Windows Analysis Report
Payment_Advice_USD_48,054.40_.exe

Overview

General Information

Sample name: Payment_Advice_USD_48,054.40_.exe
Analysis ID: 1549489
MD5: f488ea907a7447947fdd751ce2d1d0da
SHA1: 0bb00f266d676584b35752d98878465fe20953b9
SHA256: af1c4d4509e271497c9eac4c96c1fc5c4e419c6d73b69a5141380589e479c16a
Tags: exe, user-threatcat_ch

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Connects to many ports of the same IP (likely port scanning)
Contains functionality to log keystrokes (.Net Source)
Found API chain indicative of sandbox detection
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses FTP
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Payment_Advice_USD_48,054.40_.exe (PID: 5144 cmdline: "C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe" MD5: F488EA907A7447947FDD751CE2D1D0DA)
    • RegSvcs.exe (PID: 6656 cmdline: "C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • sgxIb.exe (PID: 5496 cmdline: "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • conhost.exe (PID: 528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • sgxIb.exe (PID: 2452 cmdline: "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • conhost.exe (PID: 2676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution:
  • SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
Extracted malware configuration: {"Exfil Mode": "FTP", "Host": "ftp://ftp.haliza.com.my", "Username": "origin@haliza.com.my", "Password": "JesusChrist007$"}
Source | Rule | Description | Author | Strings
00000002.00000002.4493085046.0000000002FDB000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000002.00000002.4493085046.0000000002FDB000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000002.00000002.4491744353.0000000000402000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000002.00000002.4491744353.0000000000402000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.2054880460.0000000003300000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Source | Rule | Description | Author | Strings
2.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
2.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
2.2.RegSvcs.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x34f7c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x34fee:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x35078:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x3510a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x35174:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x351e6:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x3527c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x3530c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.400000.0.unpack | MALWARE_Win_AgentTeslaV2 | AgenetTesla Type 2 Keylogger payload | ditekSHen
  • 0x32170:$s2: GetPrivateProfileString
  • 0x317fa:$s3: get_OSFullName
  • 0x32f6b:$s5: remove_Key
  • 0x33157:$s5: remove_Key
  • 0x34075:$s6: FtpWebRequest
  • 0x34f5e:$s7: logins
  • 0x354d0:$s7: logins
  • 0x38227:$s7: logins
  • 0x38293:$s7: logins
  • 0x39d12:$s7: logins
  • 0x38e2d:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.Payment_Advice_USD_48,054.40_.exe.3300000.1.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

                  System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6656, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sgxIb
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-05T17:11:04.702504+0100 | 2022930 | 1 | A Network Trojan was detected | 20.12.23.50 | 443 | 192.168.2.5 | 49710 | TCP
2024-11-05T17:11:43.737557+0100 | 2022930 | 1 | A Network Trojan was detected | 20.12.23.50 | 443 | 192.168.2.5 | 49910 | TCP

                  AV Detection

Source: Payment_Advice_USD_48,054.40_.exe | Avira: detected
Source: 2.2.RegSvcs.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.haliza.com.my", "Username": "origin@haliza.com.my", "Password": "JesusChrist007$"}
Source: Payment_Advice_USD_48,054.40_.exe | ReversingLabs: Detection: 47%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Payment_Advice_USD_48,054.40_.exe | Joe Sandbox ML: detected
Source: Payment_Advice_USD_48,054.40_.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49704 version: TLS 1.2
                  Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000002.00000002.4495957119.0000000006460000.00000004.00000020.00020000.00000000.sdmp, sgxIb.exe, 00000003.00000000.2161819279.0000000000A92000.00000002.00000001.01000000.00000006.sdmp, sgxIb.exe.2.dr
                  Source: Binary string: wntdll.pdbUGP source: Payment_Advice_USD_48,054.40_.exe, 00000000.00000003.2044172196.00000000034B0000.00000004.00001000.00020000.00000000.sdmp, Payment_Advice_USD_48,054.40_.exe, 00000000.00000003.2042631799.0000000003650000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdb source: Payment_Advice_USD_48,054.40_.exe, 00000000.00000003.2044172196.00000000034B0000.00000004.00001000.00020000.00000000.sdmp, Payment_Advice_USD_48,054.40_.exe, 00000000.00000003.2042631799.0000000003650000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.4495957119.0000000006460000.00000004.00000020.00020000.00000000.sdmp, sgxIb.exe, 00000003.00000000.2161819279.0000000000A92000.00000002.00000001.01000000.00000006.sdmp, sgxIb.exe.2.dr
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Code function: 0_2_004AC2A2 FindFirstFileExW,0_2_004AC2A2
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Code function: 0_2_004E68EE FindFirstFileW,FindClose,0_2_004E68EE
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Code function: 0_2_004E698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_004E698F
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Code function: 0_2_004DD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_004DD076
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Code function: 0_2_004DD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_004DD3A9
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Code function: 0_2_004E9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_004E9642
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Code function: 0_2_004E979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_004E979D
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Code function: 0_2_004E9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_004E9B2B
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Code function: 0_2_004DDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_004DDBBE
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Code function: 0_2_004E5C97 FindFirstFileW,FindNextFileW,FindClose,0_2_004E5C97

                  Networking

Source: global traffic | TCP traffic: 110.4.45.197 ports 64496,63446,60859,55289,1,54551,2,54693,51240,55039,59048,51110,55400,60673,54575,57907,60691,21
Source: global traffic | TCP traffic: 192.168.2.5:49707 -> 110.4.45.197:55400
Source: Joe Sandbox View | IP Address: 110.4.45.197
Source: Joe Sandbox View | IP Address: 104.26.13.205
Source: Joe Sandbox View | ASN Name: EXABYTES-AS-APExaBytesNetworkSdnBhdMY
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.5:49710
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.5:49910
Source: unknown | FTP traffic detected: 110.4.45.197:21 -> 192.168.2.5:49706
  220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
  220-You are user number 9 of 50 allowed.
  220-Local time is now 00:10. Server port: 21.
  220-This is a private system - No anonymous login
  220-IPv6 connections are also welcome on this server.
  220 You will be disconnected after 15 minutes of inactivity.
Source: global traffic | HTTP traffic detected:
  GET / HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
  Host: api.ipify.org
  Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Code function: 0_2_004ECE44 InternetReadFile,SetEvent,GetLastError,SetEvent,0_2_004ECE44
Source: global traffic | HTTP traffic detected:
  GET / HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
  Host: api.ipify.org
  Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: global traffic | DNS traffic detected: DNS query: ftp.haliza.com.my
Source: RegSvcs.exe, 00000002.00000002.4493085046.0000000003184000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4493085046.0000000002FDB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4493085046.00000000033C9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4493085046.0000000003231000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4493085046.0000000003035000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4493085046.00000000031AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ftp.haliza.com.my
Source: RegSvcs.exe, 00000002.00000002.4493085046.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Payment_Advice_USD_48,054.40_.exe, 00000000.00000002.2054880460.0000000003300000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4491744353.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: Payment_Advice_USD_48,054.40_.exe, 00000000.00000002.2054880460.0000000003300000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4493085046.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4491744353.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown | HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49704 version: TLS 1.2

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.Payment_Advice_USD_48,054.40_.exe.3300000.1.raw.unpack, SKTzxzsJw.cs | .Net Code: _71ZRqC1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Code function: 0_2_004EEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_004EEAFF
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Code function: 0_2_004EED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_004EED6A
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Code function: 0_2_004EEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_004EEAFF
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Code function: 0_2_004DAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,0_2_004DAA57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Code function: 0_2_00509576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00509576

                  System Summary

Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.Payment_Advice_USD_48,054.40_.exe.3300000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Payment_Advice_USD_48,054.40_.exe.3300000.1.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.Payment_Advice_USD_48,054.40_.exe.3300000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Payment_Advice_USD_48,054.40_.exe.3300000.1.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 00000000.00000002.2054880460.0000000003300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.2054880460.0000000003300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: Payment_Advice_USD_48,054.40_.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Payment_Advice_USD_48,054.40_.exe, 00000000.00000000.2030582341.0000000000532000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. memstr_9b0ef250-b
                  Source: Payment_Advice_USD_48,054.40_.exe, 00000000.00000000.2030582341.0000000000532000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_c473f4a1-3
Source: Payment_Advice_USD_48,054.40_.exe | String found in binary or memory: This is a third-party compiled AutoIt script. memstr_e83f4b03-9
                  Source: Payment_Advice_USD_48,054.40_.exeString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_31f5c64a-6
Source: initial sample | Static PE information: Filename: Payment_Advice_USD_48,054.40_.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Code function: 0_2_004DD5EB CreateFileW,DeviceIoControl,CloseHandle,0_2_004DD5EB
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Code function: 0_2_004D1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_004D1201
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Code function: 0_2_004DE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_004DE8F6
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Code function: 0_2_0047BF40
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Code function: 0_2_004E2046
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Code function: 0_2_00478060
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Code function: 0_2_004D8298
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Code function: 0_2_004AE4FF
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Code function: 0_2_004A676B
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Code function: 0_2_00504873
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Code function: 0_2_0047CAF0
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Code function: 0_2_0049CAA0
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Code function: 0_2_0048CC39
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Code function: 0_2_004A6DD9
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Code function: 0_2_0048B119
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Code function: 0_2_004791C0
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Code function: 0_2_00491394
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Code function: 0_2_00491706
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Code function: 0_2_0049781B
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Code function: 0_2_0048997D
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Code function: 0_2_00477920
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Code function: 0_2_004919B0
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Code function: 0_2_00497A4A
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Code function: 0_2_00491C77
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Code function: 0_2_004C3CD2
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Code function: 0_2_00497CA7
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Code function: 0_2_004FBE44
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Code function: 0_2_004A9EEE
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Code function: 0_2_00491F32
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Code function: 0_2_00E2AD38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_01554198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0155E915
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_01554A68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0155AD90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_01553E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_06A5C4AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_06A53924
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_06A56036
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_06A55342
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_06A55348
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_06A51C68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_06A53918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_06A756B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_06A77E98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_06A76708
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_06A73580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_06A777B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_06A7E4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_06A75DFF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_06A70040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_06A7003E
                  Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exeCode function: String function: 00490A30 appears 46 times
                  Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exeCode function: String function: 0048F9F2 appears 40 times
                  Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exeCode function: String function: 00479CB3 appears 31 times
Source: Payment_Advice_USD_48,054.40_.exe, 00000000.00000003.2042986041.00000000035D3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Payment_Advice_USD_48,054.40_.exe
Source: Payment_Advice_USD_48,054.40_.exe, 00000000.00000003.2044742917.000000000377D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Payment_Advice_USD_48,054.40_.exe
Source: Payment_Advice_USD_48,054.40_.exe, 00000000.00000002.2054880460.0000000003300000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilename472d0e4f-32a4-4ea2-b137-597340264f0d.exe4 vs Payment_Advice_USD_48,054.40_.exe
Source: Payment_Advice_USD_48,054.40_.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.Payment_Advice_USD_48,054.40_.exe.3300000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Payment_Advice_USD_48,054.40_.exe.3300000.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.Payment_Advice_USD_48,054.40_.exe.3300000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Payment_Advice_USD_48,054.40_.exe.3300000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000000.00000002.2054880460.0000000003300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.2054880460.0000000003300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.Payment_Advice_USD_48,054.40_.exe.3300000.1.raw.unpack, 4JJG6X.cs | Cryptographic APIs: 'TransformFinalBlock' (reported twice)
Source: 0.2.Payment_Advice_USD_48,054.40_.exe.3300000.1.raw.unpack, 8C78isHTVco.cs | Cryptographic APIs: 'TransformFinalBlock' (reported four times)
Source: 0.2.Payment_Advice_USD_48,054.40_.exe.3300000.1.raw.unpack, CqSP68Ir.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Payment_Advice_USD_48,054.40_.exe.3300000.1.raw.unpack, CqSP68Ir.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/5@2/2
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Code function: 0_2_004E37B5 GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Code function: 0_2_004D10BF AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Code function: 0_2_004D16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Code function: 0_2_004E51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Code function: 0_2_004FA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Code function: 0_2_004E648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Code function: 0_2_004742A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Users\user\AppData\Roaming\sgxIb
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2676:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:528:120:WilError_03
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | File created: C:\Users\user\AppData\Local\Temp\uncolorable
Source: Payment_Advice_USD_48,054.40_.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor (reported three times)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Payment_Advice_USD_48,054.40_.exe | ReversingLabs: Detection: 47%
Source: unknown | Process created: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe "C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe"
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe" (two instances reported)
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 (two instances reported, one per sgxIb.exe process)
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe | Section loaded: mscoree.dll (reported for both sgxIb.exe instances)
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe | Section loaded: kernel.appcore.dll (reported for both sgxIb.exe instances)
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe | Section loaded: version.dll (reported for both sgxIb.exe instances)
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe | Section loaded: vcruntime140_clr0400.dll (reported for both sgxIb.exe instances)
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe | Section loaded: ucrtbase_clr0400.dll (reported twice for each sgxIb.exe instance)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: Payment_Advice_USD_48,054.40_.exe | Static file information: File size 1414144 > 1048576
Source: Payment_Advice_USD_48,054.40_.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Payment_Advice_USD_48,054.40_.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Payment_Advice_USD_48,054.40_.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Payment_Advice_USD_48,054.40_.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG (listed twice)
Source: Payment_Advice_USD_48,054.40_.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Payment_Advice_USD_48,054.40_.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                  Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000002.00000002.4495957119.0000000006460000.00000004.00000020.00020000.00000000.sdmp, sgxIb.exe, 00000003.00000000.2161819279.0000000000A92000.00000002.00000001.01000000.00000006.sdmp, sgxIb.exe.2.dr
                  Source: Binary string: wntdll.pdbUGP source: Payment_Advice_USD_48,054.40_.exe, 00000000.00000003.2044172196.00000000034B0000.00000004.00001000.00020000.00000000.sdmp, Payment_Advice_USD_48,054.40_.exe, 00000000.00000003.2042631799.0000000003650000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdb source: Payment_Advice_USD_48,054.40_.exe, 00000000.00000003.2044172196.00000000034B0000.00000004.00001000.00020000.00000000.sdmp, Payment_Advice_USD_48,054.40_.exe, 00000000.00000003.2042631799.0000000003650000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.4495957119.0000000006460000.00000004.00000020.00020000.00000000.sdmp, sgxIb.exe, 00000003.00000000.2161819279.0000000000A92000.00000002.00000001.01000000.00000006.sdmp, sgxIb.exe.2.dr
Source: Payment_Advice_USD_48,054.40_.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Payment_Advice_USD_48,054.40_.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Payment_Advice_USD_48,054.40_.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Payment_Advice_USD_48,054.40_.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Payment_Advice_USD_48,054.40_.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Code function: 0_2_004742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Code function: 0_2_00490A76 push ecx; ret 0_2_00490A89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_06A5EA10 push es; ret 2_2_06A5EA20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_06A5A811 push es; ret 2_2_06A5A820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe (dropped file)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run sgxIb (reported twice)

                  Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Code function: 0_2_0048F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Code function: 0_2_00501C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Process information set: NOOPENFILEERRORBOX (reported 2 times)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX (reported 67 times)
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe | Process information set: NOOPENFILEERRORBOX (reported 34 times)

                  Malware Analysis System Evasion

                  Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe  Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe  API/Special instruction interceptor: Address: E2A95C
                  Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe  Memory allocated: 1100000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe  Memory allocated: 2DF0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe  Memory allocated: 1100000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe  Memory allocated: 2340000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe  Memory allocated: 2530000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe  Memory allocated: 2340000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Thread delayed: delay time: 600000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Thread delayed: delay time: 599875
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Thread delayed: delay time: 599766
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Thread delayed: delay time: 599648
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Thread delayed: delay time: 599532
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Thread delayed: delay time: 599403
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Thread delayed: delay time: 599295
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Thread delayed: delay time: 599186
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Thread delayed: delay time: 599059
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Thread delayed: delay time: 598938
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Thread delayed: delay time: 598819
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Thread delayed: delay time: 598703
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Thread delayed: delay time: 598594
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Thread delayed: delay time: 598485
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Thread delayed: delay time: 598360
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Thread delayed: delay time: 598235
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Thread delayed: delay time: 598110
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Thread delayed: delay time: 597985
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Thread delayed: delay time: 597860
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Thread delayed: delay time: 597738
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Thread delayed: delay time: 597610
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Thread delayed: delay time: 597485
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Thread delayed: delay time: 597360
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Thread delayed: delay time: 597235
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Thread delayed: delay time: 597110
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Thread delayed: delay time: 596985
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Thread delayed: delay time: 596860
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Thread delayed: delay time: 596726
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Thread delayed: delay time: 596606
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Thread delayed: delay time: 596498
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Thread delayed: delay time: 596355
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Thread delayed: delay time: 596250
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Thread delayed: delay time: 596141
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Thread delayed: delay time: 596016
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Thread delayed: delay time: 595891
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Thread delayed: delay time: 595781
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Thread delayed: delay time: 595668
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Thread delayed: delay time: 595562
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Thread delayed: delay time: 595453
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Thread delayed: delay time: 595344
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Thread delayed: delay time: 595234
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Thread delayed: delay time: 595119
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Thread delayed: delay time: 595000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Thread delayed: delay time: 594891
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Thread delayed: delay time: 594781
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Thread delayed: delay time: 594672
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Thread delayed: delay time: 594563
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Thread delayed: delay time: 594438
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Thread delayed: delay time: 594316
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Thread delayed: delay time: 594188
                  Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe  Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Window / User API: threadDelayed 2159
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Window / User API: threadDelayed 7680
                  Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe  API coverage: 3.3 %
                  Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 2792  Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 1012  Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe  Code function: 0_2_004AC2A2 FindFirstFileExW
                  Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe  Code function: 0_2_004E68EE FindFirstFileW,FindClose
                  Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe  Code function: 0_2_004E698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime
                  Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe  Code function: 0_2_004DD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe  Code function: 0_2_004DD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe  Code function: 0_2_004E9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe  Code function: 0_2_004E979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe  Code function: 0_2_004E9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose
                  Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe  Code function: 0_2_004DDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose
                  Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe  Code function: 0_2_004E5C97 FindFirstFileW,FindNextFileW,FindClose
                  Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe  Code function: 0_2_004742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
                  Source: RegSvcs.exe, 00000002.00000002.4495957119.00000000063D0000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe  Code function: 0_2_004EEAA2 BlockInput
                  Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe  Code function: 0_2_004A2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                  Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe  Code function: 0_2_004742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
                  Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe  Code function: 0_2_00494CE8 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe  Code function: 0_2_00E2ABC8 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe  Code function: 0_2_00E2AC28 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe  Code function: 0_2_00E29588 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe  Code function: 0_2_004D0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
                  Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe  Code function: 0_2_004A2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                  Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe  Code function: 0_2_0049083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                  Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe  Code function: 0_2_004909D5 SetUnhandledExceptionFilter
                  Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe  Code function: 0_2_00490C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe  Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
                  Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe  Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: ED0008
                  Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe  Code function: 0_2_004D1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
                  Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe  Code function: 0_2_004B2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                  Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe  Code function: 0_2_004DB226 SendInput,keybd_event
                  Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe  Code function: 0_2_004F22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event
                  Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe  Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe"
                  Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe  Code function: 0_2_004D0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
                  Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe  Code function: 0_2_004D1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
                  Source: Payment_Advice_USD_48,054.40_.exe  Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                  Source: RegSvcs.exe, 00000002.00000002.4493085046.0000000002FDB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4493085046.000000000319E000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: Program Manager
                  Source: Payment_Advice_USD_48,054.40_.exe  Binary or memory string: Shell_TrayWnd
                  Source: RegSvcs.exe, 00000002.00000002.4493085046.000000000319E000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: $]q8<b>[ Program Manager]</b> (05/11/2024 23:45:09)<br>{Win}THbq
                  Source: RegSvcs.exe, 00000002.00000002.4493085046.000000000319E000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: $]q3<b>[ Program Manager]</b> (05/11/2024 23:45:09)<br>
                  Source: RegSvcs.exe, 00000002.00000002.4493085046.00000000031AD000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: <html>Time: 11/23/2024 16:42:45<br>User Name: user<br>Computer Name: 936905<br>OSFullName: Microsoft Windows 10 Pro<br>CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz<br>RAM: 8191.25 MB<br>IP Address: 173.254.250.76<br><hr><b>[ Program Manager]</b> (05/11/2024 23:45:09)<br>{Win}r</html>
                  Source: RegSvcs.exe, 00000002.00000002.4493085046.000000000319E000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: Program ManagerLR]q$$
                  Source: RegSvcs.exe, 00000002.00000002.4493085046.000000000319E000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: $]q9<b>[ Program Manager]</b> (05/11/2024 23:45:09)<br>{Win}rTHbq
                  Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe  Code function: 0_2_00490698 cpuid
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe  Queries volume information: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exeCode function: 0_2_004E8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,0_2_004E8195
                  Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exeCode function: 0_2_004CD27A GetUserNameW,0_2_004CD27A
                  Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exeCode function: 0_2_004AB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,0_2_004AB952
                  Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exeCode function: 0_2_004742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_004742DE
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Payment_Advice_USD_48,054.40_.exe.3300000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Payment_Advice_USD_48,054.40_.exe.3300000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.4493085046.0000000002FDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4491744353.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2054880460.0000000003300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Payment_Advice_USD_48,054.40_.exe PID: 5144, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6656, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                  Source: Payment_Advice_USD_48,054.40_.exeBinary or memory string: WIN_81
                  Source: Payment_Advice_USD_48,054.40_.exeBinary or memory string: WIN_XP
                  Source: Payment_Advice_USD_48,054.40_.exeBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
                  Source: Payment_Advice_USD_48,054.40_.exeBinary or memory string: WIN_XPe
                  Source: Payment_Advice_USD_48,054.40_.exeBinary or memory string: WIN_VISTA
                  Source: Payment_Advice_USD_48,054.40_.exeBinary or memory string: WIN_7
                  Source: Payment_Advice_USD_48,054.40_.exeBinary or memory string: WIN_8

Remote Access Functionality

Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Payment_Advice_USD_48,054.40_.exe.3300000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Payment_Advice_USD_48,054.40_.exe.3300000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.4493085046.0000000002FDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4491744353.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2054880460.0000000003300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Payment_Advice_USD_48,054.40_.exe PID: 5144, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6656, type: MEMORYSTR
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Code function: 0_2_004F1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe | Code function: 0_2_004F1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
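The observations above describe one process, the hollowed RegSvcs.exe (PID 6656), doing four unrelated things in sequence: opening browser, mail, FTP-client and WinSCP credential stores, writing a Run value that points into %APPDATA%, connecting to an FTP server on port 21, and looking up its public IP at api.ipify.org. None of these is conclusive alone (a browser reads its own Login Data; an installer writes Run keys), so a practical detection scores the combination per process. The following Python is an added example written for this page, not part of the Joe Sandbox report or of any vendor tool. The file paths, registry keys and hosts are the ones the report lists; the event records, the PID 4242 chrome.exe control process, the STORE_OWNERS allowlist and the verdict thresholds are constructed assumptions for the demonstration.

```python
"""Per-process triage of sandbox-style events for the AgentTesla pattern
documented in this report. Added example; the events below are constructed
from the report's observations, not copied from its logs."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Credential stores listed under "Stealing of Sensitive Information".
CREDENTIAL_FILES = [re.compile(p, re.IGNORECASE) for p in (
    r"\\(Google\\Chrome|Microsoft\\Edge)\\User Data\\[^\\]+\\(Login Data|Network\\Cookies)$",
    r"\\Mozilla\\Firefox\\(profiles\.ini|Profiles\\[^\\]+\\cookies\.sqlite)$",
    r"\\Thunderbird\\profiles\.ini$",
    r"\\FTP Navigator\\Ftplist\.txt$",
)]
CREDENTIAL_KEYS = [re.compile(p, re.IGNORECASE) for p in (
    r"^HKEY_CURRENT_USER\\SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions$",
    r"^HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles$",
    r"^HKEY_CURRENT_USER\\Software\\IncrediMail\\Identities$",
)]
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.IGNORECASE)
# .NET Framework utilities (RegSvcs.exe here) that AgentTesla loaders commonly hollow.
DOTNET_UTILITY_DIR = re.compile(r"^C:\\Windows\\Microsoft\.NET\\Framework(64)?\\v[\d.]+\\", re.IGNORECASE)
# Assumption: only these images legitimately read the stores above.
STORE_OWNERS = {"chrome.exe", "msedge.exe", "firefox.exe", "thunderbird.exe", "winscp.exe", "outlook.exe"}
IP_ECHO_HOSTS = {"api.ipify.org"}


@dataclass(frozen=True)
class Event:
    pid: int
    image: str      # full path of the acting process
    kind: str       # file_open | reg_open | reg_set | net_connect
    target: str     # file path, registry key, or destination host
    data: str = ""  # reg_set: value data; net_connect: destination port


def indicators_for(events: list[Event]) -> dict[int, set[str]]:
    """Map each PID to the set of report-derived indicators it triggered."""
    hits: dict[int, set[str]] = defaultdict(set)
    for ev in events:
        image_name = ev.image.rsplit("\\", 1)[-1].lower()
        foreign = image_name not in STORE_OWNERS
        if ev.kind == "file_open" and foreign and any(p.search(ev.target) for p in CREDENTIAL_FILES):
            hits[ev.pid].add("credential_store_file_access")
        elif ev.kind == "reg_open" and foreign and any(p.search(ev.target) for p in CREDENTIAL_KEYS):
            hits[ev.pid].add("credential_store_registry_access")
        elif ev.kind == "reg_set" and RUN_KEY.search(ev.target) and USER_WRITABLE.search(ev.data):
            hits[ev.pid].add("run_key_to_appdata")
        elif ev.kind == "net_connect":
            if ev.data == "21" and DOTNET_UTILITY_DIR.match(ev.image):
                hits[ev.pid].add("dotnet_utility_ftp_connect")
            if ev.target.lower() in IP_ECHO_HOSTS:
                hits[ev.pid].add("public_ip_lookup")
    return dict(hits)


def verdict(indicators: set[str]) -> str:
    """Heuristic thresholds (assumption): the number of independent indicator
    classes seen on one process decides, never a single indicator."""
    if len(indicators) >= 3:
        return "agenttesla_like"
    return "suspicious" if len(indicators) == 2 else "benign"


def triage(events: list[Event]) -> dict[int, tuple[str, list[str]]]:
    """Per-PID verdict plus the sorted indicator names behind it."""
    return {pid: (verdict(ind), sorted(ind)) for pid, ind in indicators_for(events).items()}


REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"  # constructed benign control

# Constructed events modelled on the report's RegSvcs.exe (PID 6656) observations.
SAMPLE_EVENTS = [
    Event(6656, REGSVCS, "file_open", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event(6656, REGSVCS, "file_open", r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite"),
    Event(6656, REGSVCS, "reg_open", r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"),
    Event(6656, REGSVCS, "reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
          r"C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"),
    Event(6656, REGSVCS, "net_connect", "ftp.haliza.com.my", "21"),
    Event(6656, REGSVCS, "net_connect", "api.ipify.org", "443"),
    # The browser reading its own store must not fire (PID 4242 is constructed).
    Event(4242, CHROME, "file_open", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
]

if __name__ == "__main__":
    for pid, (label, names) in triage(SAMPLE_EVENTS).items():
        print(f"PID {pid}: {label} <- {', '.join(names)}")
```

Run stand-alone, the script reports PID 6656 as agenttesla_like with all five indicators and stays silent on the chrome.exe control. The allowlist is deliberately by image name only; in a production rule the owner check should be on signed image path, since a stealer can copy itself to chrome.exe just as easily as it hollows RegSvcs.exe.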
Mitre Att&ck Matrix

Techniques that carry a match count in the report's matrix, grouped by tactic (the numeric prefix is the count shown in the report's cell). Reconnaissance, Resource Development and Lateral Movement have no matched techniques.

Initial Access: 2 Valid Accounts
Execution: 121 Windows Management Instrumentation; 1 Native API
Persistence: 1 DLL Side-Loading; 2 Valid Accounts; 1 Registry Run Keys / Startup Folder
Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 212 Process Injection; 1 Registry Run Keys / Startup Folder
Defense Evasion: 11 Disable or Modify Tools; 11 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 DLL Side-Loading; 1 Masquerading; 2 Valid Accounts; 241 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 212 Process Injection; 1 Hidden Files and Directories
Credential Access: 2 OS Credential Dumping; 221 Input Capture; 1 Credentials in Registry
Discovery: 2 System Time Discovery; 1 Account Discovery; 2 File and Directory Discovery; 138 System Information Discovery; 331 Security Software Discovery; 241 Virtualization/Sandbox Evasion; 2 Process Discovery; 11 Application Window Discovery; 1 System Owner/User Discovery; 1 System Network Configuration Discovery
Collection: 11 Archive Collected Data; 2 Data from Local System; 1 Email Collection; 221 Input Capture; 4 Clipboard Data
Command and Control: 2 Ingress Tool Transfer; 11 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 23 Application Layer Protocol
Exfiltration: 1 Exfiltration Over Alternative Protocol
Impact: 1 System Shutdown/Reboot
Behavior Graph (ID: 1549489; sample: Payment_Advice_USD_48,054.40_.exe; start date: 05/11/2024; architecture: WINDOWS; score: 100)

Domains resolved: ftp.haliza.com.my; api.ipify.org
Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 8 other signatures

Process tree:
• Payment_Advice_USD_48,054.40_.exe (started; node counters: 1)
  Signatures: Binary is likely a compiled AutoIt script file; Found API chain indicative of sandbox detection; Writes to foreign memory regions; 2 other signatures
  • RegSvcs.exe (started; node counters: 16, 4)
    Network: ftp.haliza.com.my 110.4.45.197, port 21, local ports 49705 and 49706 (EXABYTES-AS-AP ExaBytes Network Sdn Bhd, Malaysia); api.ipify.org 104.26.13.205, port 443, local port 49704 (CLOUDFLARENET, United States)
    Dropped: C:\Users\user\AppData\Roaming\...\sgxIb.exe, PE32
    Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); 4 other signatures
• sgxIb.exe (started; node counters: 2)
  • conhost.exe (started)
• sgxIb.exe (started; node counters: 1)
  • conhost.exe (started)

Antivirus Detection

Initial sample:
Source | Detection | Scanner | Label
Payment_Advice_USD_48,054.40_.exe | 47% | ReversingLabs | Win32.Trojan.AgentTesla
Payment_Advice_USD_48,054.40_.exe | 100% | Avira | DR/AutoIt.Gen8
Payment_Advice_USD_48,054.40_.exe | 100% | Joe Sandbox ML |

Dropped files:
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe | 0% | ReversingLabs |

No Antivirus matches (reported for each of the three remaining categories)
Contacted domains:
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.ipify.org | 104.26.13.205 | true | false | | high
ftp.haliza.com.my | 110.4.45.197 | true | true | | unknown

Contacted URLs:
Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | | high

URLs from memory and binary:
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.ipify.org | Payment_Advice_USD_48,054.40_.exe, 00000000.00000002.2054880460.0000000003300000.00000004.00001000.00020000.00000000.sdmp; RegSvcs.exe, 00000002.00000002.4493085046.0000000002F91000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000002.00000002.4491744353.0000000000402000.00000040.80000000.00040000.00000000.sdmp | false | | high
https://account.dyn.com/ | Payment_Advice_USD_48,054.40_.exe, 00000000.00000002.2054880460.0000000003300000.00000004.00001000.00020000.00000000.sdmp; RegSvcs.exe, 00000002.00000002.4491744353.0000000000402000.00000040.80000000.00040000.00000000.sdmp | false | | high
http://ftp.haliza.com.my | RegSvcs.exe, 00000002.00000002.4493085046.0000000003184000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000002.00000002.4493085046.0000000002FDB000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000002.00000002.4493085046.00000000033C9000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000002.00000002.4493085046.0000000003231000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000002.00000002.4493085046.0000000003035000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000002.00000002.4493085046.00000000031AD000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegSvcs.exe, 00000002.00000002.4493085046.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | false | | high
Contacted public IPs:
IP | Domain | Country | ASN | ASN Name | Malicious
110.4.45.197 | ftp.haliza.com.my | Malaysia | 46015 | EXABYTES-AS-APExaBytesNetworkSdnBhdMY | true
104.26.13.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
                                Joe Sandbox version:41.0.0 Charoite
                                Analysis ID:1549489
                                Start date and time:2024-11-05 17:09:54 +01:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 8m 35s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:9
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:Payment_Advice_USD_48,054.40_.exe
                                Detection:MAL
                                Classification:mal100.troj.spyw.evad.winEXE@7/5@2/2
                                EGA Information:
                                • Successful, ratio: 50%
                                HCA Information:
                                • Successful, ratio: 99%
                                • Number of executed functions: 43
                                • Number of non-executed functions: 300
                                Cookbook Comments:
                                • Found application associated with file extension: .exe
                                • Override analysis time to 240000 for current running targets taking high CPU consumption
                                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                • Execution Graph export aborted for target sgxIb.exe, PID 2452 because it is empty
                                • Execution Graph export aborted for target sgxIb.exe, PID 5496 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                • Report size exceeded maximum capacity and may have missing behavior information.
                                • Report size exceeded maximum capacity and may have missing disassembly code.
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • Report size getting too big, too many NtReadVirtualMemory calls found.
                                • VT rate limit hit for: Payment_Advice_USD_48,054.40_.exe
Time | Type | Description
11:10:48 | API Interceptor | 10953321x Sleep call for process: RegSvcs.exe modified
17:10:49 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run sgxIb C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
17:10:57 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run sgxIb C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                110.4.45.197Payslip_October_2024.exeGet hashmaliciousAgentTeslaBrowse
                                  Payslip_October_2024_pdf.exeGet hashmaliciousAgentTeslaBrowse
                                    Payslip_October_2024_pdf.exeGet hashmaliciousAgentTeslaBrowse
                                      Payslip_October_2024.pdf.exeGet hashmaliciousAgentTeslaBrowse
                                        rMT103_126021720924.exeGet hashmaliciousAgentTeslaBrowse
                                          z1Transaction_ID_REF2418_cmd.batGet hashmaliciousAgentTesla, DBatLoader, PureLog StealerBrowse
                                            z20SWIFT_MT103_Payment_552016_pdf.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                              Order Specifications for Materials.docx.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                z14Employee_Contract_pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                  Order Specifications for Materials.docx.exeGet hashmaliciousAgentTeslaBrowse
                                                    104.26.13.2052b7cu0KwZl.exeGet hashmaliciousUnknownBrowse
                                                    • api.ipify.org/
                                                    file.exeGet hashmaliciousUnknownBrowse
                                                    • api.ipify.org/
                                                    file.exeGet hashmaliciousLummaC, PrivateLoader, Stealc, VidarBrowse
                                                    • api.ipify.org/
                                                    file.exeGet hashmaliciousLummaC, PrivateLoader, Stealc, VidarBrowse
                                                    • api.ipify.org/
                                                    file.exeGet hashmaliciousRDPWrap ToolBrowse
                                                    • api.ipify.org/
                                                    Prismifyr-Install.exeGet hashmaliciousNode StealerBrowse
                                                    • api.ipify.org/
                                                    file.exeGet hashmaliciousLummaC, PrivateLoader, Stealc, VidarBrowse
                                                    • api.ipify.org/
                                                    file.exeGet hashmaliciousLummaC, RDPWrap Tool, LummaC Stealer, VidarBrowse
                                                    • api.ipify.org/
                                                    file.exeGet hashmaliciousUnknownBrowse
                                                    • api.ipify.org/
                                                    file.exeGet hashmaliciousLummaC, RDPWrap Tool, LummaC Stealer, Stealc, VidarBrowse
                                                    • api.ipify.org/
                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                    api.ipify.orgH096Ewc7ki.exeGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                    • 104.26.12.205
                                                    Steelcase Series 1 Sustainable Office Chair _ Steelcase.htmlGet hashmaliciousUnknownBrowse
                                                    • 104.26.12.205
                                                    REnBTVfW8q.exeGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                    • 104.26.13.205
                                                    ulf4JrCRk2.exeGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                    • 172.67.74.152
                                                    D6yz87XjgM.exeGet hashmaliciousAgentTeslaBrowse
                                                    • 172.67.74.152
                                                    Nt8BLNLKN7.exeGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                    • 172.67.74.152
                                                    Quotation.exeGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                    • 172.67.74.152
                                                    b9Mm2hq1pU.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                    • 104.26.13.205
                                                    https://mlflegal.sharefile.com/public/share/web-s929b2bfc135a4aadb68ad5b8c7324a2eGet hashmaliciousUnknownBrowse
                                                    • 172.67.74.152
                                                    Ransomware Mallox.exeGet hashmaliciousTargeted RansomwareBrowse
                                                    • 104.26.12.205
                                                    ftp.haliza.com.myPayslip_October_2024.exeGet hashmaliciousAgentTeslaBrowse
                                                    • 110.4.45.197
                                                    Payslip_October_2024_pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                    • 110.4.45.197
                                                    Payslip_October_2024_pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                    • 110.4.45.197
                                                    Payslip_October_2024.pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                    • 110.4.45.197
                                                    rMT103_126021720924.exeGet hashmaliciousAgentTeslaBrowse
                                                    • 110.4.45.197
                                                    z1Transaction_ID_REF2418_cmd.batGet hashmaliciousAgentTesla, DBatLoader, PureLog StealerBrowse
                                                    • 110.4.45.197
                                                    z20SWIFT_MT103_Payment_552016_pdf.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                    • 110.4.45.197
                                                    Order Specifications for Materials.docx.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                    • 110.4.45.197
                                                    z14Employee_Contract_pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                    • 110.4.45.197
                                                    Order Specifications for Materials.docx.exeGet hashmaliciousAgentTeslaBrowse
                                                    • 110.4.45.197
Match | Associated Sample Name / URL | Detection | Threat Name | Context
EXABYTES-AS-APExaBytesNetworkSdnBhdMY | Payslip_October_2024.exe | malicious | AgentTesla | 110.4.45.197
 | Payslip_October_2024_pdf.exe | malicious | AgentTesla | 110.4.45.197
 | Payslip_October_2024_pdf.exe | malicious | AgentTesla | 110.4.45.197
 | Txwd 4063517991 djxjdlxmbk.pdf | malicious | HTMLPhisher, Mamba2FA | 103.6.199.200
 | Payslip_October_2024.pdf.exe | malicious | AgentTesla | 110.4.45.197
 | rMT103_126021720924.exe | malicious | AgentTesla | 110.4.45.197
 | z1Transaction_ID_REF2418_cmd.bat | malicious | AgentTesla, DBatLoader, PureLog Stealer | 110.4.45.197
 | z20SWIFT_MT103_Payment_552016_pdf.exe | malicious | AgentTesla, PureLog Stealer | 110.4.45.197
 | Order Specifications for Materials.docx.exe | malicious | AgentTesla, PureLog Stealer | 110.4.45.197
 | z14Employee_Contract_pdf.exe | malicious | AgentTesla | 110.4.45.197
CLOUDFLARENETUS | AENiBH7X1q.exe | malicious | PureLog Stealer, RedLine | 172.67.74.152
 | H096Ewc7ki.exe | malicious | AgentTesla, GuLoader | 104.26.12.205
 | T4WYgRfsgy.exe | malicious | GuLoader, Snake Keylogger | 188.114.97.3
 | lN65vHBnAu.exe | malicious | GuLoader, Snake Keylogger | 188.114.97.3
 | http://bankllist.us | malicious | Unknown | 172.64.151.101
 | j9eXB1sYLi.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
 | 56ck70s0BI.exe | malicious | FormBook | 188.114.96.3
 | O82OCJNA3s.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.96.3
 | EXTERNAL Re 0282119 Approved Rosado Sons Inc. - 110524 A00001220503Receipt (2).msg | malicious | Unknown | 1.1.1.1
 | ACvmA4n5M2.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | AENiBH7X1q.exe | malicious | PureLog Stealer, RedLine | 104.26.13.205
 | H096Ewc7ki.exe | malicious | AgentTesla, GuLoader | 104.26.13.205
 | T4WYgRfsgy.exe | malicious | GuLoader, Snake Keylogger | 104.26.13.205
 | lN65vHBnAu.exe | malicious | GuLoader, Snake Keylogger | 104.26.13.205
 | j9eXB1sYLi.exe | malicious | Snake Keylogger, VIP Keylogger | 104.26.13.205
 | O82OCJNA3s.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 104.26.13.205
 | ACvmA4n5M2.exe | malicious | Snake Keylogger, VIP Keylogger | 104.26.13.205
 | Steelcase Series 1 Sustainable Office Chair _ Steelcase.html | malicious | Unknown | 104.26.13.205
 | REnBTVfW8q.exe | malicious | AgentTesla, GuLoader | 104.26.13.205
 | ulf4JrCRk2.exe | malicious | AgentTesla, GuLoader | 104.26.13.205
Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe | M1Y6kc9FpE.exe | malicious | FormBook |
 | mJIvCBk5vF.exe | malicious | FormBook |
 | 1aG5DoOsAW.exe | malicious | FormBook |
 | copto de pago.exe | malicious | AgentTesla |
 | purchase order P857248 dated 04112024.exe | malicious | XWorm |
 | dJpo3HPctv.exe | malicious | XWorm |
 | Payslip_October_2024_pdf.exe | malicious | AgentTesla |
 | Payslip_October_2024.pdf.exe | malicious | AgentTesla |
 | Massive.exe | malicious | AgentTesla |
 | z20SWIFT_MT103_Payment_552016_pdf.exe | malicious | AgentTesla, PureLog Stealer |
                                                                        Process:C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
                                                                        File Type:ASCII text, with CRLF line terminators
                                                                        Category:modified
                                                                        Size (bytes):142
                                                                        Entropy (8bit):5.090621108356562
                                                                        Encrypted:false
                                                                        SSDEEP:3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
                                                                        MD5:8C0458BB9EA02D50565175E38D577E35
                                                                        SHA1:F0B50702CD6470F3C17D637908F83212FDBDB2F2
                                                                        SHA-256:C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
                                                                        SHA-512:804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
                                                                        Malicious:false
                                                                        Reputation:high, very likely benign file
                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                                                        Process:C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):247808
                                                                        Entropy (8bit):6.706396374241907
                                                                        Encrypted:false
                                                                        SSDEEP:6144:MvI7nqtBMf7IoAbXNy7Gi7nSZ0kACltSC52xcIiIE7ckW/mjzkts+Wjip9n:wI7MB47IoAbX07PmACltSC52xcIiIEXG
                                                                        MD5:A5D914334A62D03297B68300D8194820
                                                                        SHA1:8FF5CE59D27694781C7FB8B2E038BA9AA29983D4
                                                                        SHA-256:40A1448E651D9ED90121FFE77BFD9A60EE0BE238884BB77D5AE2E2FE07337544
                                                                        SHA-512:5CA932536CA1F974BB70B84ECA078D0D02CE6A6B6390F70B327DA25748EEFD56D527C76ED0F40D31CC46667FCC964E2B0D73595D103EB6A16C8EC757C31476E8
                                                                        Malicious:false
                                                                        Reputation:low
Preview:
                                                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                        Category:modified
                                                                        Size (bytes):45984
                                                                        Entropy (8bit):6.16795797263964
                                                                        Encrypted:false
                                                                        SSDEEP:768:4BbSoy+SdIBf0k2dsjYg6Iq8S1GYqWH8BR:noOIBf0ddsjY/ZGyc7
                                                                        MD5:9D352BC46709F0CB5EC974633A0C3C94
                                                                        SHA1:1969771B2F022F9A86D77AC4D4D239BECDF08D07
                                                                        SHA-256:2C1EEB7097023C784C2BD040A2005A5070ED6F3A4ABF13929377A9E39FAB1390
                                                                        SHA-512:13C714244EC56BEEB202279E4109D59C2A43C3CF29F90A374A751C04FD472B45228CA5A0178F41109ED863DBD34E0879E4A21F5E38AE3D89559C57E6BE990A9B
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: M1Y6kc9FpE.exe, Detection: malicious
• Filename: mJIvCBk5vF.exe, Detection: malicious
• Filename: 1aG5DoOsAW.exe, Detection: malicious
• Filename: copto de pago.exe, Detection: malicious
• Filename: purchase order P857248 dated 04112024.exe, Detection: malicious
• Filename: dJpo3HPctv.exe, Detection: malicious
• Filename: Payslip_October_2024_pdf.exe, Detection: malicious
• Filename: Payslip_October_2024.pdf.exe, Detection: malicious
• Filename: Massive.exe, Detection: malicious
• Filename: z20SWIFT_MT103_Payment_552016_pdf.exe, Detection: malicious
                                                                        Reputation:moderate, very likely benign file
Preview:
                                                                        Process:C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
                                                                        File Type:ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):1141
                                                                        Entropy (8bit):4.442398121585593
                                                                        Encrypted:false
                                                                        SSDEEP:24:zKLXkhDObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0hDQntKKH1MqJC
                                                                        MD5:6FB4D27A716A8851BC0505666E7C7A10
                                                                        SHA1:AD2A232C6E709223532C4D1AB892303273D8C814
                                                                        SHA-256:1DC36F296CE49BDF1D560B527DB06E1E9791C10263459A67EACE706C6DDCDEAE
                                                                        SHA-512:3192095C68C6B7AD94212B7BCA0563F2058BCE00C0C439B90F0E96EA2F029A37C2F2B69487591B494C1BA54697FE891E214582E392127CB8C90AB682E0D81ADB
                                                                        Malicious:false
                                                                        Reputation:moderate, very likely benign file
Preview:
Microsoft (R) .NET Framework Services Installation Utility Version 4.8.4084.0
Copyright (C) Microsoft Corporation. All rights reserved.

USAGE: regsvcs.exe [options] AssemblyName
Options:
  /? or /help        Display this usage message.
  /fc                Find or create target application (default).
  /c                 Create target application, error if it already exists.
  /exapp             Expect an existing application.
  /tlb:<tlbfile>     Filename for the exported type library.
  /appname:<name>    Use the specified name for the target application.
  /parname:<name>    Use the specified name or id for the target partition.
  /extlb             Use an existing type library.
  /reconfig          Reconfigure existing target application (default).
  /noreconfig        Don't reconfigure existing target application.
  /u                 Uninstall target application.
  /nologo            Suppress logo output.
  /quiet             Suppress logo output and success output.
  /c
                                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Entropy (8bit):7.286740382427047
                                                                        TrID:
                                                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                                        • DOS Executable Generic (2002/1) 0.02%
                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                        File name:Payment_Advice_USD_48,054.40_.exe
                                                                        File size:1'414'144 bytes
                                                                        MD5:f488ea907a7447947fdd751ce2d1d0da
                                                                        SHA1:0bb00f266d676584b35752d98878465fe20953b9
                                                                        SHA256:af1c4d4509e271497c9eac4c96c1fc5c4e419c6d73b69a5141380589e479c16a
                                                                        SHA512:e6c3a36ea1b6d85bbdfa0cdc40ee220697afa97fe32c95623167e571161b38df1c6109fb7c7d1d6149a288e2a0848b7ee9a95df750467ee18b26399400bc2ac6
                                                                        SSDEEP:24576:WqDEvCTbMWu7rQYlBQcBiT6rprG8aCWRwo62TuEWlHtqMMOrBdJcPW6:WTvC/MTQYxsWR7aCpo65EWLA
                                                                        TLSH:6A65D00273D1C062FFAB92334B5AF6515BBC69260123A61F13A81D7DBE701B1563E7A3
                                                                        File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
                                                                        Icon Hash:aaf3e3e3938382a0
                                                                        Entrypoint:0x420577
                                                                        Entrypoint Section:.text
                                                                        Digitally signed:false
                                                                        Imagebase:0x400000
                                                                        Subsystem:windows gui
                                                                        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                        DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                        Time Stamp:0x6729FC7A [Tue Nov 5 11:07:38 2024 UTC]
                                                                        TLS Callbacks:
                                                                        CLR (.Net) Version:
                                                                        OS Version Major:5
                                                                        OS Version Minor:1
                                                                        File Version Major:5
                                                                        File Version Minor:1
                                                                        Subsystem Version Major:5
                                                                        Subsystem Version Minor:1
                                                                        Import Hash:948cc502fe9226992dce9417f952fce3
                                                                        Instruction
                                                                        call 00007FB228B5F7B3h
                                                                        jmp 00007FB228B5F0BFh
                                                                        push ebp
                                                                        mov ebp, esp
                                                                        push esi
                                                                        push dword ptr [ebp+08h]
                                                                        mov esi, ecx
                                                                        call 00007FB228B5F29Dh
                                                                        mov dword ptr [esi], 0049FDF0h
                                                                        mov eax, esi
                                                                        pop esi
                                                                        pop ebp
                                                                        retn 0004h
                                                                        and dword ptr [ecx+04h], 00000000h
                                                                        mov eax, ecx
                                                                        and dword ptr [ecx+08h], 00000000h
                                                                        mov dword ptr [ecx+04h], 0049FDF8h
                                                                        mov dword ptr [ecx], 0049FDF0h
                                                                        ret
                                                                        push ebp
                                                                        mov ebp, esp
                                                                        push esi
                                                                        push dword ptr [ebp+08h]
                                                                        mov esi, ecx
                                                                        call 00007FB228B5F26Ah
                                                                        mov dword ptr [esi], 0049FE0Ch
                                                                        mov eax, esi
                                                                        pop esi
                                                                        pop ebp
                                                                        retn 0004h
                                                                        and dword ptr [ecx+04h], 00000000h
                                                                        mov eax, ecx
                                                                        and dword ptr [ecx+08h], 00000000h
                                                                        mov dword ptr [ecx+04h], 0049FE14h
                                                                        mov dword ptr [ecx], 0049FE0Ch
                                                                        ret
                                                                        push ebp
                                                                        mov ebp, esp
                                                                        push esi
                                                                        mov esi, ecx
                                                                        lea eax, dword ptr [esi+04h]
                                                                        mov dword ptr [esi], 0049FDD0h
                                                                        and dword ptr [eax], 00000000h
                                                                        and dword ptr [eax+04h], 00000000h
                                                                        push eax
                                                                        mov eax, dword ptr [ebp+08h]
                                                                        add eax, 04h
                                                                        push eax
                                                                        call 00007FB228B61E5Dh
                                                                        pop ecx
                                                                        pop ecx
                                                                        mov eax, esi
                                                                        pop esi
                                                                        pop ebp
                                                                        retn 0004h
                                                                        lea eax, dword ptr [ecx+04h]
                                                                        mov dword ptr [ecx], 0049FDD0h
                                                                        push eax
                                                                        call 00007FB228B61EA8h
                                                                        pop ecx
                                                                        ret
                                                                        push ebp
                                                                        mov ebp, esp
                                                                        push esi
                                                                        mov esi, ecx
                                                                        lea eax, dword ptr [esi+04h]
                                                                        mov dword ptr [esi], 0049FDD0h
                                                                        push eax
                                                                        call 00007FB228B61E91h
                                                                        test byte ptr [ebp+08h], 00000001h
                                                                        pop ecx
                                                                        Programming Language:
                                                                        • [ C ] VS2008 SP1 build 30729
                                                                        • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8e64 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0x8293c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x157000 | 0x7594 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb0ff0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc3400 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb1010 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9c000 | 0x894 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x9ab1d | 0x9ac00 | 0a1473f3064dcbc32ef93c5c8a90f3a6 | False | 0.565500681542811 | data | 6.668273581389308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x9c000 | 0x2fb82 | 0x2fc00 | c9cf2468b60bf4f80f136ed54b3989fb | False | 0.35289185209424084 | data | 5.691811547483722 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xcc000 | 0x706c | 0x4800 | 53b9025d545d65e23295e30afdbd16d9 | False | 0.04356553819444445 | DOS executable (block device driver @\273\) | 0.5846666986982398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xd4000 | 0x8293c | 0x82a00 | 4b6c1c7575aed01f8dcae02b6e8a09b5 | False | 0.9499046800239235 | data | 7.9393542959654315 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x157000 | 0x7594 | 0x7600 | c68ee8931a32d45eb82dc450ee40efc3 | False | 0.7628111758474576 | data | 6.7972128181359786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xd45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xd46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xd47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xd4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xd4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xd4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xd5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xd6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xd69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xd8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xda038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xda4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xda4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xdaa84 | 0x68a | data | English | Great Britain | 0.2735961768219833
RT_STRING | 0xdb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xdb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xdbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xdc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xdc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xdc7b8 | 0x79c04 | data | | | 1.0003228445613725
RT_GROUP_ICON | 0x1563bc | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x156434 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x156448 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x15645c | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x156470 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x15654c | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
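The section table and the resource table above carry two statistics per blob, Entropy and ZLIB Complexity, and two rows matter for triage: .rsrc at entropy 7.94, and the single RT_RCDATA resource of 0x79c04 bytes (93% of the 0x8293c-byte .rsrc section) whose complexity is above 1.0, meaning zlib could not shrink it at all. The script below is an added example, not part of the report or of Joe Sandbox. It recomputes both measures on constructed inputs, shows why a high-entropy verdict needs the compression ratio as a second opinion, and scans a blob for the "AU3!EA06" tag that AutoIt v3 compiled scripts carry in their script resource. Assumptions: ZLIB Complexity is compressed size divided by raw size (consistent with the 0x14-byte RT_GROUP_ICON rows scoring 1.15 and 1.25, where zlib framing outweighs any saving), the thresholds are the script's own, and the sample blobs are constructed here rather than carved from the file.

```python
"""Recompute the per-blob statistics from the section and resource tables and
decide which blobs deserve a closer look.

Added example, not Joe Sandbox code. Assumption: "ZLIB Complexity" is the
zlib-compressed size divided by the raw size; thresholds and the marker list
are this script's own.
"""
import hashlib
import math
import zlib

# Tags worth scanning an opaque RCDATA blob for. "AU3!EA06" is the marker an
# AutoIt v3 compiled script carries inside its resource; "MZ" is a nested PE.
AUTOIT_SCRIPT_MARKER = b"AU3!EA06"
PE_MARKER = b"MZ"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for a flat histogram."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return max(0.0, -sum((c / n) * math.log2(c / n) for c in counts if c))


def zlib_complexity(data: bytes) -> float:
    """Compressed size over raw size; about 1.0 or above means incompressible."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def classify_blob(name: str, data: bytes,
                  entropy_threshold: float = 7.2,
                  ratio_threshold: float = 0.95) -> dict:
    """Statistics plus a verdict. Both measures are required because a
    repeating byte pattern has entropy 8.0 yet compresses to almost nothing;
    only encrypted or already-compressed data scores high on both."""
    ent = shannon_entropy(data)
    ratio = zlib_complexity(data)
    markers = [m.decode() for m in (AUTOIT_SCRIPT_MARKER, PE_MARKER) if m in data]
    return {
        "name": name,
        "entropy": round(ent, 3),
        "zlib_complexity": round(ratio, 3),
        "likely_packed_or_encrypted": ent >= entropy_threshold and ratio >= ratio_threshold,
        "markers": markers,
    }


def pseudo_random_bytes(n: int) -> bytes:
    """Deterministic incompressible filler from a SHA-256 chain: a stand-in for
    an encrypted payload that keeps the example reproducible (no RNG)."""
    out = bytearray()
    block = b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def demo() -> dict:
    """Constructed inputs shaped like the three kinds of blob in the tables above."""
    samples = {
        "zero-filled": b"\x00" * 0x4800,                    # like .data: entropy 0
        "byte-ramp": bytes(range(256)) * 64,                 # entropy 8.0 but compressible
        "rcdata-like": pseudo_random_bytes(0x8000) + AUTOIT_SCRIPT_MARKER + b"\x00" * 16,
    }
    return {name: classify_blob(name, blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for row in demo().values():
        print(row)
```

On the real file the same two functions would be run over each section's raw bytes and over the RCDATA resource once it has been carved from the resource tree; the "byte-ramp" case is the one to keep in mind when reading an entropy column in isolation.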
DLL | Import
WSOCK32.dll | gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll | HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll | DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll | GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll | EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll | DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll | CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-05T17:11:04.702504+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 20.12.23.50 | 443 | 192.168.2.5 | 49710 | TCP
2024-11-05T17:11:43.737557+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 20.12.23.50 | 443 | 192.168.2.5 | 49910 | TCP
Both alerts were raised on server-to-client segments (source port 443) of a session with 20.12.23.50, which is almost certainly TLS; a byte-pattern rule cannot see CAB headers inside ciphertext, so treat these as noise unless the decrypted session shows a CAB download. Neither alert involves 110.4.45.197, the host contacted on port 21 in the packet list.
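The packet list that follows shows the analysis host opening one connection to 110.4.45.197 on port 21 and then, every second or two, a short client-initiated connection to a different high port of the same host (55400, 51240, 55039, later 59048), each one right after activity on the port-21 connection. Read per destination, that is the wire shape of passive-mode FTP: for every transfer the server names a fresh data port in its 227 reply and the client connects to it, so the fan-out across ports is not a port scan. The script below is an added example, not Joe Sandbox tooling. SAMPLE_PACKETS is a constructed subset of that table with the columns separated by " | ", and the passive-FTP heuristic is the script's own, so confirm it against the PASV/227 exchange on the control channel before relying on it.

```python
"""Turn a per-packet TCP table into per-host flow summaries and label the port
pattern. Added example, not Joe Sandbox tooling; the heuristic is an assumption.

Columns: timestamp | source port | destination port | source IP | destination IP.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

SANDBOX_HOST = "192.168.2.5"  # the analysis VM in the packet table

# Constructed subset of the packet table, same column order as the report.
SAMPLE_PACKETS = """\
Nov 5, 2024 17:10:48.217149019 CET | 49704 | 443 | 192.168.2.5 | 104.26.13.205
Nov 5, 2024 17:10:48.217200041 CET | 443 | 49704 | 104.26.13.205 | 192.168.2.5
Nov 5, 2024 17:10:49.945261002 CET | 49705 | 21 | 192.168.2.5 | 110.4.45.197
Nov 5, 2024 17:10:50.020809889 CET | 49706 | 21 | 192.168.2.5 | 110.4.45.197
Nov 5, 2024 17:10:50.025777102 CET | 21 | 49706 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:10:53.208343983 CET | 49707 | 55400 | 192.168.2.5 | 110.4.45.197
Nov 5, 2024 17:10:54.941332102 CET | 49708 | 51240 | 192.168.2.5 | 110.4.45.197
Nov 5, 2024 17:10:56.632824898 CET | 49709 | 55039 | 192.168.2.5 | 110.4.45.197
Nov 5, 2024 17:12:35.499159098 CET | 49983 | 59048 | 192.168.2.5 | 110.4.45.197
"""

Packet = Tuple[str, int, int, str, str]


def parse_packets(text: str) -> List[Packet]:
    """Rows are kept in table order, which is the only ordering the heuristic uses."""
    rows: List[Packet] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sport, dport, sip, dip = (c.strip() for c in line.split("|"))
        rows.append((ts, int(sport), int(dport), sip, dip))
    return rows


def outbound_ports(rows: List[Packet], client: str = SANDBOX_HOST) -> Dict[str, List[int]]:
    """Destination ports the client contacted per remote host, in first-seen order.
    Only client-originated packets count, so server replies never add ports."""
    seen: Dict[str, List[int]] = defaultdict(list)
    for _, _, dport, sip, dip in rows:
        if sip == client and dport not in seen[dip]:
            seen[dip].append(dport)
    return dict(seen)


def label_hosts(ports_by_host: Dict[str, List[int]], fanout_threshold: int = 3) -> Dict[str, str]:
    """Passive FTP on the wire: one long-lived connection to port 21, then a
    fresh client-initiated connection to a server-chosen high port for each
    transfer. The same fan-out without a preceding control connection is what a
    scan looks like, so the port-21 connection must come first."""
    labels: Dict[str, str] = {}
    for host, ports in ports_by_host.items():
        high = [p for p in ports if p > 1023]
        if 21 in ports and high and ports.index(21) < ports.index(high[0]):
            labels[host] = f"ftp-passive:{len(high)}-data-ports"
        elif len(ports) >= fanout_threshold:
            labels[host] = "port-fanout"
        else:
            labels[host] = "single-service"
    return labels


def analyse(text: str = SAMPLE_PACKETS) -> Dict[str, str]:
    return label_hosts(outbound_ports(parse_packets(text)))


if __name__ == "__main__":
    for host, label in analyse().items():
        print(host, label)
```

The label is only a prior: an FTP server does not have to live on port 21, and an attacker who knows this heuristic can wrap a scan in a decoy port-21 connection, which is why the control-channel payload (and, for a stealer, what was uploaded on the data connections) is the evidence that settles it.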
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 5, 2024 17:10:48.217149019 CET | 49704 | 443 | 192.168.2.5 | 104.26.13.205
Nov 5, 2024 17:10:48.217200041 CET | 443 | 49704 | 104.26.13.205 | 192.168.2.5
Nov 5, 2024 17:10:48.217323065 CET | 49704 | 443 | 192.168.2.5 | 104.26.13.205
Nov 5, 2024 17:10:48.225362062 CET | 49704 | 443 | 192.168.2.5 | 104.26.13.205
Nov 5, 2024 17:10:48.225373983 CET | 443 | 49704 | 104.26.13.205 | 192.168.2.5
Nov 5, 2024 17:10:48.841398001 CET | 443 | 49704 | 104.26.13.205 | 192.168.2.5
Nov 5, 2024 17:10:48.841514111 CET | 49704 | 443 | 192.168.2.5 | 104.26.13.205
Nov 5, 2024 17:10:48.846012115 CET | 49704 | 443 | 192.168.2.5 | 104.26.13.205
Nov 5, 2024 17:10:48.846021891 CET | 443 | 49704 | 104.26.13.205 | 192.168.2.5
Nov 5, 2024 17:10:48.846314907 CET | 443 | 49704 | 104.26.13.205 | 192.168.2.5
Nov 5, 2024 17:10:48.896133900 CET | 49704 | 443 | 192.168.2.5 | 104.26.13.205
Nov 5, 2024 17:10:48.899250984 CET | 49704 | 443 | 192.168.2.5 | 104.26.13.205
Nov 5, 2024 17:10:48.943335056 CET | 443 | 49704 | 104.26.13.205 | 192.168.2.5
Nov 5, 2024 17:10:49.080260038 CET | 443 | 49704 | 104.26.13.205 | 192.168.2.5
Nov 5, 2024 17:10:49.080439091 CET | 443 | 49704 | 104.26.13.205 | 192.168.2.5
Nov 5, 2024 17:10:49.080512047 CET | 49704 | 443 | 192.168.2.5 | 104.26.13.205
Nov 5, 2024 17:10:49.087086916 CET | 49704 | 443 | 192.168.2.5 | 104.26.13.205
Nov 5, 2024 17:10:49.945261002 CET | 49705 | 21 | 192.168.2.5 | 110.4.45.197
Nov 5, 2024 17:10:49.950284958 CET | 21 | 49705 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:10:49.950439930 CET | 49705 | 21 | 192.168.2.5 | 110.4.45.197
Nov 5, 2024 17:10:49.977458954 CET | 49705 | 21 | 192.168.2.5 | 110.4.45.197
Nov 5, 2024 17:10:49.982403994 CET | 21 | 49705 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:10:49.982510090 CET | 49705 | 21 | 192.168.2.5 | 110.4.45.197
Nov 5, 2024 17:10:50.020809889 CET | 49706 | 21 | 192.168.2.5 | 110.4.45.197
Nov 5, 2024 17:10:50.025777102 CET | 21 | 49706 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:10:50.025878906 CET | 49706 | 21 | 192.168.2.5 | 110.4.45.197
Nov 5, 2024 17:10:50.978171110 CET | 21 | 49706 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:10:50.978432894 CET | 49706 | 21 | 192.168.2.5 | 110.4.45.197
Nov 5, 2024 17:10:50.983609915 CET | 21 | 49706 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:10:51.336916924 CET | 21 | 49706 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:10:51.337089062 CET | 49706 | 21 | 192.168.2.5 | 110.4.45.197
Nov 5, 2024 17:10:51.341871023 CET | 21 | 49706 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:10:51.741452932 CET | 21 | 49706 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:10:51.741705894 CET | 49706 | 21 | 192.168.2.5 | 110.4.45.197
Nov 5, 2024 17:10:51.746546030 CET | 21 | 49706 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:10:52.099395990 CET | 21 | 49706 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:10:52.099703074 CET | 49706 | 21 | 192.168.2.5 | 110.4.45.197
Nov 5, 2024 17:10:52.105087996 CET | 21 | 49706 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:10:52.469384909 CET | 21 | 49706 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:10:52.469938993 CET | 49706 | 21 | 192.168.2.5 | 110.4.45.197
Nov 5, 2024 17:10:52.474790096 CET | 21 | 49706 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:10:52.829356909 CET | 21 | 49706 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:10:52.829595089 CET | 49706 | 21 | 192.168.2.5 | 110.4.45.197
Nov 5, 2024 17:10:52.834424973 CET | 21 | 49706 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:10:53.197475910 CET | 21 | 49706 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:10:53.208343983 CET | 49707 | 55400 | 192.168.2.5 | 110.4.45.197
Nov 5, 2024 17:10:53.213210106 CET | 55400 | 49707 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:10:53.213318110 CET | 49707 | 55400 | 192.168.2.5 | 110.4.45.197
Nov 5, 2024 17:10:53.215704918 CET | 49706 | 21 | 192.168.2.5 | 110.4.45.197
Nov 5, 2024 17:10:53.220649004 CET | 21 | 49706 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:10:54.183792114 CET | 21 | 49706 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:10:54.184099913 CET | 49707 | 55400 | 192.168.2.5 | 110.4.45.197
Nov 5, 2024 17:10:54.184154987 CET | 49707 | 55400 | 192.168.2.5 | 110.4.45.197
Nov 5, 2024 17:10:54.188970089 CET | 55400 | 49707 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:10:54.189637899 CET | 55400 | 49707 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:10:54.189691067 CET | 49707 | 55400 | 192.168.2.5 | 110.4.45.197
Nov 5, 2024 17:10:54.224416018 CET | 49706 | 21 | 192.168.2.5 | 110.4.45.197
Nov 5, 2024 17:10:54.549909115 CET | 21 | 49706 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:10:54.550702095 CET | 49706 | 21 | 192.168.2.5 | 110.4.45.197
Nov 5, 2024 17:10:54.555697918 CET | 21 | 49706 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:10:54.940757036 CET | 21 | 49706 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:10:54.941332102 CET | 49708 | 51240 | 192.168.2.5 | 110.4.45.197
Nov 5, 2024 17:10:54.946460009 CET | 51240 | 49708 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:10:54.946593046 CET | 49708 | 51240 | 192.168.2.5 | 110.4.45.197
Nov 5, 2024 17:10:54.946747065 CET | 49706 | 21 | 192.168.2.5 | 110.4.45.197
Nov 5, 2024 17:10:54.951601028 CET | 21 | 49706 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:10:55.899368048 CET | 21 | 49706 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:10:55.899677038 CET | 49708 | 51240 | 192.168.2.5 | 110.4.45.197
Nov 5, 2024 17:10:55.904966116 CET | 51240 | 49708 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:10:55.905379057 CET | 51240 | 49708 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:10:55.905441046 CET | 49708 | 51240 | 192.168.2.5 | 110.4.45.197
Nov 5, 2024 17:10:55.943022013 CET | 49706 | 21 | 192.168.2.5 | 110.4.45.197
Nov 5, 2024 17:10:56.263839960 CET | 21 | 49706 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:10:56.264426947 CET | 49706 | 21 | 192.168.2.5 | 110.4.45.197
Nov 5, 2024 17:10:56.269709110 CET | 21 | 49706 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:10:56.632280111 CET | 21 | 49706 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:10:56.632824898 CET | 49709 | 55039 | 192.168.2.5 | 110.4.45.197
Nov 5, 2024 17:10:56.637639046 CET | 55039 | 49709 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:10:56.637703896 CET | 49709 | 55039 | 192.168.2.5 | 110.4.45.197
Nov 5, 2024 17:10:56.637815952 CET | 49706 | 21 | 192.168.2.5 | 110.4.45.197
Nov 5, 2024 17:10:56.643281937 CET | 21 | 49706 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:10:57.686714888 CET | 21 | 49706 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:10:57.686956882 CET | 49709 | 55039 | 192.168.2.5 | 110.4.45.197
Nov 5, 2024 17:10:57.692728043 CET | 55039 | 49709 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:10:57.692785025 CET | 49709 | 55039 | 192.168.2.5 | 110.4.45.197
Nov 5, 2024 17:10:57.739902973 CET | 49706 | 21 | 192.168.2.5 | 110.4.45.197
Nov 5, 2024 17:10:58.040682077 CET | 21 | 49706 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:10:58.083663940 CET | 49706 | 21 | 192.168.2.5 | 110.4.45.197
Nov 5, 2024 17:12:32.297159910 CET | 49981 | 21 | 192.168.2.5 | 110.4.45.197
Nov 5, 2024 17:12:32.302635908 CET | 21 | 49981 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:12:32.302719116 CET | 49981 | 21 | 192.168.2.5 | 110.4.45.197
Nov 5, 2024 17:12:32.355961084 CET | 49982 | 21 | 192.168.2.5 | 110.4.45.197
Nov 5, 2024 17:12:32.361068010 CET | 21 | 49982 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:12:32.361140013 CET | 49982 | 21 | 192.168.2.5 | 110.4.45.197
Nov 5, 2024 17:12:33.272506952 CET | 21 | 49981 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:12:33.272980928 CET | 49981 | 21 | 192.168.2.5 | 110.4.45.197
Nov 5, 2024 17:12:33.278048038 CET | 21 | 49981 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:12:33.308090925 CET | 21 | 49982 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:12:33.313579082 CET | 49982 | 21 | 192.168.2.5 | 110.4.45.197
Nov 5, 2024 17:12:33.318485022 CET | 21 | 49982 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:12:33.653305054 CET | 21 | 49981 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:12:33.657690048 CET | 49981 | 21 | 192.168.2.5 | 110.4.45.197
Nov 5, 2024 17:12:33.663325071 CET | 21 | 49981 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:12:33.672970057 CET | 21 | 49982 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:12:33.677644968 CET | 49982 | 21 | 192.168.2.5 | 110.4.45.197
Nov 5, 2024 17:12:33.682487011 CET | 21 | 49982 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:12:34.065985918 CET | 21 | 49981 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:12:34.075620890 CET | 49981 | 21 | 192.168.2.5 | 110.4.45.197
Nov 5, 2024 17:12:34.075965881 CET | 21 | 49982 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:12:34.080550909 CET | 21 | 49981 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:12:34.086736917 CET | 49982 | 21 | 192.168.2.5 | 110.4.45.197
Nov 5, 2024 17:12:34.091562033 CET | 21 | 49982 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:12:34.426153898 CET | 21 | 49982 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:12:34.426343918 CET | 49982 | 21 | 192.168.2.5 | 110.4.45.197
Nov 5, 2024 17:12:34.431499004 CET | 21 | 49982 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:12:34.433691025 CET | 21 | 49981 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:12:34.433847904 CET | 49981 | 21 | 192.168.2.5 | 110.4.45.197
Nov 5, 2024 17:12:34.438678980 CET | 21 | 49981 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:12:34.789622068 CET | 21 | 49982 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:12:34.789750099 CET | 49982 | 21 | 192.168.2.5 | 110.4.45.197
Nov 5, 2024 17:12:34.794620991 CET | 21 | 49982 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:12:34.803688049 CET | 21 | 49981 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:12:34.803956032 CET | 49981 | 21 | 192.168.2.5 | 110.4.45.197
Nov 5, 2024 17:12:34.809438944 CET | 21 | 49981 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:12:35.145148039 CET | 21 | 49982 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:12:35.145499945 CET | 49982 | 21 | 192.168.2.5 | 110.4.45.197
Nov 5, 2024 17:12:35.151070118 CET | 21 | 49982 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:12:35.181807041 CET | 21 | 49981 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:12:35.182012081 CET | 49981 | 21 | 192.168.2.5 | 110.4.45.197
Nov 5, 2024 17:12:35.187006950 CET | 21 | 49981 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:12:35.498697042 CET | 21 | 49982 | 110.4.45.197 | 192.168.2.5
Nov 5, 2024 17:12:35.499159098 CET | 49983 | 59048 | 192.168.2.5 | 110.4.45.197
Nov 5, 2024 17:12:35.504225016 CET | 59048 | 49983 | 110.4.45.197 | 192.168.2.5
                                                                        Nov 5, 2024 17:12:35.504295111 CET4998359048192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:35.504350901 CET4998221192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:35.509229898 CET2149982110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:35.546495914 CET2149981110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:35.546925068 CET4998451110192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:35.551836014 CET5111049984110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:35.551909924 CET4998451110192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:35.551964998 CET4998121192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:35.556986094 CET2149981110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:36.439886093 CET2149982110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:36.440212965 CET4998359048192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:36.445131063 CET5904849983110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:36.445153952 CET5904849983110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:36.445163965 CET5904849983110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:36.445173979 CET5904849983110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:36.445194960 CET4998359048192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:36.445245981 CET4998359048192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:36.445282936 CET5904849983110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:36.445324898 CET4998359048192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:36.445365906 CET5904849983110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:36.445413113 CET4998359048192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:36.445446014 CET5904849983110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:36.445456028 CET5904849983110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:36.445463896 CET5904849983110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:36.445499897 CET4998359048192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:36.445517063 CET4998359048192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:36.445589066 CET5904849983110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:36.445633888 CET4998359048192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:36.450102091 CET5904849983110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:36.450113058 CET5904849983110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:36.450123072 CET5904849983110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:36.450131893 CET5904849983110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:36.450164080 CET5904849983110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:36.450176954 CET5904849983110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:36.450186014 CET5904849983110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:36.450187922 CET4998359048192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:36.450206041 CET5904849983110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:36.450227976 CET4998359048192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:36.450248003 CET4998359048192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:36.450383902 CET5904849983110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:36.450402021 CET5904849983110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:36.450422049 CET5904849983110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:36.450438976 CET4998359048192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:36.450467110 CET4998359048192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:36.450503111 CET5904849983110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:36.450896025 CET5904849983110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:36.455290079 CET5904849983110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:36.455370903 CET5904849983110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:36.455379963 CET5904849983110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:36.455389977 CET5904849983110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:36.455399036 CET5904849983110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:36.455410004 CET5904849983110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:36.455419064 CET5904849983110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:36.455429077 CET5904849983110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:36.455437899 CET5904849983110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:36.456434011 CET5904849983110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:36.456486940 CET4998359048192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:36.516165018 CET2149981110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:36.517388105 CET4998451110192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:36.517695904 CET4998451110192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:36.522310019 CET5111049984110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:36.522905111 CET5111049984110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:36.522955894 CET4998451110192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:36.532089949 CET4998221192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:36.572428942 CET4998121192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:36.879206896 CET2149981110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:36.879631042 CET4998121192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:36.885138035 CET2149981110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:36.885189056 CET4998121192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:36.895669937 CET4998521192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:36.900541067 CET2149985110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:36.900607109 CET4998521192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:37.258063078 CET2149982110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:37.381911993 CET4998221192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:37.916678905 CET2149985110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:37.916836977 CET4998521192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:37.921974897 CET2149985110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:38.269865990 CET2149985110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:38.270133018 CET4998521192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:38.275028944 CET2149985110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:38.631747007 CET2149985110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:38.631886005 CET4998521192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:38.636785984 CET2149985110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:38.979712963 CET2149985110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:38.981667995 CET4998521192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:38.986954927 CET2149985110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:39.338624001 CET2149985110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:39.338812113 CET4998521192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:39.345292091 CET2149985110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:39.689390898 CET2149985110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:39.689719915 CET4998521192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:39.696058035 CET2149985110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:40.036015034 CET2149985110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:40.039695978 CET4998660859192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:40.046217918 CET6085949986110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:40.047791958 CET4998660859192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:40.051757097 CET4998521192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:40.056852102 CET2149985110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:41.036556959 CET2149985110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:41.036904097 CET4998660859192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:41.036925077 CET4998660859192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:41.041764021 CET6085949986110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:41.042527914 CET6085949986110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:41.042576075 CET4998660859192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:41.085062027 CET4998521192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:41.381006002 CET2149985110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:41.589687109 CET4998521192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:42.277147055 CET4998521192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:42.282594919 CET2149985110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:42.626965046 CET2149985110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:42.627485991 CET4998757907192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:42.632327080 CET5790749987110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:42.632386923 CET4998757907192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:42.632441044 CET4998521192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:42.637861013 CET2149985110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:43.573545933 CET2149985110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:43.576064110 CET4998757907192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:43.580935955 CET5790749987110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:43.580990076 CET5790749987110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:43.581037045 CET5790749987110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:43.581046104 CET5790749987110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:43.581054926 CET5790749987110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:43.581095934 CET4998757907192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:43.581268072 CET4998757907192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:43.581465960 CET5790749987110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:43.581475973 CET5790749987110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:43.581511021 CET5790749987110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:43.581520081 CET5790749987110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:43.581559896 CET5790749987110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:43.581619978 CET4998757907192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:43.585951090 CET5790749987110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:43.585975885 CET5790749987110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:43.586039066 CET5790749987110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:43.586110115 CET5790749987110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:43.586118937 CET5790749987110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:43.586155891 CET5790749987110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:43.586158991 CET4998757907192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:43.586189032 CET4998757907192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:43.586211920 CET5790749987110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:43.586241961 CET4998757907192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:43.586292028 CET5790749987110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:43.586504936 CET4998757907192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:43.586569071 CET5790749987110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:43.586600065 CET5790749987110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:43.586699009 CET4998757907192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:43.586740017 CET5790749987110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:43.586873055 CET5790749987110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:43.591041088 CET5790749987110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:43.591172934 CET5790749987110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:43.591392040 CET5790749987110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:43.591448069 CET5790749987110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:43.591456890 CET5790749987110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:43.591495037 CET5790749987110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:43.591948032 CET5790749987110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:43.591995001 CET5790749987110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:43.592092037 CET5790749987110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:43.592101097 CET5790749987110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:43.592116117 CET5790749987110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:43.592160940 CET5790749987110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:43.592248917 CET5790749987110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:43.592257977 CET5790749987110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:43.592272043 CET5790749987110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:43.592662096 CET5790749987110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:43.597814083 CET4998757907192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:43.681714058 CET4998521192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:44.151632071 CET4998221192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:44.156748056 CET2149982110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:44.474982977 CET2149985110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:44.521121979 CET2149982110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:44.521759033 CET4998854693192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:44.527585030 CET5469349988110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:44.527661085 CET4998854693192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:44.527796030 CET4998221192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:44.533055067 CET2149982110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:44.564940929 CET4998521192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:45.471944094 CET2149982110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:45.481786013 CET4998854693192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:45.486685991 CET5469349988110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:45.486701012 CET5469349988110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:45.486721992 CET5469349988110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:45.486732006 CET5469349988110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:45.486736059 CET5469349988110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:45.486936092 CET5469349988110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:45.486944914 CET5469349988110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:45.486989975 CET5469349988110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:45.486995935 CET4998854693192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:45.486999035 CET5469349988110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:45.487030983 CET5469349988110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:45.487031937 CET4998854693192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:45.491928101 CET5469349988110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:45.491940022 CET5469349988110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:45.491952896 CET5469349988110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:45.491961956 CET4998854693192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:45.492003918 CET5469349988110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:45.492053032 CET4998854693192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:45.492146015 CET5469349988110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:45.492156029 CET5469349988110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:45.492326975 CET5469349988110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:45.492357016 CET4998854693192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:12:45.492429972 CET5469349988110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:12:45.492490053 CET4998854693192.168.2.5110.4.45.197
Timestamp                           Source Port  Dest Port  Source IP      Dest IP
Nov 5, 2024 17:12:45.493758917 CET  49988        54693      192.168.2.5    110.4.45.197
Nov 5, 2024 17:12:45.496841908 CET  54693        49988      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:45.496911049 CET  54693        49988      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:45.496922016 CET  54693        49988      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:45.496948957 CET  54693        49988      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:45.497483969 CET  54693        49988      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:45.497493982 CET  54693        49988      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:45.497504950 CET  54693        49988      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:45.497514963 CET  54693        49988      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:45.497524023 CET  54693        49988      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:45.497531891 CET  54693        49988      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:45.497550964 CET  54693        49988      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:45.497560024 CET  54693        49988      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:45.497603893 CET  54693        49988      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:45.497612953 CET  54693        49988      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:45.497756004 CET  54693        49988      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:45.497765064 CET  54693        49988      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:45.497775078 CET  54693        49988      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:45.498541117 CET  54693        49988      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:45.498550892 CET  54693        49988      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:45.498809099 CET  54693        49988      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:45.499845982 CET  49988        54693      192.168.2.5    110.4.45.197
Nov 5, 2024 17:12:45.678900003 CET  49982        21         192.168.2.5    110.4.45.197
Nov 5, 2024 17:12:46.316385031 CET  21           49982      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:46.390718937 CET  49982        21         192.168.2.5    110.4.45.197
Nov 5, 2024 17:12:54.950130939 CET  49982        21         192.168.2.5    110.4.45.197
Nov 5, 2024 17:12:54.955044031 CET  21           49982      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:55.318734884 CET  21           49982      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:55.319370031 CET  49989        54551      192.168.2.5    110.4.45.197
Nov 5, 2024 17:12:55.324287891 CET  54551        49989      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:55.324361086 CET  49989        54551      192.168.2.5    110.4.45.197
Nov 5, 2024 17:12:55.324455023 CET  49982        21         192.168.2.5    110.4.45.197
Nov 5, 2024 17:12:55.329830885 CET  21           49982      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:56.275445938 CET  21           49982      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:56.278249025 CET  49989        54551      192.168.2.5    110.4.45.197
Nov 5, 2024 17:12:56.283293962 CET  54551        49989      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:56.283320904 CET  54551        49989      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:56.283343077 CET  54551        49989      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:56.283353090 CET  54551        49989      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:56.283364058 CET  54551        49989      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:56.283385038 CET  54551        49989      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:56.283392906 CET  54551        49989      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:56.283421993 CET  54551        49989      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:56.283454895 CET  49989        54551      192.168.2.5    110.4.45.197
Nov 5, 2024 17:12:56.283545971 CET  49989        54551      192.168.2.5    110.4.45.197
Nov 5, 2024 17:12:56.283548117 CET  54551        49989      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:56.283593893 CET  54551        49989      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:56.285620928 CET  49989        54551      192.168.2.5    110.4.45.197
Nov 5, 2024 17:12:56.288537979 CET  54551        49989      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:56.288553953 CET  54551        49989      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:56.288575888 CET  54551        49989      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:56.288590908 CET  54551        49989      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:56.288602114 CET  54551        49989      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:56.288610935 CET  54551        49989      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:56.288621902 CET  54551        49989      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:56.288635969 CET  49989        54551      192.168.2.5    110.4.45.197
Nov 5, 2024 17:12:56.288680077 CET  49989        54551      192.168.2.5    110.4.45.197
Nov 5, 2024 17:12:56.288695097 CET  54551        49989      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:56.288738966 CET  49989        54551      192.168.2.5    110.4.45.197
Nov 5, 2024 17:12:56.288773060 CET  49989        54551      192.168.2.5    110.4.45.197
Nov 5, 2024 17:12:56.290628910 CET  54551        49989      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:56.290791988 CET  54551        49989      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:56.290890932 CET  49989        54551      192.168.2.5    110.4.45.197
Nov 5, 2024 17:12:56.293534040 CET  54551        49989      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:56.315298080 CET  54551        49989      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:56.323945999 CET  54551        49989      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:56.326044083 CET  49989        54551      192.168.2.5    110.4.45.197
Nov 5, 2024 17:12:56.410815001 CET  49982        21         192.168.2.5    110.4.45.197
Nov 5, 2024 17:12:56.860074997 CET  49985        21         192.168.2.5    110.4.45.197
Nov 5, 2024 17:12:56.865051031 CET  21           49985      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:57.098598003 CET  21           49982      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:57.179074049 CET  49982        21         192.168.2.5    110.4.45.197
Nov 5, 2024 17:12:57.206954956 CET  21           49985      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:57.207407951 CET  49990        60673      192.168.2.5    110.4.45.197
Nov 5, 2024 17:12:57.212562084 CET  60673        49990      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:57.212662935 CET  49990        60673      192.168.2.5    110.4.45.197
Nov 5, 2024 17:12:57.212723970 CET  49985        21         192.168.2.5    110.4.45.197
Nov 5, 2024 17:12:57.218302011 CET  21           49985      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:58.155122042 CET  21           49985      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:58.155455112 CET  49990        60673      192.168.2.5    110.4.45.197
Nov 5, 2024 17:12:58.160567045 CET  60673        49990      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:58.160615921 CET  60673        49990      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:58.160667896 CET  60673        49990      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:58.160677910 CET  60673        49990      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:58.160703897 CET  49990        60673      192.168.2.5    110.4.45.197
Nov 5, 2024 17:12:58.160792112 CET  60673        49990      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:58.160795927 CET  49990        60673      192.168.2.5    110.4.45.197
Nov 5, 2024 17:12:58.160814047 CET  60673        49990      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:58.160881042 CET  60673        49990      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:58.160883904 CET  49990        60673      192.168.2.5    110.4.45.197
Nov 5, 2024 17:12:58.160932064 CET  60673        49990      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:58.160958052 CET  49990        60673      192.168.2.5    110.4.45.197
Nov 5, 2024 17:12:58.161006927 CET  60673        49990      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:58.161020041 CET  60673        49990      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:58.161026955 CET  49990        60673      192.168.2.5    110.4.45.197
Nov 5, 2024 17:12:58.161065102 CET  49990        60673      192.168.2.5    110.4.45.197
Nov 5, 2024 17:12:58.161065102 CET  49990        60673      192.168.2.5    110.4.45.197
Nov 5, 2024 17:12:58.165632963 CET  60673        49990      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:58.165714979 CET  60673        49990      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:58.165724039 CET  60673        49990      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:58.165733099 CET  60673        49990      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:58.165751934 CET  60673        49990      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:58.165760994 CET  60673        49990      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:58.165841103 CET  60673        49990      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:58.165863991 CET  49990        60673      192.168.2.5    110.4.45.197
Nov 5, 2024 17:12:58.165919065 CET  49990        60673      192.168.2.5    110.4.45.197
Nov 5, 2024 17:12:58.165934086 CET  60673        49990      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:58.165968895 CET  60673        49990      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:58.165994883 CET  49990        60673      192.168.2.5    110.4.45.197
Nov 5, 2024 17:12:58.166145086 CET  49990        60673      192.168.2.5    110.4.45.197
Nov 5, 2024 17:12:58.171116114 CET  60673        49990      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:58.171253920 CET  49990        60673      192.168.2.5    110.4.45.197
Nov 5, 2024 17:12:58.171416044 CET  60673        49990      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:58.176299095 CET  60673        49990      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:58.176307917 CET  60673        49990      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:58.177170992 CET  60673        49990      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:58.177303076 CET  49990        60673      192.168.2.5    110.4.45.197
Nov 5, 2024 17:12:58.289916039 CET  49985        21         192.168.2.5    110.4.45.197
Nov 5, 2024 17:12:58.969660044 CET  21           49985      110.4.45.197   192.168.2.5
Nov 5, 2024 17:12:59.079931974 CET  49985        21         192.168.2.5    110.4.45.197
Nov 5, 2024 17:13:02.215408087 CET  49985        21         192.168.2.5    110.4.45.197
Nov 5, 2024 17:13:02.220278978 CET  21           49985      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:02.556874990 CET  21           49985      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:02.557399035 CET  49991        60691      192.168.2.5    110.4.45.197
Nov 5, 2024 17:13:02.562971115 CET  60691        49991      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:02.563034058 CET  49991        60691      192.168.2.5    110.4.45.197
Nov 5, 2024 17:13:02.563152075 CET  49985        21         192.168.2.5    110.4.45.197
Nov 5, 2024 17:13:02.568017006 CET  21           49985      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:03.471445084 CET  21           49985      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:03.476197004 CET  49991        60691      192.168.2.5    110.4.45.197
Nov 5, 2024 17:13:03.481040001 CET  60691        49991      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:03.481084108 CET  60691        49991      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:03.481095076 CET  60691        49991      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:03.481144905 CET  60691        49991      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:03.481153965 CET  60691        49991      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:03.481199026 CET  49991        60691      192.168.2.5    110.4.45.197
Nov 5, 2024 17:13:03.481285095 CET  60691        49991      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:03.481303930 CET  60691        49991      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:03.481389999 CET  60691        49991      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:03.481400013 CET  60691        49991      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:03.481410027 CET  60691        49991      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:03.481494904 CET  49991        60691      192.168.2.5    110.4.45.197
Nov 5, 2024 17:13:03.486002922 CET  60691        49991      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:03.486126900 CET  60691        49991      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:03.486136913 CET  60691        49991      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:03.486152887 CET  60691        49991      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:03.486162901 CET  60691        49991      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:03.486171007 CET  60691        49991      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:03.486180067 CET  60691        49991      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:03.486254930 CET  60691        49991      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:03.486279011 CET  49991        60691      192.168.2.5    110.4.45.197
Nov 5, 2024 17:13:03.486371040 CET  60691        49991      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:03.486402035 CET  49991        60691      192.168.2.5    110.4.45.197
Nov 5, 2024 17:13:03.486416101 CET  60691        49991      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:03.486432076 CET  60691        49991      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:03.486450911 CET  49991        60691      192.168.2.5    110.4.45.197
Nov 5, 2024 17:13:03.486692905 CET  60691        49991      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:03.486737967 CET  49991        60691      192.168.2.5    110.4.45.197
Nov 5, 2024 17:13:03.491187096 CET  60691        49991      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:03.491218090 CET  60691        49991      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:03.491235018 CET  60691        49991      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:03.491297007 CET  60691        49991      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:03.491395950 CET  60691        49991      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:03.491482973 CET  60691        49991      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:03.491571903 CET  60691        49991      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:03.491642952 CET  60691        49991      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:03.491651058 CET  60691        49991      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:03.491678953 CET  60691        49991      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:03.491703987 CET  60691        49991      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:03.491724014 CET  60691        49991      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:03.491777897 CET  60691        49991      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:03.491786957 CET  60691        49991      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:03.491887093 CET  60691        49991      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:03.491895914 CET  60691        49991      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:03.491913080 CET  60691        49991      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:03.491928101 CET  60691        49991      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:03.492255926 CET  60691        49991      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:03.494041920 CET  49991        60691      192.168.2.5    110.4.45.197
Nov 5, 2024 17:13:03.585396051 CET  49985        21         192.168.2.5    110.4.45.197
Nov 5, 2024 17:13:04.256613970 CET  21           49985      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:04.426954031 CET  49985        21         192.168.2.5    110.4.45.197
Nov 5, 2024 17:13:22.172518969 CET  49985        21         192.168.2.5    110.4.45.197
Nov 5, 2024 17:13:22.177650928 CET  21           49985      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:22.507436037 CET  21           49985      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:22.508059025 CET  49992        63446      192.168.2.5    110.4.45.197
Nov 5, 2024 17:13:22.512995958 CET  63446        49992      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:22.513060093 CET  49992        63446      192.168.2.5    110.4.45.197
Nov 5, 2024 17:13:22.513149023 CET  49985        21         192.168.2.5    110.4.45.197
Nov 5, 2024 17:13:22.517975092 CET  21           49985      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:23.414892912 CET  21           49985      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:23.420263052 CET  49985        21         192.168.2.5    110.4.45.197
Nov 5, 2024 17:13:23.425437927 CET  21           49985      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:23.432295084 CET  49985        21         192.168.2.5    110.4.45.197
Nov 5, 2024 17:13:23.975974083 CET  63446        49992      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:23.976059914 CET  49992        63446      192.168.2.5    110.4.45.197
Nov 5, 2024 17:13:35.123091936 CET  49982        21         192.168.2.5    110.4.45.197
Nov 5, 2024 17:13:35.128060102 CET  21           49982      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:35.489629030 CET  21           49982      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:35.490199089 CET  49993        64496      192.168.2.5    110.4.45.197
Nov 5, 2024 17:13:35.495279074 CET  64496        49993      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:35.495498896 CET  49993        64496      192.168.2.5    110.4.45.197
Nov 5, 2024 17:13:35.495609045 CET  49982        21         192.168.2.5    110.4.45.197
Nov 5, 2024 17:13:35.500364065 CET  21           49982      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:36.294410944 CET  49994        21         192.168.2.5    110.4.45.197
Nov 5, 2024 17:13:36.302838087 CET  21           49994      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:36.303112984 CET  49994        21         192.168.2.5    110.4.45.197
Nov 5, 2024 17:13:36.303347111 CET  49994        21         192.168.2.5    110.4.45.197
Nov 5, 2024 17:13:36.311788082 CET  21           49994      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:36.323060989 CET  21           49994      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:36.323211908 CET  49994        21         192.168.2.5    110.4.45.197
Nov 5, 2024 17:13:36.447402954 CET  21           49982      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:36.447752953 CET  49993        64496      192.168.2.5    110.4.45.197
Nov 5, 2024 17:13:36.452955008 CET  64496        49993      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:36.453003883 CET  64496        49993      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:36.453011990 CET  64496        49993      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:36.453067064 CET  64496        49993      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:36.453073025 CET  49993        64496      192.168.2.5    110.4.45.197
Nov 5, 2024 17:13:36.453075886 CET  64496        49993      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:36.453083992 CET  64496        49993      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:36.453124046 CET  64496        49993      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:36.453133106 CET  64496        49993      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:36.453140974 CET  64496        49993      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:36.453142881 CET  49993        64496      192.168.2.5    110.4.45.197
Nov 5, 2024 17:13:36.453151941 CET  64496        49993      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:36.453223944 CET  49993        64496      192.168.2.5    110.4.45.197
Nov 5, 2024 17:13:36.458158970 CET  64496        49993      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:36.458173990 CET  64496        49993      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:36.458183050 CET  64496        49993      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:36.458192110 CET  64496        49993      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:36.458213091 CET  64496        49993      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:36.458221912 CET  64496        49993      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:36.458251953 CET  49993        64496      192.168.2.5    110.4.45.197
Nov 5, 2024 17:13:36.458261013 CET  64496        49993      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:36.458271027 CET  64496        49993      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:36.458281040 CET  64496        49993      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:36.458282948 CET  49993        64496      192.168.2.5    110.4.45.197
Nov 5, 2024 17:13:36.458337069 CET  49993        64496      192.168.2.5    110.4.45.197
Nov 5, 2024 17:13:36.458343983 CET  64496        49993      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:36.458353043 CET  64496        49993      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:36.458362103 CET  49993        64496      192.168.2.5    110.4.45.197
Nov 5, 2024 17:13:36.458365917 CET  64496        49993      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:36.458379030 CET  49993        64496      192.168.2.5    110.4.45.197
Nov 5, 2024 17:13:36.458421946 CET  49993        64496      192.168.2.5    110.4.45.197
Nov 5, 2024 17:13:36.463973045 CET  64496        49993      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:36.464025021 CET  64496        49993      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:36.464034081 CET  64496        49993      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:36.464042902 CET  64496        49993      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:36.464054108 CET  64496        49993      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:36.464061975 CET  64496        49993      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:36.464066029 CET  64496        49993      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:36.464075089 CET  64496        49993      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:36.464087009 CET  64496        49993      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:36.464095116 CET  64496        49993      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:36.464102983 CET  64496        49993      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:36.464111090 CET  64496        49993      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:36.464119911 CET  64496        49993      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:36.464133024 CET  64496        49993      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:36.464142084 CET  64496        49993      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:36.464149952 CET  64496        49993      110.4.45.197   192.168.2.5
Nov 5, 2024 17:13:36.464158058 CET  64496        49993      110.4.45.197   192.168.2.5
                                                                        Nov 5, 2024 17:13:36.464165926 CET6449649993110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:13:36.464174032 CET6449649993110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:13:36.464231968 CET6449649993110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:13:36.464410067 CET4999364496192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:13:36.492006063 CET4998221192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:13:37.252393961 CET2149982110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:13:37.304501057 CET4998221192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:14:14.860318899 CET4998221192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:14:14.865211010 CET2149982110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:15.193813086 CET2149982110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:15.194364071 CET4999555289192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:14:15.199193954 CET5528949995110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:15.199256897 CET4999555289192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:14:15.199348927 CET4998221192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:14:15.204150915 CET2149982110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:17.193522930 CET2149982110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:17.193831921 CET4999555289192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:14:17.198990107 CET5528949995110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:17.199016094 CET5528949995110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:17.199081898 CET4999555289192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:14:17.199110031 CET4999555289192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:14:17.199111938 CET5528949995110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:17.199121952 CET5528949995110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:17.199157000 CET4999555289192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:14:17.199182987 CET4999555289192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:14:17.199197054 CET5528949995110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:17.199242115 CET4999555289192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:14:17.199306011 CET5528949995110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:17.199348927 CET4999555289192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:14:17.199350119 CET5528949995110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:17.199399948 CET4999555289192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:14:17.199429035 CET5528949995110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:17.199446917 CET5528949995110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:17.199456930 CET5528949995110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:17.199482918 CET4999555289192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:14:17.199523926 CET4999555289192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:14:17.204125881 CET5528949995110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:17.204135895 CET5528949995110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:17.204145908 CET5528949995110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:17.204154968 CET5528949995110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:17.204195023 CET4999555289192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:14:17.204219103 CET4999555289192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:14:17.204262018 CET5528949995110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:17.204271078 CET5528949995110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:17.204303026 CET4999555289192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:14:17.204315901 CET4999555289192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:14:17.204391003 CET5528949995110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:17.204400063 CET5528949995110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:17.204453945 CET4999555289192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:14:17.204500914 CET5528949995110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:17.204533100 CET5528949995110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:17.204555035 CET4999555289192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:14:17.204607964 CET4999555289192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:14:17.204706907 CET5528949995110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:17.204752922 CET4999555289192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:14:17.209193945 CET5528949995110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:17.209287882 CET5528949995110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:17.209342957 CET5528949995110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:17.209477901 CET5528949995110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:17.209522009 CET5528949995110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:17.209569931 CET5528949995110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:17.209630013 CET5528949995110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:17.209701061 CET5528949995110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:17.209708929 CET5528949995110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:17.209723949 CET5528949995110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:17.209783077 CET5528949995110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:17.209791899 CET5528949995110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:17.209800959 CET5528949995110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:17.209836006 CET5528949995110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:17.209845066 CET5528949995110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:17.209947109 CET5528949995110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:17.210015059 CET5528949995110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:17.210024118 CET5528949995110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:17.211337090 CET5528949995110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:17.211348057 CET5528949995110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:17.211395025 CET4999555289192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:14:17.351712942 CET4998221192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:14:18.035343885 CET2149982110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:18.117568016 CET4998221192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:14:24.389051914 CET4998221192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:14:24.394294024 CET2149982110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:24.723521948 CET2149982110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:24.724056005 CET4999654575192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:14:24.729166031 CET5457549996110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:24.729235888 CET4999654575192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:14:24.729357958 CET4998221192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:14:24.734368086 CET2149982110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:25.133531094 CET4999654575192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:14:25.139075994 CET5457549996110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:25.139137983 CET4999654575192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:14:25.631181955 CET2149982110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:25.631582975 CET2149982110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:25.631719112 CET4998221192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:14:25.633989096 CET4998221192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:14:26.595221996 CET4999721192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:14:26.601161003 CET2149997110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:26.601248980 CET4999721192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:14:26.601572990 CET4999721192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:14:26.608114004 CET2149997110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:26.608169079 CET4999721192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:14:30.612314939 CET4999821192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:14:30.617454052 CET2149998110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:30.617515087 CET4999821192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:14:30.617871046 CET4999821192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:14:30.622989893 CET2149998110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:30.623044014 CET4999821192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:14:34.756378889 CET4999921192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:14:34.761430025 CET2149999110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:34.761548042 CET4999921192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:14:34.761750937 CET4999921192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:14:34.767178059 CET2149999110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:34.767230034 CET4999921192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:14:34.768794060 CET4970621192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:14:34.768888950 CET4999263446192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:14:41.653592110 CET5000021192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:14:41.662815094 CET2150000110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:41.667798996 CET5000021192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:14:41.667799950 CET5000021192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:14:41.674467087 CET2150000110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:41.681387901 CET5000021192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:14:52.700786114 CET5000121192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:14:52.705840111 CET2150001110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:52.705938101 CET5000121192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:14:53.616082907 CET2150001110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:53.616255999 CET5000121192.168.2.5110.4.45.197
                                                                        Nov 5, 2024 17:14:53.621121883 CET2150001110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:53.949790955 CET2150001110.4.45.197192.168.2.5
                                                                        Nov 5, 2024 17:14:53.992858887 CET5000121192.168.2.5110.4.45.197
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 5, 2024 17:10:48.201493025 CET | 53148 | 53 | 192.168.2.5 | 1.1.1.1
Nov 5, 2024 17:10:48.208720922 CET | 53 | 53148 | 1.1.1.1 | 192.168.2.5
Nov 5, 2024 17:10:49.675369978 CET | 51551 | 53 | 192.168.2.5 | 1.1.1.1
Nov 5, 2024 17:10:49.944159031 CET | 53 | 51551 | 1.1.1.1 | 192.168.2.5

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 5, 2024 17:10:48.201493025 CET | 192.168.2.5 | 1.1.1.1 | 0xf080 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Nov 5, 2024 17:10:49.675369978 CET | 192.168.2.5 | 1.1.1.1 | 0x3c85 | Standard query (0) | ftp.haliza.com.my | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 5, 2024 17:10:48.208720922 CET | 1.1.1.1 | 192.168.2.5 | 0xf080 | No error (0) | api.ipify.org | (none) | 104.26.13.205 | A (IP address) | IN (0x0001) | false
Nov 5, 2024 17:10:48.208720922 CET | 1.1.1.1 | 192.168.2.5 | 0xf080 | No error (0) | api.ipify.org | (none) | 104.26.12.205 | A (IP address) | IN (0x0001) | false
Nov 5, 2024 17:10:48.208720922 CET | 1.1.1.1 | 192.168.2.5 | 0xf080 | No error (0) | api.ipify.org | (none) | 172.67.74.152 | A (IP address) | IN (0x0001) | false
Nov 5, 2024 17:10:49.944159031 CET | 1.1.1.1 | 192.168.2.5 | 0x3c85 | No error (0) | ftp.haliza.com.my | (none) | 110.4.45.197 | A (IP address) | IN (0x0001) | false
                                                                        • api.ipify.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 104.26.13.205 | 443 | 6656 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-05 16:10:48 UTC | 155 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Host: api.ipify.org
Connection: Keep-Alive
2024-11-05 16:10:49 UTC | 399 | IN | HTTP/1.1 200 OK
Date: Tue, 05 Nov 2024 16:10:49 GMT
Content-Type: text/plain
Content-Length: 14
Connection: close
Vary: Origin
cf-cache-status: DYNAMIC
Server: cloudflare
CF-RAY: 8dde1db80ad82cd5-DFW
server-timing: cfL4;desc="?proto=TCP&rtt=1656&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2816&recv_bytes=769&delivery_rate=1388302&cwnd=251&unsent_bytes=0&cid=628d47a9d3b6c80d&ts=251&x=0"
2024-11-05 16:10:49 UTC | 14 | IN | Data Raw: 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36
Data Ascii: 173.254.250.76


Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Nov 5, 2024 17:10:50.978171110 CET | 21 | 49706 | 110.4.45.197 | 192.168.2.5 | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 9 of 50 allowed.
220-Local time is now 00:10. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
Nov 5, 2024 17:10:50.978432894 CET | 49706 | 21 | 192.168.2.5 | 110.4.45.197 | USER origin@haliza.com.my
Nov 5, 2024 17:10:51.336916924 CET | 21 | 49706 | 110.4.45.197 | 192.168.2.5 | 331 User origin@haliza.com.my OK. Password required
Nov 5, 2024 17:10:51.337089062 CET | 49706 | 21 | 192.168.2.5 | 110.4.45.197 | PASS JesusChrist007$
Nov 5, 2024 17:10:51.741452932 CET | 21 | 49706 | 110.4.45.197 | 192.168.2.5 | 230 OK. Current restricted directory is /
Nov 5, 2024 17:10:52.099395990 CET | 21 | 49706 | 110.4.45.197 | 192.168.2.5 | 504 Unknown command
Nov 5, 2024 17:10:52.099703074 CET | 49706 | 21 | 192.168.2.5 | 110.4.45.197 | PWD
Nov 5, 2024 17:10:52.469384909 CET | 21 | 49706 | 110.4.45.197 | 192.168.2.5 | 257 "/" is your current location
Nov 5, 2024 17:10:52.469938993 CET | 49706 | 21 | 192.168.2.5 | 110.4.45.197 | TYPE I
Nov 5, 2024 17:10:52.829356909 CET | 21 | 49706 | 110.4.45.197 | 192.168.2.5 | 200 TYPE is now 8-bit binary
Nov 5, 2024 17:10:52.829595089 CET | 49706 | 21 | 192.168.2.5 | 110.4.45.197 | PASV
Nov 5, 2024 17:10:53.197475910 CET | 21 | 49706 | 110.4.45.197 | 192.168.2.5 | 227 Entering Passive Mode (110,4,45,197,216,104)
Nov 5, 2024 17:10:53.215704918 CET | 49706 | 21 | 192.168.2.5 | 110.4.45.197 | STOR CO_Chrome_Default.txt_user-936905_2024_11_05_11_40_48.txt
Nov 5, 2024 17:10:54.183792114 CET | 21 | 49706 | 110.4.45.197 | 192.168.2.5 | 150 Accepted data connection
Nov 5, 2024 17:10:54.549909115 CET | 21 | 49706 | 110.4.45.197 | 192.168.2.5 | 226-File successfully transferred
226 0.375 seconds (measured here), 0.75 Kbytes per second
Nov 5, 2024 17:10:54.550702095 CET | 49706 | 21 | 192.168.2.5 | 110.4.45.197 | PASV
Nov 5, 2024 17:10:54.940757036 CET | 21 | 49706 | 110.4.45.197 | 192.168.2.5 | 227 Entering Passive Mode (110,4,45,197,200,40)
Nov 5, 2024 17:10:54.946747065 CET | 49706 | 21 | 192.168.2.5 | 110.4.45.197 | STOR CO_Edge Chromium_Default.txt_user-936905_2024_11_05_17_59_10.txt
Nov 5, 2024 17:10:55.899368048 CET | 21 | 49706 | 110.4.45.197 | 192.168.2.5 | 150 Accepted data connection
Nov 5, 2024 17:10:56.263839960 CET | 21 | 49706 | 110.4.45.197 | 192.168.2.5 | 226 File successfully transferred
Nov 5, 2024 17:10:56.264426947 CET | 49706 | 21 | 192.168.2.5 | 110.4.45.197 | PASV
Nov 5, 2024 17:10:56.632280111 CET | 21 | 49706 | 110.4.45.197 | 192.168.2.5 | 227 Entering Passive Mode (110,4,45,197,214,255)
Nov 5, 2024 17:10:56.637815952 CET | 49706 | 21 | 192.168.2.5 | 110.4.45.197 | STOR CO_Firefox_v6zchhhv.default-release.txt_user-936905_2024_11_05_20_17_52.txt
Nov 5, 2024 17:10:57.686714888 CET | 21 | 49706 | 110.4.45.197 | 192.168.2.5 | 150 Accepted data connection
Nov 5, 2024 17:10:58.040682077 CET | 21 | 49706 | 110.4.45.197 | 192.168.2.5 | 226 File successfully transferred
Nov 5, 2024 17:12:33.272506952 CET | 21 | 49981 | 110.4.45.197 | 192.168.2.5 | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 10 of 50 allowed.
220-Local time is now 00:12. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
Nov 5, 2024 17:12:33.272980928 CET | 49981 | 21 | 192.168.2.5 | 110.4.45.197 | USER origin@haliza.com.my
Nov 5, 2024 17:12:33.308090925 CET | 21 | 49982 | 110.4.45.197 | 192.168.2.5 | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 11 of 50 allowed.
220-Local time is now 00:12. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
Nov 5, 2024 17:12:33.313579082 CET | 49982 | 21 | 192.168.2.5 | 110.4.45.197 | USER origin@haliza.com.my
Nov 5, 2024 17:12:33.653305054 CET | 21 | 49981 | 110.4.45.197 | 192.168.2.5 | 331 User origin@haliza.com.my OK. Password required
Nov 5, 2024 17:12:33.657690048 CET | 49981 | 21 | 192.168.2.5 | 110.4.45.197 | PASS JesusChrist007$
Nov 5, 2024 17:12:33.672970057 CET | 21 | 49982 | 110.4.45.197 | 192.168.2.5 | 331 User origin@haliza.com.my OK. Password required
                                                                        Nov 5, 2024 17:12:33.677644968 CET4998221192.168.2.5110.4.45.197PASS JesusChrist007$
                                                                        Nov 5, 2024 17:12:34.065985918 CET2149981110.4.45.197192.168.2.5230 OK. Current restricted directory is /
                                                                        Nov 5, 2024 17:12:34.075965881 CET2149982110.4.45.197192.168.2.5230 OK. Current restricted directory is /
                                                                        Nov 5, 2024 17:12:34.426153898 CET2149982110.4.45.197192.168.2.5504 Unknown command
                                                                        Nov 5, 2024 17:12:34.426343918 CET4998221192.168.2.5110.4.45.197PWD
                                                                        Nov 5, 2024 17:12:34.433691025 CET2149981110.4.45.197192.168.2.5504 Unknown command
                                                                        Nov 5, 2024 17:12:34.433847904 CET4998121192.168.2.5110.4.45.197PWD
                                                                        Nov 5, 2024 17:12:34.789622068 CET2149982110.4.45.197192.168.2.5257 "/" is your current location
                                                                        Nov 5, 2024 17:12:34.789750099 CET4998221192.168.2.5110.4.45.197TYPE I
                                                                        Nov 5, 2024 17:12:34.803688049 CET2149981110.4.45.197192.168.2.5257 "/" is your current location
                                                                        Nov 5, 2024 17:12:34.803956032 CET4998121192.168.2.5110.4.45.197TYPE I
                                                                        Nov 5, 2024 17:12:35.145148039 CET2149982110.4.45.197192.168.2.5200 TYPE is now 8-bit binary
                                                                        Nov 5, 2024 17:12:35.145499945 CET4998221192.168.2.5110.4.45.197PASV
                                                                        Nov 5, 2024 17:12:35.181807041 CET2149981110.4.45.197192.168.2.5200 TYPE is now 8-bit binary
                                                                        Nov 5, 2024 17:12:35.182012081 CET4998121192.168.2.5110.4.45.197PASV
                                                                        Nov 5, 2024 17:12:35.498697042 CET2149982110.4.45.197192.168.2.5227 Entering Passive Mode (110,4,45,197,230,168)
                                                                        Nov 5, 2024 17:12:35.504350901 CET4998221192.168.2.5110.4.45.197STOR SC_user-936905_2024_11_23_17_53_34.jpeg
                                                                        Nov 5, 2024 17:12:35.546495914 CET2149981110.4.45.197192.168.2.5227 Entering Passive Mode (110,4,45,197,199,166)
                                                                        Nov 5, 2024 17:12:35.551964998 CET4998121192.168.2.5110.4.45.197STOR KL_user-936905_2024_11_23_16_42_45.html
                                                                        Nov 5, 2024 17:12:36.439886093 CET2149982110.4.45.197192.168.2.5150 Accepted data connection
                                                                        Nov 5, 2024 17:12:36.516165018 CET2149981110.4.45.197192.168.2.5150 Accepted data connection
                                                                        Nov 5, 2024 17:12:36.879206896 CET2149981110.4.45.197192.168.2.5226-File successfully transferred
                                                                        226-File successfully transferred226 0.362 seconds (measured here), 0.77 Kbytes per second
                                                                        Nov 5, 2024 17:12:37.258063078 CET2149982110.4.45.197192.168.2.5226-File successfully transferred
                                                                        226-File successfully transferred226 0.808 seconds (measured here), 91.16 Kbytes per second
                                                                        Nov 5, 2024 17:12:37.916678905 CET2149985110.4.45.197192.168.2.5220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                                                                        220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 11 of 50 allowed.
                                                                        220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 11 of 50 allowed.220-Local time is now 00:12. Server port: 21.
                                                                        220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 11 of 50 allowed.220-Local time is now 00:12. Server port: 21.220-This is a private system - No anonymous login
                                                                        220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 11 of 50 allowed.220-Local time is now 00:12. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.
                                                                        220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 11 of 50 allowed.220-Local time is now 00:12. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
                                                                        Nov 5, 2024 17:12:37.916836977 CET4998521192.168.2.5110.4.45.197USER origin@haliza.com.my
                                                                        Nov 5, 2024 17:12:38.269865990 CET2149985110.4.45.197192.168.2.5331 User origin@haliza.com.my OK. Password required
                                                                        Nov 5, 2024 17:12:38.270133018 CET4998521192.168.2.5110.4.45.197PASS JesusChrist007$
                                                                        Nov 5, 2024 17:12:38.631747007 CET2149985110.4.45.197192.168.2.5230 OK. Current restricted directory is /
                                                                        Nov 5, 2024 17:12:38.979712963 CET2149985110.4.45.197192.168.2.5504 Unknown command
                                                                        Nov 5, 2024 17:12:38.981667995 CET4998521192.168.2.5110.4.45.197PWD
                                                                        Nov 5, 2024 17:12:39.338624001 CET2149985110.4.45.197192.168.2.5257 "/" is your current location
                                                                        Nov 5, 2024 17:12:39.338812113 CET4998521192.168.2.5110.4.45.197TYPE I
                                                                        Nov 5, 2024 17:12:39.689390898 CET2149985110.4.45.197192.168.2.5200 TYPE is now 8-bit binary
                                                                        Nov 5, 2024 17:12:39.689719915 CET4998521192.168.2.5110.4.45.197PASV
                                                                        Nov 5, 2024 17:12:40.036015034 CET2149985110.4.45.197192.168.2.5227 Entering Passive Mode (110,4,45,197,237,187)
                                                                        Nov 5, 2024 17:12:40.051757097 CET4998521192.168.2.5110.4.45.197STOR KL_user-936905_2024_11_27_16_18_29.html
                                                                        Nov 5, 2024 17:12:41.036556959 CET2149985110.4.45.197192.168.2.5150 Accepted data connection
                                                                        Nov 5, 2024 17:12:41.381006002 CET2149985110.4.45.197192.168.2.5226-File successfully transferred
                                                                        226-File successfully transferred226 0.362 seconds (measured here), 0.62 Kbytes per second
                                                                        Nov 5, 2024 17:12:42.277147055 CET4998521192.168.2.5110.4.45.197PASV
                                                                        Nov 5, 2024 17:12:42.626965046 CET2149985110.4.45.197192.168.2.5227 Entering Passive Mode (110,4,45,197,226,51)
                                                                        Nov 5, 2024 17:12:42.632441044 CET4998521192.168.2.5110.4.45.197STOR SC_user-936905_2024_12_02_05_29_34.jpeg
                                                                        Nov 5, 2024 17:12:43.573545933 CET2149985110.4.45.197192.168.2.5150 Accepted data connection
                                                                        Nov 5, 2024 17:12:44.151632071 CET4998221192.168.2.5110.4.45.197PASV
                                                                        Nov 5, 2024 17:12:44.474982977 CET2149985110.4.45.197192.168.2.5226-File successfully transferred
                                                                        226-File successfully transferred226 0.877 seconds (measured here), 84.03 Kbytes per second
                                                                        Nov 5, 2024 17:12:44.521121979 CET2149982110.4.45.197192.168.2.5227 Entering Passive Mode (110,4,45,197,213,165)
                                                                        Nov 5, 2024 17:12:44.527796030 CET4998221192.168.2.5110.4.45.197STOR SC_user-936905_2024_12_05_05_44_07.jpeg
                                                                        Nov 5, 2024 17:12:45.471944094 CET2149982110.4.45.197192.168.2.5150 Accepted data connection
                                                                        Nov 5, 2024 17:12:46.316385031 CET2149982110.4.45.197192.168.2.5226-File successfully transferred
                                                                        226-File successfully transferred226 0.853 seconds (measured here), 86.38 Kbytes per second
                                                                        Nov 5, 2024 17:12:54.950130939 CET4998221192.168.2.5110.4.45.197PASV
                                                                        Nov 5, 2024 17:12:55.318734884 CET2149982110.4.45.197192.168.2.5227 Entering Passive Mode (110,4,45,197,213,23)
                                                                        Nov 5, 2024 17:12:55.324455023 CET4998221192.168.2.5110.4.45.197STOR SC_user-936905_2024_12_13_03_01_36.jpeg
                                                                        Nov 5, 2024 17:12:56.275445938 CET2149982110.4.45.197192.168.2.5150 Accepted data connection
                                                                        Nov 5, 2024 17:12:56.860074997 CET4998521192.168.2.5110.4.45.197PASV
                                                                        Nov 5, 2024 17:12:57.098598003 CET2149982110.4.45.197192.168.2.5226-File successfully transferred
                                                                        226-File successfully transferred226 0.834 seconds (measured here), 88.27 Kbytes per second
                                                                        Nov 5, 2024 17:12:57.206954956 CET2149985110.4.45.197192.168.2.5227 Entering Passive Mode (110,4,45,197,237,1)
                                                                        Nov 5, 2024 17:12:57.212723970 CET4998521192.168.2.5110.4.45.197STOR SC_user-936905_2024_12_16_03_14_31.jpeg
                                                                        Nov 5, 2024 17:12:58.155122042 CET2149985110.4.45.197192.168.2.5150 Accepted data connection
                                                                        Nov 5, 2024 17:12:58.969660044 CET2149985110.4.45.197192.168.2.5226-File successfully transferred
                                                                        226-File successfully transferred226 0.828 seconds (measured here), 88.96 Kbytes per second
                                                                        Nov 5, 2024 17:13:02.215408087 CET4998521192.168.2.5110.4.45.197PASV
                                                                        Nov 5, 2024 17:13:02.556874990 CET2149985110.4.45.197192.168.2.5227 Entering Passive Mode (110,4,45,197,237,19)
                                                                        Nov 5, 2024 17:13:02.563152075 CET4998521192.168.2.5110.4.45.197STOR SC_user-936905_2024_12_20_14_13_44.jpeg
                                                                        Nov 5, 2024 17:13:03.471445084 CET2149985110.4.45.197192.168.2.5150 Accepted data connection
                                                                        Nov 5, 2024 17:13:04.256613970 CET2149985110.4.45.197192.168.2.5226-File successfully transferred
                                                                        226-File successfully transferred226 0.778 seconds (measured here), 94.84 Kbytes per second
                                                                        Nov 5, 2024 17:13:22.172518969 CET4998521192.168.2.5110.4.45.197PASV
                                                                        Nov 5, 2024 17:13:22.507436037 CET2149985110.4.45.197192.168.2.5227 Entering Passive Mode (110,4,45,197,247,214)
                                                                        Nov 5, 2024 17:13:22.513149023 CET4998521192.168.2.5110.4.45.197STOR SC_user-936905_2025_01_04_23_27_38.jpeg
                                                                        Nov 5, 2024 17:13:23.414892912 CET2149985110.4.45.197192.168.2.5150 Accepted data connection
                                                                        Nov 5, 2024 17:13:35.123091936 CET4998221192.168.2.5110.4.45.197PASV
                                                                        Nov 5, 2024 17:13:35.489629030 CET2149982110.4.45.197192.168.2.5227 Entering Passive Mode (110,4,45,197,251,240)
                                                                        Nov 5, 2024 17:13:35.495609045 CET4998221192.168.2.5110.4.45.197STOR SC_user-936905_2025_01_12_14_50_58.jpeg
                                                                        Nov 5, 2024 17:13:36.447402954 CET2149982110.4.45.197192.168.2.5150 Accepted data connection
                                                                        Nov 5, 2024 17:13:37.252393961 CET2149982110.4.45.197192.168.2.5226-File successfully transferred
                                                                        226-File successfully transferred226 0.812 seconds (measured here), 90.72 Kbytes per second
                                                                        Nov 5, 2024 17:14:14.860318899 CET4998221192.168.2.5110.4.45.197PASV
                                                                        Nov 5, 2024 17:14:15.193813086 CET2149982110.4.45.197192.168.2.5227 Entering Passive Mode (110,4,45,197,215,249)
                                                                        Nov 5, 2024 17:14:15.199348927 CET4998221192.168.2.5110.4.45.197STOR SC_user-936905_2025_02_02_13_00_38.jpeg
                                                                        Nov 5, 2024 17:14:17.193522930 CET2149982110.4.45.197192.168.2.5150 Accepted data connection
                                                                        Nov 5, 2024 17:14:18.035343885 CET2149982110.4.45.197192.168.2.5226-File successfully transferred
                                                                        226-File successfully transferred226 0.866 seconds (measured here), 89.45 Kbytes per second
                                                                        Nov 5, 2024 17:14:24.389051914 CET4998221192.168.2.5110.4.45.197PASV
                                                                        Nov 5, 2024 17:14:24.723521948 CET2149982110.4.45.197192.168.2.5227 Entering Passive Mode (110,4,45,197,213,47)
                                                                        Nov 5, 2024 17:14:24.729357958 CET4998221192.168.2.5110.4.45.197STOR SC_user-936905_2025_02_08_19_37_35.jpeg
                                                                        Nov 5, 2024 17:14:25.631181955 CET2149982110.4.45.197192.168.2.5150 Accepted data connection
                                                                        Nov 5, 2024 17:14:25.631582975 CET2149982110.4.45.197192.168.2.5226 File successfully transferred
                                                                        Nov 5, 2024 17:14:53.616082907 CET2150001110.4.45.197192.168.2.5220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                                                                        220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 7 of 50 allowed.
                                                                        220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 7 of 50 allowed.220-Local time is now 00:14. Server port: 21.
                                                                        220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 7 of 50 allowed.220-Local time is now 00:14. Server port: 21.220-This is a private system - No anonymous login
                                                                        220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 7 of 50 allowed.220-Local time is now 00:14. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.
                                                                        220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 7 of 50 allowed.220-Local time is now 00:14. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
                                                                        Nov 5, 2024 17:14:53.616255999 CET5000121192.168.2.5110.4.45.197USER origin@haliza.com.my
                                                                        Nov 5, 2024 17:14:53.949790955 CET2150001110.4.45.197192.168.2.5331 User origin@haliza.com.my OK. Password required

                                                                        Target ID:0
                                                                        Start time:11:10:44
                                                                        Start date:05/11/2024
                                                                        Path:C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe"
                                                                        Imagebase:0x470000
                                                                        File size:1'414'144 bytes
                                                                        MD5 hash:F488EA907A7447947FDD751CE2D1D0DA
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2054880460.0000000003300000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2054880460.0000000003300000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000000.00000002.2054880460.0000000003300000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                        • Rule: MALWARE_Win_AgentTeslaV2, Description: AgenetTesla Type 2 Keylogger payload, Source: 00000000.00000002.2054880460.0000000003300000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                        Reputation:low
                                                                        Has exited:true

                                                                        Target ID:2
                                                                        Start time:11:10:45
                                                                        Start date:05/11/2024
                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe"
                                                                        Imagebase:0xd00000
                                                                        File size:45'984 bytes
                                                                        MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4493085046.0000000002FDB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.4493085046.0000000002FDB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4491744353.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.4491744353.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                        Reputation:high
                                                                        Has exited:false

                                                                        Target ID:3
                                                                        Start time:11:10:57
                                                                        Start date:05/11/2024
                                                                        Path:C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
                                                                        Imagebase:0xa90000
                                                                        File size:45'984 bytes
                                                                        MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Antivirus matches:
                                                                        • Detection: 0%, ReversingLabs
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:4
                                                                        Start time:11:10:57
                                                                        Start date:05/11/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6d64d0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:6
                                                                        Start time:11:11:05
                                                                        Start date:05/11/2024
                                                                        Path:C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
Imagebase: 0x220000
File size: 45'984 bytes
MD5 hash: 9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 11:11:05
Start date: 05/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true


Execution Graph

Execution Coverage: 2.7%
Dynamic/Decrypted Code Coverage: 1.1%
Signature Coverage: 5.5%
Total number of Nodes: 1583
Total number of Limit Nodes: 42
97051->96856 97052->96856 97053->96856 97054->96876 97055->96882 97056->96856 97058 477525 97057->97058 97059 477522 97057->97059 97060 47752d 97058->97060 97061 47755b 97058->97061 97059->96997 97110 4951c6 26 API calls 97060->97110 97063 4b50f6 97061->97063 97066 47756d 97061->97066 97071 4b500f 97061->97071 97113 495183 26 API calls 97063->97113 97064 47753d 97070 48fddb 22 API calls 97064->97070 97111 48fb21 51 API calls 97066->97111 97068 4b510e 97068->97068 97072 477547 97070->97072 97074 48fe0b 22 API calls 97071->97074 97079 4b5088 97071->97079 97073 479cb3 22 API calls 97072->97073 97073->97059 97076 4b5058 97074->97076 97075 48fddb 22 API calls 97077 4b507f 97075->97077 97076->97075 97078 479cb3 22 API calls 97077->97078 97078->97079 97112 48fb21 51 API calls 97079->97112 97081 47575c CreateFileW 97080->97081 97082 4b4035 97080->97082 97083 47577b 97081->97083 97082->97083 97084 4b403b CreateFileW 97082->97084 97083->97008 97083->97009 97084->97083 97085 4b4063 97084->97085 97114 4754c6 SetFilePointerEx SetFilePointerEx SetFilePointerEx 97085->97114 97087 4b406e 97087->97083 97088->96970 97089->96988 97091 476362 97090->97091 97092 4b4a51 97090->97092 97115 476373 97091->97115 97125 474a88 22 API calls __fread_nolock 97092->97125 97095 4b4a5b 97097 4b4a67 97095->97097 97126 47a8c7 22 API calls __fread_nolock 97095->97126 97096 47636e 97096->96994 97099 4dd4ce lstrlenW GetFileAttributesW FindFirstFileW FindClose 97096->97099 97099->96999 97100->97014 97101->97006 97102->97013 97103->97018 97105 4dcd0e 97104->97105 97106 4dcd19 WriteFile 97104->97106 97132 4dcc37 SetFilePointerEx SetFilePointerEx SetFilePointerEx 97105->97132 97106->97016 97108->97023 97109->97023 97110->97064 97111->97064 97112->97063 97113->97068 97114->97087 97116 476382 97115->97116 97122 4763b6 __fread_nolock 97115->97122 97117 4b4a82 97116->97117 97118 4763a9 97116->97118 97116->97122 97120 48fddb 22 API calls 97117->97120 97127 47a587 97118->97127 97121 4b4a91 97120->97121 97123 
48fe0b 22 API calls 97121->97123 97122->97096 97124 4b4ac5 __fread_nolock 97123->97124 97125->97095 97126->97097 97128 47a59d 97127->97128 97131 47a598 __fread_nolock 97127->97131 97129 4bf80f 97128->97129 97130 48fe0b 22 API calls 97128->97130 97130->97131 97131->97122 97132->97106 97162 476270 97133->97162 97135 479fd2 97136 47a4a1 22 API calls 97135->97136 97138 479fec 97136->97138 97138->97029 97140 47a6c3 22 API calls 97160 479eb5 97140->97160 97141 4bf7c4 97172 4d96e2 84 API calls __wsopen_s 97141->97172 97142 4bf699 97147 48fddb 22 API calls 97142->97147 97143 47a405 97143->97138 97173 4d96e2 84 API calls __wsopen_s 97143->97173 97149 4bf754 97147->97149 97148 4bf7d2 97150 47a4a1 22 API calls 97148->97150 97152 48fe0b 22 API calls 97149->97152 97151 4bf7e8 97150->97151 97151->97138 97154 47a12c __fread_nolock 97152->97154 97154->97141 97154->97143 97155 47a587 22 API calls 97155->97160 97156 47a4a1 22 API calls 97156->97160 97157 47aec9 22 API calls 97158 47a0db CharUpperBuffW 97157->97158 97168 47a673 22 API calls 97158->97168 97160->97135 97160->97140 97160->97141 97160->97142 97160->97143 97160->97154 97160->97155 97160->97156 97160->97157 97167 474573 41 API calls _wcslen 97160->97167 97169 4748c8 23 API calls 97160->97169 97170 4749bd 22 API calls __fread_nolock 97160->97170 97171 47a673 22 API calls 97160->97171 97161->97033 97163 48fe0b 22 API calls 97162->97163 97164 476295 97163->97164 97165 48fddb 22 API calls 97164->97165 97166 4762a3 97165->97166 97166->97160 97167->97160 97168->97160 97169->97160 97170->97160 97171->97160 97172->97148 97173->97138 97175 4e99e8 97174->97175 97176 4e9902 97174->97176 97232 4e9caa 39 API calls 97175->97232 97178 48fddb 22 API calls 97176->97178 97179 4e9909 97178->97179 97180 48fe0b 22 API calls 97179->97180 97181 4e991a 97180->97181 97184 476246 CloseHandle 97181->97184 97182 4e99a2 97183 4e9ac5 97182->97183 97187 4e99ca 97182->97187 97190 4e9a33 97182->97190 97225 4e1e96 97183->97225 97186 4e9925 97184->97186 
97189 47a961 22 API calls 97186->97189 97187->97040 97188 4e9acc 97195 4dccff 4 API calls 97188->97195 97191 4e992d 97189->97191 97193 477510 53 API calls 97190->97193 97192 476246 CloseHandle 97191->97192 97194 4e9934 97192->97194 97203 4e9a3a 97193->97203 97196 477510 53 API calls 97194->97196 97219 4e9aa8 97195->97219 97199 4e9940 97196->97199 97197 4e9abb 97244 4dcd57 30 API calls 97197->97244 97201 476246 CloseHandle 97199->97201 97200 4e9a6e 97202 476270 22 API calls 97200->97202 97205 4e994a 97201->97205 97206 4e9a7e 97202->97206 97203->97197 97203->97200 97204 476246 CloseHandle 97207 4e9b1e 97204->97207 97208 475745 5 API calls 97205->97208 97209 4e9a8e 97206->97209 97233 47a8c7 22 API calls __fread_nolock 97206->97233 97245 476216 CloseHandle messages 97207->97245 97211 4e9959 97208->97211 97234 4733c6 97209->97234 97214 4e995d 97211->97214 97215 4e99c2 97211->97215 97229 4753de 27 API calls messages 97214->97229 97231 476216 CloseHandle messages 97215->97231 97219->97187 97219->97204 97221 4e996b 97230 4753c7 SetFilePointerEx SetFilePointerEx SetFilePointerEx 97221->97230 97223 4e9972 97223->97182 97224 4dccff 4 API calls 97223->97224 97224->97182 97226 4e1e9f 97225->97226 97228 4e1ea4 97225->97228 97246 4e0f67 24 API calls __fread_nolock 97226->97246 97228->97188 97229->97221 97230->97223 97231->97187 97232->97182 97233->97209 97235 4b30bb 97234->97235 97236 4733dd 97234->97236 97237 48fddb 22 API calls 97235->97237 97247 4733ee 97236->97247 97240 4b30c5 _wcslen 97237->97240 97239 4733e8 97243 4dcd57 30 API calls 97239->97243 97241 48fe0b 22 API calls 97240->97241 97242 4b30fe __fread_nolock 97241->97242 97243->97219 97244->97219 97245->97187 97246->97228 97248 4733fe _wcslen 97247->97248 97249 4b311d 97248->97249 97250 473411 97248->97250 97252 48fddb 22 API calls 97249->97252 97251 47a587 22 API calls 97250->97251 97254 47341e __fread_nolock 97251->97254 97253 4b3127 97252->97253 97255 48fe0b 22 API calls 97253->97255 97254->97239 97256 4b3157 
__fread_nolock 97255->97256 97258 477510 53 API calls 97257->97258 97259 4f7f90 97258->97259 97262 4f7fd5 messages 97259->97262 97295 4f8cd3 97259->97295 97261 4f8049 97261->97262 97269 477510 53 API calls 97261->97269 97282 4f8281 97261->97282 97327 4d417d 22 API calls __fread_nolock 97261->97327 97328 4f851d 42 API calls _strftime 97261->97328 97262->97043 97263 4f844f 97336 4f8ee4 60 API calls 97263->97336 97266 4f845e 97267 4f828f 97266->97267 97268 4f846a 97266->97268 97308 4f7e86 97267->97308 97268->97262 97269->97261 97274 4f82c8 97323 48fc70 97274->97323 97277 4f82e8 97329 4e359c 82 API calls __wsopen_s 97277->97329 97278 4f8302 97330 4763eb 22 API calls 97278->97330 97281 4f82f3 GetCurrentProcess TerminateProcess 97281->97278 97282->97263 97282->97267 97283 4f8311 97331 476a50 22 API calls 97283->97331 97285 4f832a 97294 4f8352 97285->97294 97332 4804f0 22 API calls 97285->97332 97287 4f84c5 97287->97262 97291 4f84d9 FreeLibrary 97287->97291 97288 4f8341 97333 4f8b7b 75 API calls 97288->97333 97291->97262 97294->97287 97334 4804f0 22 API calls 97294->97334 97335 47aceb 23 API calls messages 97294->97335 97337 4f8b7b 75 API calls 97294->97337 97296 47aec9 22 API calls 97295->97296 97297 4f8cee CharLowerBuffW 97296->97297 97338 4d8e54 97297->97338 97301 47a961 22 API calls 97302 4f8d2a 97301->97302 97345 476d25 22 API calls __fread_nolock 97302->97345 97304 4f8d3e 97305 4793b2 22 API calls 97304->97305 97307 4f8d48 _wcslen 97305->97307 97306 4f8e5e _wcslen 97306->97261 97307->97306 97346 4f851d 42 API calls _strftime 97307->97346 97309 4f7ea1 97308->97309 97313 4f7eec 97308->97313 97310 48fe0b 22 API calls 97309->97310 97311 4f7ec3 97310->97311 97312 48fddb 22 API calls 97311->97312 97311->97313 97312->97311 97314 4f9096 97313->97314 97315 4f92ab messages 97314->97315 97322 4f90ba _strcat _wcslen 97314->97322 97315->97274 97316 47b6b5 39 API calls 97316->97322 97317 47b567 39 API calls 97317->97322 97318 47b38f 39 API calls 97318->97322 97319 477510 53 API 
calls 97319->97322 97320 49ea0c 21 API calls ___std_exception_copy 97320->97322 97322->97315 97322->97316 97322->97317 97322->97318 97322->97319 97322->97320 97349 4defae 24 API calls _wcslen 97322->97349 97324 48fc85 97323->97324 97325 48fd1d VirtualProtect 97324->97325 97326 48fceb 97324->97326 97325->97326 97326->97277 97326->97278 97327->97261 97328->97261 97329->97281 97330->97283 97331->97285 97332->97288 97333->97294 97334->97294 97335->97294 97336->97266 97337->97294 97340 4d8e74 _wcslen 97338->97340 97339 4d8f63 97339->97301 97339->97307 97340->97339 97341 4d8ea9 97340->97341 97342 4d8f68 97340->97342 97341->97339 97347 48ce60 41 API calls 97341->97347 97342->97339 97348 48ce60 41 API calls 97342->97348 97345->97304 97346->97306 97347->97341 97348->97342 97349->97322 97351 47ae01 97350->97351 97354 47ae1c messages 97350->97354 97352 47aec9 22 API calls 97351->97352 97353 47ae09 CharUpperBuffW 97352->97353 97353->97354 97354->96893 97356 47acae 97355->97356 97358 47acd1 97356->97358 97386 4e359c 82 API calls __wsopen_s 97356->97386 97358->96947 97360 4bfadb 97359->97360 97361 47ad92 97359->97361 97362 48fddb 22 API calls 97361->97362 97363 47ad99 97362->97363 97387 47adcd 97363->97387 97366->96944 97367->96948 97368->96948 97369->96897 97370->96936 97371->96911 97372->96936 97373->96936 97374->96947 97375->96947 97376->96947 97377->96947 97378->96947 97379->96947 97380->96924 97381->96936 97382->96932 97383->96933 97384->96941 97385->96936 97386->97358 97393 47addd 97387->97393 97388 47adb6 97388->96947 97389 48fddb 22 API calls 97389->97393 97390 47a961 22 API calls 97390->97393 97392 47adcd 22 API calls 97392->97393 97393->97388 97393->97389 97393->97390 97393->97392 97394 47a8c7 22 API calls __fread_nolock 97393->97394 97394->97393 97395 4c3a41 97399 4e10c0 97395->97399 97397 4c3a4c 97398 4e10c0 53 API calls 97397->97398 97398->97397 97400 4e10fa 97399->97400 97404 4e10cd 97399->97404 97400->97397 97401 4e10fc 97411 48fa11 53 API calls 97401->97411 97402 
4e1101 97405 477510 53 API calls 97402->97405 97404->97400 97404->97401 97404->97402 97408 4e10f4 97404->97408 97406 4e1108 97405->97406 97407 476350 22 API calls 97406->97407 97407->97400 97410 47b270 39 API calls 97408->97410 97410->97400 97411->97402 97412 4b2ba5 97413 472b25 97412->97413 97414 4b2baf 97412->97414 97440 472b83 7 API calls 97413->97440 97455 473a5a 97414->97455 97418 4b2bb8 97420 479cb3 22 API calls 97418->97420 97422 4b2bc6 97420->97422 97421 472b2f 97432 472b44 97421->97432 97444 473837 97421->97444 97423 4b2bce 97422->97423 97424 4b2bf5 97422->97424 97427 4733c6 22 API calls 97423->97427 97426 4733c6 22 API calls 97424->97426 97428 4b2bf1 GetForegroundWindow ShellExecuteW 97426->97428 97429 4b2bd9 97427->97429 97434 4b2c26 97428->97434 97433 476350 22 API calls 97429->97433 97431 472b5f 97438 472b66 SetCurrentDirectoryW 97431->97438 97432->97431 97454 4730f2 Shell_NotifyIconW ___scrt_fastfail 97432->97454 97436 4b2be7 97433->97436 97434->97431 97437 4733c6 22 API calls 97436->97437 97437->97428 97439 472b7a 97438->97439 97462 472cd4 7 API calls 97440->97462 97442 472b2a 97443 472c63 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 97442->97443 97443->97421 97445 473862 ___scrt_fastfail 97444->97445 97463 474212 97445->97463 97448 4738e8 97450 473906 Shell_NotifyIconW 97448->97450 97451 4b3386 Shell_NotifyIconW 97448->97451 97467 473923 97450->97467 97453 47391c 97453->97432 97454->97431 97456 4b1f50 __wsopen_s 97455->97456 97457 473a67 GetModuleFileNameW 97456->97457 97458 479cb3 22 API calls 97457->97458 97459 473a8d 97458->97459 97460 473aa2 23 API calls 97459->97460 97461 473a97 97460->97461 97461->97418 97462->97442 97464 4738b7 97463->97464 97465 4b35a4 97463->97465 97464->97448 97489 4dc874 42 API calls _strftime 97464->97489 97465->97464 97466 4b35ad DestroyIcon 97465->97466 97466->97464 97468 47393f 97467->97468 97487 473a13 97467->97487 97469 476270 22 API calls 97468->97469 97470 47394d 97469->97470 97471 4b3393 LoadStringW 
97470->97471 97472 47395a 97470->97472 97474 4b33ad 97471->97474 97473 476b57 22 API calls 97472->97473 97475 47396f 97473->97475 97482 473994 ___scrt_fastfail 97474->97482 97490 47a8c7 22 API calls __fread_nolock 97474->97490 97476 4b33c9 97475->97476 97477 47397c 97475->97477 97480 476350 22 API calls 97476->97480 97477->97474 97479 473986 97477->97479 97481 476350 22 API calls 97479->97481 97483 4b33d7 97480->97483 97481->97482 97485 4739f9 Shell_NotifyIconW 97482->97485 97483->97482 97484 4733c6 22 API calls 97483->97484 97486 4b33f9 97484->97486 97485->97487 97488 4733c6 22 API calls 97486->97488 97487->97453 97488->97482 97489->97448 97490->97482 97491 472e37 97492 47a961 22 API calls 97491->97492 97493 472e4d 97492->97493 97570 474ae3 97493->97570 97495 472e6b 97496 473a5a 24 API calls 97495->97496 97497 472e7f 97496->97497 97498 479cb3 22 API calls 97497->97498 97499 472e8c 97498->97499 97500 474ecb 94 API calls 97499->97500 97501 472ea5 97500->97501 97502 472ead 97501->97502 97503 4b2cb0 97501->97503 97584 47a8c7 22 API calls __fread_nolock 97502->97584 97504 4e2cf9 80 API calls 97503->97504 97505 4b2cc3 97504->97505 97506 4b2ccf 97505->97506 97509 474f39 68 API calls 97505->97509 97512 474f39 68 API calls 97506->97512 97508 472ec3 97585 476f88 22 API calls 97508->97585 97509->97506 97511 472ecf 97513 479cb3 22 API calls 97511->97513 97514 4b2ce5 97512->97514 97515 472edc 97513->97515 97602 473084 22 API calls 97514->97602 97586 47a81b 41 API calls 97515->97586 97518 472eec 97520 479cb3 22 API calls 97518->97520 97519 4b2d02 97603 473084 22 API calls 97519->97603 97522 472f12 97520->97522 97587 47a81b 41 API calls 97522->97587 97523 4b2d1e 97525 473a5a 24 API calls 97523->97525 97526 4b2d44 97525->97526 97604 473084 22 API calls 97526->97604 97527 472f21 97529 47a961 22 API calls 97527->97529 97531 472f3f 97529->97531 97530 4b2d50 97605 47a8c7 22 API calls __fread_nolock 97530->97605 97588 473084 22 API calls 97531->97588 97534 4b2d5e 97606 473084 22 API 
calls 97534->97606 97535 472f4b 97589 494a28 40 API calls 3 library calls 97535->97589 97537 4b2d6d 97607 47a8c7 22 API calls __fread_nolock 97537->97607 97539 472f59 97539->97514 97540 472f63 97539->97540 97590 494a28 40 API calls 3 library calls 97540->97590 97543 4b2d83 97608 473084 22 API calls 97543->97608 97544 472f6e 97544->97519 97546 472f78 97544->97546 97591 494a28 40 API calls 3 library calls 97546->97591 97547 4b2d90 97549 472f83 97549->97523 97550 472f8d 97549->97550 97592 494a28 40 API calls 3 library calls 97550->97592 97552 472f98 97553 472fdc 97552->97553 97593 473084 22 API calls 97552->97593 97553->97537 97554 472fe8 97553->97554 97554->97547 97596 4763eb 22 API calls 97554->97596 97556 472fbf 97594 47a8c7 22 API calls __fread_nolock 97556->97594 97559 472ff8 97597 476a50 22 API calls 97559->97597 97560 472fcd 97595 473084 22 API calls 97560->97595 97563 473006 97598 4770b0 23 API calls 97563->97598 97567 473021 97568 473065 97567->97568 97599 476f88 22 API calls 97567->97599 97600 4770b0 23 API calls 97567->97600 97601 473084 22 API calls 97567->97601 97571 474af0 __wsopen_s 97570->97571 97572 476b57 22 API calls 97571->97572 97573 474b22 97571->97573 97572->97573 97577 474b58 97573->97577 97609 474c6d 97573->97609 97575 474c29 97576 474c5e 97575->97576 97578 479cb3 22 API calls 97575->97578 97576->97495 97577->97575 97579 479cb3 22 API calls 97577->97579 97582 47515f 22 API calls 97577->97582 97583 474c6d 22 API calls 97577->97583 97580 474c52 97578->97580 97579->97577 97581 47515f 22 API calls 97580->97581 97581->97576 97582->97577 97583->97577 97584->97508 97585->97511 97586->97518 97587->97527 97588->97535 97589->97539 97590->97544 97591->97549 97592->97552 97593->97556 97594->97560 97595->97553 97596->97559 97597->97563 97598->97567 97599->97567 97600->97567 97601->97567 97602->97519 97603->97523 97604->97530 97605->97534 97606->97537 97607->97543 97608->97547 97610 47aec9 22 API calls 97609->97610 97611 474c78 97610->97611 97611->97573 
97612 473156 97615 473170 97612->97615 97616 473187 97615->97616 97617 47318c 97616->97617 97618 4731eb 97616->97618 97655 4731e9 97616->97655 97619 473265 PostQuitMessage 97617->97619 97620 473199 97617->97620 97622 4b2dfb 97618->97622 97623 4731f1 97618->97623 97627 47316a 97619->97627 97625 4731a4 97620->97625 97626 4b2e7c 97620->97626 97621 4731d0 DefWindowProcW 97621->97627 97664 4718e2 10 API calls 97622->97664 97628 47321d SetTimer RegisterWindowMessageW 97623->97628 97629 4731f8 97623->97629 97631 4b2e68 97625->97631 97632 4731ae 97625->97632 97669 4dbf30 34 API calls ___scrt_fastfail 97626->97669 97628->97627 97633 473246 CreatePopupMenu 97628->97633 97635 473201 KillTimer 97629->97635 97636 4b2d9c 97629->97636 97630 4b2e1c 97665 48e499 42 API calls 97630->97665 97668 4dc161 27 API calls ___scrt_fastfail 97631->97668 97639 4b2e4d 97632->97639 97640 4731b9 97632->97640 97633->97627 97660 4730f2 Shell_NotifyIconW ___scrt_fastfail 97635->97660 97642 4b2da1 97636->97642 97643 4b2dd7 MoveWindow 97636->97643 97639->97621 97667 4d0ad7 22 API calls 97639->97667 97647 4731c4 97640->97647 97648 473253 97640->97648 97641 4b2e8e 97641->97621 97641->97627 97649 4b2da7 97642->97649 97650 4b2dc6 SetFocus 97642->97650 97643->97627 97645 473214 97661 473c50 DeleteObject DestroyWindow 97645->97661 97646 473263 97646->97627 97647->97621 97666 4730f2 Shell_NotifyIconW ___scrt_fastfail 97647->97666 97662 47326f 44 API calls ___scrt_fastfail 97648->97662 97649->97647 97653 4b2db0 97649->97653 97650->97627 97663 4718e2 10 API calls 97653->97663 97655->97621 97658 4b2e41 97659 473837 49 API calls 97658->97659 97659->97655 97660->97645 97661->97627 97662->97646 97663->97627 97664->97630 97665->97647 97666->97658 97667->97655 97668->97646 97669->97641 97670 4903fb 97671 490407 ___BuildCatchObject 97670->97671 97699 48feb1 97671->97699 97673 49040e 97674 490561 97673->97674 97677 490438 97673->97677 97726 49083f IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter 
UnhandledExceptionFilter ___scrt_fastfail 97674->97726 97676 490568 97727 494e52 28 API calls _abort 97676->97727 97688 490477 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 97677->97688 97710 4a247d 97677->97710 97679 49056e 97728 494e04 28 API calls _abort 97679->97728 97683 490576 97684 490457 97686 4904d8 97718 490959 97686->97718 97688->97686 97722 494e1a 38 API calls 2 library calls 97688->97722 97690 4904de 97691 4904f3 97690->97691 97723 490992 GetModuleHandleW 97691->97723 97693 4904fa 97693->97676 97694 4904fe 97693->97694 97695 490507 97694->97695 97724 494df5 28 API calls _abort 97694->97724 97725 490040 13 API calls 2 library calls 97695->97725 97698 49050f 97698->97684 97700 48feba 97699->97700 97729 490698 IsProcessorFeaturePresent 97700->97729 97702 48fec6 97730 492c94 10 API calls 3 library calls 97702->97730 97704 48fecb 97709 48fecf 97704->97709 97731 4a2317 97704->97731 97707 48fee6 97707->97673 97709->97673 97711 4a2494 97710->97711 97712 490a8c CatchGuardHandler 5 API calls 97711->97712 97713 490451 97712->97713 97713->97684 97714 4a2421 97713->97714 97717 4a2450 97714->97717 97715 490a8c CatchGuardHandler 5 API calls 97716 4a2479 97715->97716 97716->97688 97717->97715 97782 492340 97718->97782 97720 49096c GetStartupInfoW 97721 49097f 97720->97721 97721->97690 97722->97686 97723->97693 97724->97695 97725->97698 97726->97676 97727->97679 97728->97683 97729->97702 97730->97704 97735 4ad1f6 97731->97735 97734 492cbd 8 API calls 3 library calls 97734->97709 97736 4ad213 97735->97736 97739 4ad20f 97735->97739 97736->97739 97741 4a4bfb 97736->97741 97738 48fed8 97738->97707 97738->97734 97753 490a8c 97739->97753 97742 4a4c07 ___BuildCatchObject 97741->97742 97760 4a2f5e EnterCriticalSection 97742->97760 97744 4a4c0e 97761 4a50af 97744->97761 97746 4a4c1d 97747 4a4c2c 97746->97747 97774 4a4a8f 29 API calls 97746->97774 97776 4a4c48 LeaveCriticalSection _abort 97747->97776 97750 4a4c27 97775 4a4b45 GetStdHandle GetFileType 
97750->97775 97751 4a4c3d __wsopen_s 97751->97736 97754 490a95 97753->97754 97755 490a97 IsProcessorFeaturePresent 97753->97755 97754->97738 97757 490c5d 97755->97757 97781 490c21 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 97757->97781 97759 490d40 97759->97738 97760->97744 97762 4a50bb ___BuildCatchObject 97761->97762 97763 4a50c8 97762->97763 97764 4a50df 97762->97764 97778 49f2d9 20 API calls __dosmaperr 97763->97778 97777 4a2f5e EnterCriticalSection 97764->97777 97767 4a50cd 97779 4a27ec 26 API calls pre_c_initialization 97767->97779 97769 4a50d7 __wsopen_s 97769->97746 97770 4a5117 97780 4a513e LeaveCriticalSection _abort 97770->97780 97772 4a50eb 97772->97770 97773 4a5000 __wsopen_s 21 API calls 97772->97773 97773->97772 97774->97750 97775->97747 97776->97751 97777->97772 97778->97767 97779->97769 97780->97769 97781->97759 97783 492357 97782->97783 97783->97720 97783->97783 97784 471033 97789 474c91 97784->97789 97788 471042 97790 47a961 22 API calls 97789->97790 97791 474cff 97790->97791 97797 473af0 97791->97797 97794 474d9c 97795 471038 97794->97795 97800 4751f7 22 API calls __fread_nolock 97794->97800 97796 4900a3 29 API calls __onexit 97795->97796 97796->97788 97801 473b1c 97797->97801 97800->97794 97802 473b0f 97801->97802 97803 473b29 97801->97803 97802->97794 97803->97802 97804 473b30 RegOpenKeyExW 97803->97804 97804->97802 97805 473b4a RegQueryValueExW 97804->97805 97806 473b80 RegCloseKey 97805->97806 97807 473b6b 97805->97807 97806->97802 97807->97806 97808 47f7bf 97809 47fcb6 97808->97809 97810 47f7d3 97808->97810 97845 47aceb 23 API calls messages 97809->97845 97812 47fcc2 97810->97812 97813 48fddb 22 API calls 97810->97813 97846 47aceb 23 API calls messages 97812->97846 97815 47f7e5 97813->97815 97815->97812 97816 47fd3d 97815->97816 97817 47f83e 97815->97817 97847 4e1155 22 API calls 97816->97847 97819 481310 207 API calls 97817->97819 97842 47ed9d messages 97817->97842 97840 47ec76 messages 
97819->97840 97821 47fef7 97821->97842 97849 47a8c7 22 API calls __fread_nolock 97821->97849 97823 4c4b0b 97851 4e359c 82 API calls __wsopen_s 97823->97851 97824 4c4600 97824->97842 97848 47a8c7 22 API calls __fread_nolock 97824->97848 97829 47a8c7 22 API calls 97829->97840 97831 490242 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 97831->97840 97832 47fbe3 97835 4c4bdc 97832->97835 97841 47f3ae messages 97832->97841 97832->97842 97833 47a961 22 API calls 97833->97840 97834 4900a3 29 API calls pre_c_initialization 97834->97840 97852 4e359c 82 API calls __wsopen_s 97835->97852 97837 4901f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 97837->97840 97838 4c4beb 97853 4e359c 82 API calls __wsopen_s 97838->97853 97839 48fddb 22 API calls 97839->97840 97840->97821 97840->97823 97840->97824 97840->97829 97840->97831 97840->97832 97840->97833 97840->97834 97840->97837 97840->97838 97840->97839 97840->97841 97840->97842 97843 4801e0 207 API calls 2 library calls 97840->97843 97844 4806a0 41 API calls messages 97840->97844 97841->97842 97850 4e359c 82 API calls __wsopen_s 97841->97850 97843->97840 97844->97840 97845->97812 97846->97816 97847->97842 97848->97842 97849->97842 97850->97842 97851->97842 97852->97838 97853->97842 97854 47105b 97859 47344d 97854->97859 97856 47106a 97890 4900a3 29 API calls __onexit 97856->97890 97858 471074 97860 47345d __wsopen_s 97859->97860 97861 47a961 22 API calls 97860->97861 97862 473513 97861->97862 97863 473a5a 24 API calls 97862->97863 97864 47351c 97863->97864 97891 473357 97864->97891 97867 4733c6 22 API calls 97868 473535 97867->97868 97869 47515f 22 API calls 97868->97869 97870 473544 97869->97870 97871 47a961 22 API calls 97870->97871 97872 47354d 97871->97872 97873 47a6c3 22 API calls 97872->97873 97874 473556 RegOpenKeyExW 97873->97874 97875 4b3176 RegQueryValueExW 97874->97875 97879 473578 97874->97879 97876 4b320c RegCloseKey 
97875->97876 97877 4b3193 97875->97877 97876->97879 97889 4b321e _wcslen 97876->97889 97878 48fe0b 22 API calls 97877->97878 97880 4b31ac 97878->97880 97879->97856 97881 475722 22 API calls 97880->97881 97882 4b31b7 RegQueryValueExW 97881->97882 97883 4b31d4 97882->97883 97886 4b31ee messages 97882->97886 97884 476b57 22 API calls 97883->97884 97884->97886 97885 474c6d 22 API calls 97885->97889 97886->97876 97887 479cb3 22 API calls 97887->97889 97888 47515f 22 API calls 97888->97889 97889->97879 97889->97885 97889->97887 97889->97888 97890->97858 97892 4b1f50 __wsopen_s 97891->97892 97893 473364 GetFullPathNameW 97892->97893 97894 473386 97893->97894 97895 476b57 22 API calls 97894->97895 97896 4733a4 97895->97896 97896->97867 97897 471098 97902 4742de 97897->97902 97901 4710a7 97903 47a961 22 API calls 97902->97903 97904 4742f5 GetVersionExW 97903->97904 97905 476b57 22 API calls 97904->97905 97906 474342 97905->97906 97907 4793b2 22 API calls 97906->97907 97916 474378 97906->97916 97908 47436c 97907->97908 97910 4737a0 22 API calls 97908->97910 97909 47441b GetCurrentProcess IsWow64Process 97911 474437 97909->97911 97910->97916 97912 47444f LoadLibraryA 97911->97912 97913 4b3824 GetSystemInfo 97911->97913 97914 474460 GetProcAddress 97912->97914 97915 47449c GetSystemInfo 97912->97915 97914->97915 97918 474470 GetNativeSystemInfo 97914->97918 97919 474476 97915->97919 97916->97909 97917 4b37df 97916->97917 97918->97919 97920 47109d 97919->97920 97921 47447a FreeLibrary 97919->97921 97922 4900a3 29 API calls __onexit 97920->97922 97921->97920 97922->97901

Control-flow Graph (rendered graph for function 4742de omitted; legend: Executed / Not Executed)
                                                                          APIs
                                                                          • GetVersionExW.KERNEL32(?), ref: 0047430D
                                                                            • Part of subcall function 00476B57: _wcslen.LIBCMT ref: 00476B6A
                                                                          • GetCurrentProcess.KERNEL32(?,0050CB64,00000000,?,?), ref: 00474422
                                                                          • IsWow64Process.KERNEL32(00000000,?,?), ref: 00474429
                                                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00474454
                                                                          • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00474466
                                                                          • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00474474
                                                                          • FreeLibrary.KERNEL32(00000000,?,?), ref: 0047447B
                                                                          • GetSystemInfo.KERNEL32(?,?,?), ref: 004744A0
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                                                                          • String ID: GetNativeSystemInfo$kernel32.dll$|O
                                                                          • API String ID: 3290436268-3101561225
                                                                          • Opcode ID: 55bdf3649aeb081969440312967415890fdb609830571027d165c216cccf0809
                                                                          • Instruction ID: 38b5b0cebb8407a52276bbb0c40cc39daf9ac26fbec1ada124f2d84ec574bbb8
                                                                          • Opcode Fuzzy Hash: 55bdf3649aeb081969440312967415890fdb609830571027d165c216cccf0809
                                                                          • Instruction Fuzzy Hash: 48A1D87A909AD0DFC711CF697C441E57FA46B77348B148C9AD04593B22E328458DFB2E

                                                                          Control-flow Graph

                                                                          control_flow_graph (interactive layout data omitted): function starting at 004742A2, basic blocks 004742A2-004B3612. Call sites: CreateStreamOnHGlobal (004742A2 block), FindResourceExW (004742BC block), LoadResource (004B35BA block), SizeofResource (004B35CF block), LockResource (004B35E3 block); the failure edge of every resource call leads back to the 004742D9 exit block.
                                                                          APIs
                                                                          • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,004750AA,?,?,00000000,00000000), ref: 004742B2
                                                                          • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,004750AA,?,?,00000000,00000000), ref: 004742C9
                                                                          • LoadResource.KERNEL32(?,00000000,?,?,004750AA,?,?,00000000,00000000,?,?,?,?,?,?,00474F20), ref: 004B35BE
                                                                          • SizeofResource.KERNEL32(?,00000000,?,?,004750AA,?,?,00000000,00000000,?,?,?,?,?,?,00474F20), ref: 004B35D3
                                                                          • LockResource.KERNEL32(004750AA,?,?,004750AA,?,?,00000000,00000000,?,?,?,?,?,?,00474F20,?), ref: 004B35E6
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                          • String ID: SCRIPT
                                                                          • API String ID: 3051347437-3967369404
                                                                          • Opcode ID: 02cbea129d40cec1840ce67efd5e54ec23ee4debfddf26cd7a74e251ebb535d0
                                                                          • Instruction ID: a50310e41109989142ec7f141a36499ea878d2efb338b89f3a51eda675e10915
                                                                          • Opcode Fuzzy Hash: 02cbea129d40cec1840ce67efd5e54ec23ee4debfddf26cd7a74e251ebb535d0
                                                                          • Instruction Fuzzy Hash: 2B117C74200701BFD7218B65DC48F6B7FB9EBD6B91F2082AAF40696690DB71D8149A20
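The FindResourceExW(hModule, 0xA, "SCRIPT", 0) -> LoadResource -> SizeofResource -> LockResource sequence in the function above is how a compiled AutoIt executable loads its embedded script: an RT_RCDATA (type 10) resource named SCRIPT. The Python below is an added triage example, not code from the Joe Sandbox report or from the sample; it walks the PE resource directory offline, so the script can be pulled out for decompilation without running the file. extract_script_from_pe, find_resource, build_sample_rsrc (a constructed fixture), SAMPLE_PAYLOAD and looks_like_autoit_script are this example's own names, and the "EA06" check is a heuristic assumption (the marker that follows the 16-byte AutoIt script header), not something the report states.

```python
"""Extract the RT_RCDATA "SCRIPT" resource from a PE with no third-party
dependencies, mirroring FindResourceExW/LoadResource/SizeofResource/LockResource.
Added example; the fixture at the bottom is constructed, not taken from the sample."""
import struct
import sys

RT_RCDATA = 10                      # the 0000000A type id passed to FindResourceExW
IMAGE_DIRECTORY_ENTRY_RESOURCE = 2  # index into the optional header DataDirectory
AUTOIT_MARKER = b"EA06"             # heuristic assumption: follows the 16-byte AutoIt header


def _u16(buf, off):
    return struct.unpack_from("<H", buf, off)[0]


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def _dir_entries(rsrc, dir_off):
    """Yield (id_or_name, target_offset, is_subdirectory) for one
    IMAGE_RESOURCE_DIRECTORY located at dir_off inside the resource data."""
    count = _u16(rsrc, dir_off + 12) + _u16(rsrc, dir_off + 14)   # named + id entries
    for i in range(count):
        name_field, data_field = struct.unpack_from("<II", rsrc, dir_off + 16 + 8 * i)
        if name_field & 0x80000000:                  # high bit set: IMAGE_RESOURCE_DIR_STRING_U
            str_off = name_field & 0x7FFFFFFF
            length = _u16(rsrc, str_off)             # length in UTF-16 code units
            key = rsrc[str_off + 2:str_off + 2 + 2 * length].decode("utf-16-le").upper()
        else:
            key = name_field                         # integer id (resource type or language)
        yield key, data_field & 0x7FFFFFFF, bool(data_field & 0x80000000)


def find_resource(rsrc, rsrc_rva, type_id, name):
    """Walk type -> name -> language like FindResourceExW with wLanguage=0
    (first language wins); return the raw resource bytes or None."""
    name = name.upper()
    for key, off, is_dir in _dir_entries(rsrc, 0):
        if key != type_id or not is_dir:
            continue
        for key2, off2, is_dir2 in _dir_entries(rsrc, off):
            if key2 != name or not is_dir2:
                continue
            for _lang, off3, is_dir3 in _dir_entries(rsrc, off2):
                if is_dir3:
                    continue
                data_rva, size = struct.unpack_from("<II", rsrc, off3)  # IMAGE_RESOURCE_DATA_ENTRY
                start = data_rva - rsrc_rva                               # RVA -> offset in rsrc
                return bytes(rsrc[start:start + size])
    return None


def extract_script_from_pe(pe):
    """Locate the resource directory through the section table and fetch SCRIPT."""
    e_lfanew = _u32(pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsections = _u16(pe, e_lfanew + 6)
    opt_size = _u16(pe, e_lfanew + 20)
    opt = e_lfanew + 24
    dd = opt + (96 if _u16(pe, opt) == 0x10B else 112)   # DataDirectory: PE32 vs PE32+
    rsrc_rva = _u32(pe, dd + 8 * IMAGE_DIRECTORY_ENTRY_RESOURCE)
    for i in range(nsections):
        s = opt + opt_size + 40 * i                        # IMAGE_SECTION_HEADER
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, s + 8)
        if va <= rsrc_rva < va + max(vsize, raw_size):
            start = raw_ptr + (rsrc_rva - va)
            return find_resource(pe[start:raw_ptr + raw_size], rsrc_rva, RT_RCDATA, "SCRIPT")
    return None


def looks_like_autoit_script(blob):
    """Heuristic: 16-byte header then the ASCII marker EA06 (assumption of this example)."""
    return blob is not None and len(blob) > 20 and blob[16:20] == AUTOIT_MARKER


# Constructed fixture: a minimal resource section, root(type 10) -> "SCRIPT" -> lang 0x409 -> data.
SAMPLE_RSRC_RVA = 0x10000
SAMPLE_PAYLOAD = bytes(range(16)) + AUTOIT_MARKER + b"\x00" * 8 + b"constructed script body"


def build_sample_rsrc():
    root = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1) + struct.pack("<II", RT_RCDATA, 0x80000000 | 24)
    typ = struct.pack("<IIHHHH", 0, 0, 0, 0, 1, 0) + struct.pack("<II", 0x80000000 | 88, 0x80000000 | 48)
    nm = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1) + struct.pack("<II", 0x409, 72)
    data_entry = struct.pack("<IIII", SAMPLE_RSRC_RVA + 104, len(SAMPLE_PAYLOAD), 0, 0)
    name_str = struct.pack("<H", 6) + "SCRIPT".encode("utf-16-le") + b"\0\0"   # offsets 88..104
    rsrc = root + typ + nm + data_entry + name_str
    assert len(rsrc) == 104
    return rsrc + SAMPLE_PAYLOAD


if __name__ == "__main__":
    if len(sys.argv) > 1:                     # real file: python extract.py sample.exe
        blob = extract_script_from_pe(open(sys.argv[1], "rb").read())
    else:                                     # no argument: run against the constructed fixture
        blob = find_resource(build_sample_rsrc(), SAMPLE_RSRC_RVA, RT_RCDATA, "SCRIPT")
    print("SCRIPT resource:", 0 if blob is None else len(blob), "bytes;",
          "AutoIt marker:", looks_like_autoit_script(blob))
```

Run it with the sample path as the only argument and feed the written-out bytes to an AutoIt decompiler; the marker check is only a sanity check, since a packer may store the script encrypted or under a different resource name, in which case the API sequence in the listing is still the place to break on.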

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00472B6B
                                                                            • Part of subcall function 00473A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00541418,?,00472E7F,?,?,?,00000000), ref: 00473A78
                                                                            • Part of subcall function 00479CB3: _wcslen.LIBCMT ref: 00479CBD
                                                                          • GetForegroundWindow.USER32(runas,?,?,?,?,?,00532224), ref: 004B2C10
                                                                          • ShellExecuteW.SHELL32(00000000,?,?,00532224), ref: 004B2C17
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
                                                                          • String ID: runas
                                                                          • API String ID: 448630720-4000483414
                                                                          • Opcode ID: 52df4842e26f1f0dd0bb70e7015369942d1d7fba807b3a983100b83df91af488
                                                                          • Instruction ID: eeb95db0f1dd67f40fc99da9236fee8e1832e8eb9313fa4633815ff096e45738
                                                                          • Opcode Fuzzy Hash: 52df4842e26f1f0dd0bb70e7015369942d1d7fba807b3a983100b83df91af488
                                                                          • Instruction Fuzzy Hash: C311E7311083015ACB14FF21D9529EE7BA4ABA1749F04941FF04A120A2DF78994EE71A
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: BuffCharUpper
                                                                          • String ID: p#T
                                                                          • API String ID: 3964851224-2032096206
                                                                          • Opcode ID: e5f24518952fddb7d3fc92c5c39d893be5bfda9db3534d7c51ccdc93c269735b
                                                                          • Instruction ID: d853d8f2dcdc096f18d4d945bfe70766b5d48d7e8db380b734550809178ac77f
                                                                          • Opcode Fuzzy Hash: e5f24518952fddb7d3fc92c5c39d893be5bfda9db3534d7c51ccdc93c269735b
                                                                          • Instruction Fuzzy Hash: BDA26CB4608301DFC764DF15C480B6AB7E1BF89304F14896EE99A8B352D739EC45CB9A
                                                                          APIs
                                                                          • GetInputState.USER32 ref: 0047D807
                                                                          • timeGetTime.WINMM ref: 0047DA07
                                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0047DB28
                                                                          • TranslateMessage.USER32(?), ref: 0047DB7B
                                                                          • DispatchMessageW.USER32(?), ref: 0047DB89
                                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0047DB9F
                                                                          • Sleep.KERNEL32(0000000A), ref: 0047DBB1
                                                                          Similarity
                                                                          • API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
                                                                          • String ID:
                                                                          • API String ID: 2189390790-0
                                                                          • Opcode ID: 0f43a3a5d708df1f5a3a5368b2efc2e4c8d0d286d3fb52bb9ca33b8d5d531e03
                                                                          • Instruction ID: 744cf91ebe24e79c07cd4b57f8b3efb02f1cf26429e75ddf81fba28d3e511fb6
                                                                          • Opcode Fuzzy Hash: 0f43a3a5d708df1f5a3a5368b2efc2e4c8d0d286d3fb52bb9ca33b8d5d531e03
                                                                          • Instruction Fuzzy Hash: 5C42F174A14241DFD728DF25C844FAAB7B0BF86304F14861FE55A87391D7B8E848CB9A

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetSysColorBrush.USER32(0000000F), ref: 00472D07
                                                                          • RegisterClassExW.USER32(00000030), ref: 00472D31
                                                                          • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00472D42
                                                                          • InitCommonControlsEx.COMCTL32(?), ref: 00472D5F
                                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00472D6F
                                                                          • LoadIconW.USER32(000000A9), ref: 00472D85
                                                                          • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00472D94
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                          • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                          • API String ID: 2914291525-1005189915
                                                                          • Opcode ID: e5a23d52a9909f217c006a5889e8ef64541eab2d8a1a3e95c1ab570c3c504774
                                                                          • Instruction ID: 0ae31cf32d430b6534a6b4b15b9aa6f64e89f969c83dc18db0b182cfbad113d9
                                                                          • Opcode Fuzzy Hash: e5a23d52a9909f217c006a5889e8ef64541eab2d8a1a3e95c1ab570c3c504774
                                                                          • Instruction Fuzzy Hash: 9621F4B5901308AFDB00DFA4EC49BDDBFB4FB1A704F00821AF511A62A0D7B10588EF94

                                                                          Control-flow Graph

                                                                          control_flow_graph (interactive layout data omitted): function starting at 004B065B, basic blocks 004B065B-004B0983. Call sites: GetFileType (004B0781 block), GetLastError (004B0756, 004B078C and 004B0931 blocks), CloseHandle (004B078C and 004B08FC blocks); CreateFileW is reached through the subcall at 004B039A, and each GetLastError block feeds __dosmaperr (004 9F2A3) before the error exit.
                                                                          APIs
                                                                            • Part of subcall function 004B039A: CreateFileW.KERNELBASE(00000000,00000000,?,004B0704,?,?,00000000,?,004B0704,00000000,0000000C), ref: 004B03B7
                                                                          • GetLastError.KERNEL32 ref: 004B076F
                                                                          • __dosmaperr.LIBCMT ref: 004B0776
                                                                          • GetFileType.KERNELBASE(00000000), ref: 004B0782
                                                                          • GetLastError.KERNEL32 ref: 004B078C
                                                                          • __dosmaperr.LIBCMT ref: 004B0795
                                                                          • CloseHandle.KERNEL32(00000000), ref: 004B07B5
                                                                          • CloseHandle.KERNEL32(?), ref: 004B08FF
                                                                          • GetLastError.KERNEL32 ref: 004B0931
                                                                          • __dosmaperr.LIBCMT ref: 004B0938
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                          • String ID: H
                                                                          • API String ID: 4237864984-2852464175
                                                                          • Opcode ID: cb18f9704d0e1996127e410f90c157245a7c281c3dad1820270281190945ab6b
                                                                          • Instruction ID: 5f4efc576b4c9747fe8e6d91a40abb87a0b57ef741c15577bbad3ba7bf4656cd
                                                                          • Opcode Fuzzy Hash: cb18f9704d0e1996127e410f90c157245a7c281c3dad1820270281190945ab6b
                                                                          • Instruction Fuzzy Hash: BDA14732A101048FDF19AF68D851BEF7BA0AB16324F24019EF811DB3D1CB398916DBA5

                                                                          Control-flow Graph

                                                                          APIs
                                                                            • Part of subcall function 00473A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00541418,?,00472E7F,?,?,?,00000000), ref: 00473A78
                                                                            • Part of subcall function 00473357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00473379
                                                                          • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0047356A
                                                                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 004B318D
                                                                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 004B31CE
                                                                          • RegCloseKey.ADVAPI32(?), ref: 004B3210
                                                                          • _wcslen.LIBCMT ref: 004B3277
                                                                          • _wcslen.LIBCMT ref: 004B3286
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                                                                          • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                                          • API String ID: 98802146-2727554177
                                                                          • Opcode ID: 6e4c32f96c5dd24a5c48ad88ad919d319252bcc0bee3fd6f7b9937eea58f5d9d
                                                                          • Instruction ID: 316e534060527b257b8257e1c62cb5e65253fc33d60a2de24d3f59d340697fdb
                                                                          • Opcode Fuzzy Hash: 6e4c32f96c5dd24a5c48ad88ad919d319252bcc0bee3fd6f7b9937eea58f5d9d
                                                                          • Instruction Fuzzy Hash: B67170714043109EC314EF66DC468EBBBF8FF96748F80492EF549931A0DB389A48DB66

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetSysColorBrush.USER32(0000000F), ref: 00472B8E
                                                                          • LoadCursorW.USER32(00000000,00007F00), ref: 00472B9D
                                                                          • LoadIconW.USER32(00000063), ref: 00472BB3
                                                                          • LoadIconW.USER32(000000A4), ref: 00472BC5
                                                                          • LoadIconW.USER32(000000A2), ref: 00472BD7
                                                                          • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00472BEF
                                                                          • RegisterClassExW.USER32(?), ref: 00472C40
                                                                            • Part of subcall function 00472CD4: GetSysColorBrush.USER32(0000000F), ref: 00472D07
                                                                            • Part of subcall function 00472CD4: RegisterClassExW.USER32(00000030), ref: 00472D31
                                                                            • Part of subcall function 00472CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00472D42
                                                                            • Part of subcall function 00472CD4: InitCommonControlsEx.COMCTL32(?), ref: 00472D5F
                                                                            • Part of subcall function 00472CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00472D6F
                                                                            • Part of subcall function 00472CD4: LoadIconW.USER32(000000A9), ref: 00472D85
                                                                            • Part of subcall function 00472CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00472D94
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                          • String ID: #$0$AutoIt v3
                                                                          • API String ID: 423443420-4155596026
                                                                          • Opcode ID: ebd82b6ad2e29d6d53acfab9cdb26f2ed32a34065142ecb78494fcb87d1eddd8
                                                                          • Instruction ID: f4b4ccd97fe59358d1e0b2bf1fb23e0834038d8a448a54b33ac119d0bdf1e65b
                                                                          • Opcode Fuzzy Hash: ebd82b6ad2e29d6d53acfab9cdb26f2ed32a34065142ecb78494fcb87d1eddd8
                                                                          • Instruction Fuzzy Hash: A0215E78E40714AFDB109FA5EC45BDD7FB4FB1AB54F00491AF500A66A0D3B10588EF98
                                                                          APIs
                                                                          • __Init_thread_footer.LIBCMT ref: 0047BB4E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Init_thread_footer
                                                                          • String ID: p#T$p#T$p#T$p#T$p%T$p%T$x#T$x#T
                                                                          • API String ID: 1385522511-3627864947
                                                                          • Opcode ID: 59a2c502f4f9f127d5668c76fde4f3764df9e12aa73ffce9c7fea5667d26fcd2
                                                                          • Instruction ID: 63780ac5bfc5a33bafd4eaf62c33feb128d5272e5ad74aea98e6119b5aaf307f
                                                                          • Opcode Fuzzy Hash: 59a2c502f4f9f127d5668c76fde4f3764df9e12aa73ffce9c7fea5667d26fcd2
                                                                          • Instruction Fuzzy Hash: E3329C74A00219DFDB14DF54C894BFAB7B5EF44304F14805AE919AB361C778AD42CB9A

                                                                          Control-flow Graph
                                                                          • Graph image not rendered; from the graph data: function at 473170, basic blocks 473170-4b2e96, calling DefWindowProcW, KillTimer, SetTimer, RegisterWindowMessageW, CreatePopupMenu, PostQuitMessage, MoveWindow, SetFocus and subroutines 4718e2, 48e499, 4dbf30, 4dc161, 4730f2, 473c50, 4d0ad7, 473837, 47326f
                                                                          APIs
                                                                          • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0047316A,?,?), ref: 004731D8
                                                                          • KillTimer.USER32(?,00000001,?,?,?,?,?,0047316A,?,?), ref: 00473204
                                                                          • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00473227
                                                                          • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0047316A,?,?), ref: 00473232
                                                                          • CreatePopupMenu.USER32 ref: 00473246
                                                                          • PostQuitMessage.USER32(00000000), ref: 00473267
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                          • String ID: TaskbarCreated
                                                                          • API String ID: 129472671-2362178303
                                                                          • Opcode ID: a9da451a8f321f4b807950e980fd99630845a03f7ee5ec36e10b2d9b94ff589d
                                                                          • Instruction ID: 4aa4644b0e6ef7ec443349bcea01dc1f28db9584bf79f8239d43df9216d3265f
                                                                          • Opcode Fuzzy Hash: a9da451a8f321f4b807950e980fd99630845a03f7ee5ec36e10b2d9b94ff589d
                                                                          • Instruction Fuzzy Hash: DC415A35250204A7DB141F788D09BFE3F59E71634AF14821BF50A863A2CB7C9E85B76E

                                                                          Control-flow Graph
                                                                          • Graph image not rendered; from the graph data: function at e29d18, basic blocks e29d18-e2a01a, calling CreateFileW, VirtualAlloc, ReadFile, VirtualFree, CloseHandle and subroutines e27718, e2ac28, e2ae78, e2ac88
                                                                          APIs
                                                                          • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00E29DE9
                                                                          • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00E2A00F
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2054709991.0000000000E27000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E27000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_e27000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: CreateFileFreeVirtual
                                                                          • String ID:
                                                                          • API String ID: 204039940-0
                                                                          • Opcode ID: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
                                                                          • Instruction ID: fc7518eeb1abd0d850e1e80567773de3bcbe345681b892a15fb629e0da0daf88
                                                                          • Opcode Fuzzy Hash: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
                                                                          • Instruction Fuzzy Hash: 44A13770E00218EBEB54CFA4D995BEEBBB5FF48304F20A159E515BB281D7759A80CF50

                                                                          Control-flow Graph
                                                                          • Graph image not rendered; from the graph data: single basic block 472c63-472cd3, calling CreateWindowExW (2 times) and ShowWindow (2 times)
                                                                          APIs
                                                                          • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00472C91
                                                                          • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00472CB2
                                                                          • ShowWindow.USER32(00000000,?,?,?,?,?,?,00471CAD,?), ref: 00472CC6
                                                                          • ShowWindow.USER32(00000000,?,?,?,?,?,?,00471CAD,?), ref: 00472CCF
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Window$CreateShow
                                                                          • String ID: AutoIt v3$edit
                                                                          • API String ID: 1584632944-3779509399
                                                                          • Opcode ID: 9b0851c21ca9c3df0ff536c5fd11a22d7c09a877fec3cdcf471e8a56e7f0d31c
                                                                          • Instruction ID: 8773c2434deec4e2d8e2920224a7c62925568af535555c43489ba57847c0bae5
                                                                          • Opcode Fuzzy Hash: 9b0851c21ca9c3df0ff536c5fd11a22d7c09a877fec3cdcf471e8a56e7f0d31c
                                                                          • Instruction Fuzzy Hash: E6F0F4795406907AE7311B176C48EBB3EBDD7D7F54F00045DF900935A0C6711898EAB4

                                                                          Control-flow Graph
                                                                          • Graph image not rendered; from the graph data: function at e29ac8, basic blocks e29ac8-e29cd1, calling CreateFileW, VirtualAlloc, ReadFile, ExitProcess and subroutines e27718, e299b8, e299f8, e289b8, e29a48
                                                                          APIs
                                                                            • Part of subcall function 00E299B8: Sleep.KERNELBASE(000001F4), ref: 00E299C9
                                                                          • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00E29C0B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2054709991.0000000000E27000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E27000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_e27000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: CreateFileSleep
                                                                          • String ID: Z8VAGN67HMRPZQGMIDI0
                                                                          • API String ID: 2694422964-2913798188
                                                                          • Opcode ID: bf976573e63f49229b84d397462e629d387055bb8caac9fbe073314a681ca9d5
                                                                          • Instruction ID: 9a61939ce32ca320f8a77ffb8ff0ed2e255fc0d3fef6d7d65786bd704ecf926d
                                                                          • Opcode Fuzzy Hash: bf976573e63f49229b84d397462e629d387055bb8caac9fbe073314a681ca9d5
                                                                          • Instruction Fuzzy Hash: 4F51B130D04258EAEF11DBA4D845BEEBBB9AF18304F045598E248BB2C1D7BA0B45CB65

                                                                          Control-flow Graph
                                                                          • Graph image not rendered; from the graph data: function at 473b1c, basic blocks 473b1c-473b9b, calling RegOpenKeyExW, RegQueryValueExW, RegCloseKey
                                                                          APIs
                                                                          • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00473B0F,SwapMouseButtons,00000004,?), ref: 00473B40
                                                                          • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00473B0F,SwapMouseButtons,00000004,?), ref: 00473B61
                                                                          • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00473B0F,SwapMouseButtons,00000004,?), ref: 00473B83
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: CloseOpenQueryValue
                                                                          • String ID: Control Panel\Mouse
                                                                          • API String ID: 3677997916-824357125
                                                                          • Opcode ID: ecedaffa49e3c6c12ffb0fa5f9fb382622a685abc106724dfe5cf2e94ab57342
                                                                          • Instruction ID: c4d8cad4f951a302d017bb82a7356b88755919caca2e6ac34dbc803851b55abf
                                                                          • Opcode Fuzzy Hash: ecedaffa49e3c6c12ffb0fa5f9fb382622a685abc106724dfe5cf2e94ab57342
                                                                          • Instruction Fuzzy Hash: 15112AB5510208FFDB208FA5DC48AEFBBBCEF05745B10855AA809D7211D235AE44A7A4

                                                                          Control-flow Graph
                                                                          • Graph image not rendered; from the graph data: function at e289b8, basic blocks e289b8-e2957b, calling CreateProcessW, Wow64GetThreadContext, ReadProcessMemory, Wow64SetThreadContext and subroutines e2ae58 (3 times), e2a4d8, e2a428, e2a618, e2ae78, e2a028, e2a358
                                                                          APIs
                                                                          • CreateProcessW.KERNELBASE(?,00000000), ref: 00E291E5
                                                                          • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00E29209
                                                                          • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00E2922B
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2054709991.0000000000E27000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E27000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_e27000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                          • String ID:
                                                                          • API String ID: 2438371351-0
                                                                          • Opcode ID: e8e7a77c1c38f92167ec50984bffac71589908538948dc0fdf133907e09ee162
                                                                          • Instruction ID: 04ac9d6475380545f8a4f92f9cf93e8374f479ff37d07b164e014562238fe231
                                                                          • Opcode Fuzzy Hash: e8e7a77c1c38f92167ec50984bffac71589908538948dc0fdf133907e09ee162
                                                                          • Instruction Fuzzy Hash: 88620A30A14218DBEB24DBA4D850BDEB376EF58300F10A1A9D11DFB2A1E7759E81CB59

                                                                          Control-flow Graph
                                                                          • Graph image not rendered; from the graph data: function at 473923, basic blocks 473923-4b3409, calling LoadStringW, Shell_NotifyIconW and subroutines 476270, 476b57, 476350, 473fcf, 492340, 473a18, 494983, 47988f, 47a8c7, 4733c6
                                                                          APIs
                                                                          • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 004B33A2
                                                                            • Part of subcall function 00476B57: _wcslen.LIBCMT ref: 00476B6A
                                                                          • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00473A04
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: IconLoadNotifyShell_String_wcslen
                                                                          • String ID: Line:
                                                                          • API String ID: 2289894680-1585850449
                                                                          • Opcode ID: b5b1d54c15c74a37ad2d2b648a4c1a731014110d35d9ed22ea59fee53e5b5bdc
                                                                          • Instruction ID: 93521fb2dfe8a56becd4d0c862ab13062d977b9b7f378bcb3ba2f6d54b69a061
                                                                          • Opcode Fuzzy Hash: b5b1d54c15c74a37ad2d2b648a4c1a731014110d35d9ed22ea59fee53e5b5bdc
                                                                          • Instruction Fuzzy Hash: BD31D2B1408300AAC720EF21DC45BEBB7D8AB91719F00892FF59D93191DB789A49D7DA
                                                                          APIs
                                                                          • GetOpenFileNameW.COMDLG32(?), ref: 004B2C8C
                                                                            • Part of subcall function 00473AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00473A97,?,?,00472E7F,?,?,?,00000000), ref: 00473AC2
                                                                            • Part of subcall function 00472DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00472DC4
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Name$Path$FileFullLongOpen
                                                                          • String ID: X$`eS
                                                                          • API String ID: 779396738-1127096306
                                                                          • Opcode ID: 34d1f5f73ed00eb30f2a2da10eeded6f1fe1e1b6b56baff01c089b49ba4b606c
                                                                          • Instruction ID: 455ed2338e2cbf9c4baf81624ada7b0e2e80ea54c89472a300c5644f5e1237a3
                                                                          • Opcode Fuzzy Hash: 34d1f5f73ed00eb30f2a2da10eeded6f1fe1e1b6b56baff01c089b49ba4b606c
                                                                          • Instruction Fuzzy Hash: 8E219371A00258AFDF11DF95C845BEE7BF8AF49308F00805EE409B7241DBF85A898B65
                                                                          APIs
                                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00490668
                                                                            • Part of subcall function 004932A4: RaiseException.KERNEL32(?,?,?,0049068A,?,00541444,?,?,?,?,?,?,0049068A,00471129,00538738,00471129), ref: 00493304
                                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00490685
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Exception@8Throw$ExceptionRaise
                                                                          • String ID: Unknown exception
                                                                          • API String ID: 3476068407-410509341
                                                                          • Opcode ID: a9823c3177a804231d8281667a7640c5717c0c64afbc149a2ee159502a677044
                                                                          • Instruction ID: bf368b729c98a388234baf7db640f32c75e647cb4858a24f694c8339daebe3b7
                                                                          • Opcode Fuzzy Hash: a9823c3177a804231d8281667a7640c5717c0c64afbc149a2ee159502a677044
                                                                          • Instruction Fuzzy Hash: 0AF0F4208002087B8F00BAA5D846C9E7FAC6E00314B604437B924C25D1EF79DA1AC688
                                                                          APIs
                                                                          • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 004F82F5
                                                                          • TerminateProcess.KERNEL32(00000000), ref: 004F82FC
                                                                          • FreeLibrary.KERNEL32(?,?,?,?), ref: 004F84DD
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Process$CurrentFreeLibraryTerminate
                                                                          • String ID:
                                                                          • API String ID: 146820519-0
                                                                          • Opcode ID: 765000d9521462e3a65925d511b2c7778d85fc14f50a57c47c2051ba2b8e0ff3
                                                                          • Instruction ID: d6329747bdf1462b124f15c7ff84b389d174dbcea9951dae7d5658eeb7689630
                                                                          • Opcode Fuzzy Hash: 765000d9521462e3a65925d511b2c7778d85fc14f50a57c47c2051ba2b8e0ff3
                                                                          • Instruction Fuzzy Hash: 24128D719083059FC714DF28C484B6ABBE1BF85318F04895EE9898B392DB39ED45CF96
                                                                          APIs
                                                                            • Part of subcall function 00471BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00471BF4
                                                                            • Part of subcall function 00471BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00471BFC
                                                                            • Part of subcall function 00471BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00471C07
                                                                            • Part of subcall function 00471BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00471C12
                                                                            • Part of subcall function 00471BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00471C1A
                                                                            • Part of subcall function 00471BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00471C22
                                                                            • Part of subcall function 00471B4A: RegisterWindowMessageW.USER32(00000004,?,004712C4), ref: 00471BA2
                                                                          • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0047136A
                                                                          • OleInitialize.OLE32 ref: 00471388
                                                                          • CloseHandle.KERNEL32(00000000,00000000), ref: 004B24AB
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                                          • String ID:
                                                                          • API String ID: 1986988660-0
                                                                          • Opcode ID: 0960bbb9d9a0891153ef0367500a8fd97e161ce67e25e98a9ddbcba9f52511cf
                                                                          • Instruction ID: aef96b8be3a904249a29a839edc00e66748b0a34c97371ee012be330b7b45be4
                                                                          • Opcode Fuzzy Hash: 0960bbb9d9a0891153ef0367500a8fd97e161ce67e25e98a9ddbcba9f52511cf
                                                                          • Instruction Fuzzy Hash: 3C71ACBC911A048EC784DF7AE9456D93EE0FBAA34C714862ED51AC7261EB3444C8EF4C
                                                                          APIs
                                                                          • CloseHandle.KERNELBASE(00000000,00000000,?,?,004A85CC,?,00538CC8,0000000C), ref: 004A8704
                                                                          • GetLastError.KERNEL32(?,004A85CC,?,00538CC8,0000000C), ref: 004A870E
                                                                          • __dosmaperr.LIBCMT ref: 004A8739
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: CloseErrorHandleLast__dosmaperr
                                                                          • String ID:
                                                                          • API String ID: 2583163307-0
                                                                          • Opcode ID: b30ec3d4449974dc85af4beb7790e9c00cba919a7e0c8d418a6f19d9373bd20d
                                                                          • Instruction ID: 0de42b230528bc897c8caa8f6485e0c15860d8ddc551bb390bbe9aebe1f52711
                                                                          • Opcode Fuzzy Hash: b30ec3d4449974dc85af4beb7790e9c00cba919a7e0c8d418a6f19d9373bd20d
                                                                          • Instruction Fuzzy Hash: D2014C3260552026E62063346945B6F2B55CBB3778F38011FEC048B2D2DD6C8C858298
                                                                          APIs
                                                                          • __Init_thread_footer.LIBCMT ref: 004817F6
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Init_thread_footer
                                                                          • String ID: CALL
                                                                          • API String ID: 1385522511-4196123274
                                                                          • Opcode ID: 3b46d98fb30919659d324a60467ef00b9fd43a2aea0a39fc70a17862ab1ce725
                                                                          • Instruction ID: 7f408fe518a088465f19c082a07e2492b55b028f737932f80d76138b38d14094
                                                                          • Opcode Fuzzy Hash: 3b46d98fb30919659d324a60467ef00b9fd43a2aea0a39fc70a17862ab1ce725
                                                                          • Instruction Fuzzy Hash: D3228B746082419FC714EF15C480B2EBBE5BF85318F24896FF4968B3A1D739E846CB4A
                                                                          APIs
                                                                          • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00473908
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: IconNotifyShell_
                                                                          • String ID:
                                                                          • API String ID: 1144537725-0
                                                                          • Opcode ID: 09254f49730e49cfaac9eb50360f5bd4cd0faebafd864cf0989eb8ae5fba13b2
                                                                          • Instruction ID: 3844370b75cd977ed38a2e12e72205bd863066a167b6ede2624c18913448d5d9
                                                                          • Opcode Fuzzy Hash: 09254f49730e49cfaac9eb50360f5bd4cd0faebafd864cf0989eb8ae5fba13b2
                                                                          • Instruction Fuzzy Hash: 7C317CB05047019FD720EF65D8847DBBBE8FB59709F00092FF99983240E775AA48DB5A
                                                                          APIs
                                                                          • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0047949C,?,00008000), ref: 00475773
                                                                          • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,0047949C,?,00008000), ref: 004B4052
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: CreateFile
                                                                          • String ID:
                                                                          • API String ID: 823142352-0
                                                                          • Opcode ID: 72c6098fef5e15d91b2e3b560267f1a134c5a16a78139182fb1d820de29f9953
                                                                          • Instruction ID: 322c28218c7613e9f7fcd83c2947442741ae765eab63d4d427e2957665748f3a
                                                                          • Opcode Fuzzy Hash: 72c6098fef5e15d91b2e3b560267f1a134c5a16a78139182fb1d820de29f9953
                                                                          • Instruction Fuzzy Hash: 95016D30245625B6E3341A2A8C0EFD77E98EF027B0F10C301BA9C5E1E186B85855CB94
                                                                          APIs
                                                                          • CreateProcessW.KERNELBASE(?,00000000), ref: 00E291E5
                                                                          • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00E29209
                                                                          • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00E2922B
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2054709991.0000000000E27000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E27000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_e27000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                          • String ID:
                                                                          • API String ID: 2438371351-0
                                                                          • Opcode ID: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
                                                                          • Instruction ID: 8ad97966231da82cd60303f0b107c15a53e7e1b9efcc6d68a47ad6bf75dfd194
                                                                          • Opcode Fuzzy Hash: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
                                                                          • Instruction Fuzzy Hash: 4112BE24E14658C6EB24DF64D8507DEB232FF68300F10A0E9910DEB7A5E77A4F81CB5A
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                          • Instruction ID: 775d088872568993a35b7aedb481adb30835668c2fde654434a8a2c7191b7913
                                                                          • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                          • Instruction Fuzzy Hash: F4310474A001099BD718EF59D48096EF7A2FF49300B248AA6E80ACF751D735EEC5CBC5
                                                                          APIs
                                                                            • Part of subcall function 00474E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00474EDD,?,00541418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00474E9C
                                                                            • Part of subcall function 00474E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00474EAE
                                                                            • Part of subcall function 00474E90: FreeLibrary.KERNEL32(00000000,?,?,00474EDD,?,00541418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00474EC0
                                                                          • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00541418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00474EFD
                                                                            • Part of subcall function 00474E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,004B3CDE,?,00541418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00474E62
                                                                            • Part of subcall function 00474E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00474E74
                                                                            • Part of subcall function 00474E59: FreeLibrary.KERNEL32(00000000,?,?,004B3CDE,?,00541418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00474E87
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Library$Load$AddressFreeProc
                                                                          • String ID:
                                                                          • API String ID: 2632591731-0
                                                                          • Opcode ID: 04b06da8217ca6d1328e9d412dc94596df0b4a83ae34620409b2498fec8058e2
                                                                          • Instruction ID: f4c7d4e6508179ee552df5e50f8306b7139444fd4968e1c0c54682431b7844e3
                                                                          • Opcode Fuzzy Hash: 04b06da8217ca6d1328e9d412dc94596df0b4a83ae34620409b2498fec8058e2
                                                                          • Instruction Fuzzy Hash: 9011C432600205AADB14BF62DC06BFD7BA5AF80715F10C42FF546AA1C1DFB89A059758
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: __wsopen_s
                                                                          • String ID:
                                                                          • API String ID: 3347428461-0
                                                                          • Opcode ID: 3dc38b6d1b85d3bcaf0b13cff46fcdd8b3475c173f10b924ed9cd0a0cee63e26
                                                                          • Instruction ID: 4d5f0b0655f84bc795bc4ff65f9c878fef3e749b8c164a5c01941cbeea93d3ca
                                                                          • Opcode Fuzzy Hash: 3dc38b6d1b85d3bcaf0b13cff46fcdd8b3475c173f10b924ed9cd0a0cee63e26
                                                                          • Instruction Fuzzy Hash: AE11487590420AAFCB05DF58E9409DF7BF8EF49304F10405AF808AB312EA30DA11CBA9
                                                                          APIs
                                                                            • Part of subcall function 004A4C7D: RtlAllocateHeap.NTDLL(00000008,00471129,00000000,?,004A2E29,00000001,00000364,?,?,?,0049F2DE,004A3863,00541444,?,0048FDF5,?), ref: 004A4CBE
                                                                          • _free.LIBCMT ref: 004A506C
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: AllocateHeap_free
                                                                          • String ID:
                                                                          • API String ID: 614378929-0
                                                                          • Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
                                                                          • Instruction ID: a73a174df72b15ef75f99d1c4a73296a12c2646623fbf4fed4508cc5213cffd0
                                                                          • Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
                                                                          • Instruction Fuzzy Hash: 92014EB22047045BE3318F55DC41A5BFBECFB9A370F25051EE184932C0E6746805C778
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                                                                          • Instruction ID: 7e7ef289032d3034477982bb430ae84475feedfd1289145c51c7b9bed4e3e3cf
                                                                          • Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                                                                          • Instruction Fuzzy Hash: 93F0DB32511A1096DE317A6B8C05B573B589FB2338F10073FF410962D1DA7C9801859D
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: _wcslen
                                                                          • String ID:
                                                                          • API String ID: 176396367-0
                                                                          • Opcode ID: daa1ec522d7e5d217855691e78f7439a1b365263ee3c5ae7c9657e0e4f3ea7de
                                                                          • Instruction ID: caa38179363c9ce492a7db7412c15722f0a99b71b446eba355620a898623cb24
                                                                          • Opcode Fuzzy Hash: daa1ec522d7e5d217855691e78f7439a1b365263ee3c5ae7c9657e0e4f3ea7de
                                                                          • Instruction Fuzzy Hash: 0BF02DB31006006ED7106F29C806EABBB94EB44760F10853FFA19CB1D1DB35E41487A4
                                                                          APIs
                                                                          • RtlAllocateHeap.NTDLL(00000008,00471129,00000000,?,004A2E29,00000001,00000364,?,?,?,0049F2DE,004A3863,00541444,?,0048FDF5,?), ref: 004A4CBE
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: AllocateHeap
                                                                          • String ID:
                                                                          • API String ID: 1279760036-0
                                                                          • Opcode ID: 5dbddd9d5946a7cb4a47c2369abdc387f50958e1a0dfe5f71616169b030fa874
                                                                          • Instruction ID: 021bcc3de6bb4cac89837e5b53209b31a97328d4138db7665923d8723e099cdb
                                                                          • Opcode Fuzzy Hash: 5dbddd9d5946a7cb4a47c2369abdc387f50958e1a0dfe5f71616169b030fa874
                                                                          • Instruction Fuzzy Hash: 7DF0BB3150612466DF215F629D05F5F3B48AFF3774B164127B81D972C5CAF8D8025698
                                                                          APIs
                                                                          • RtlAllocateHeap.NTDLL(00000000,?,00541444,?,0048FDF5,?,?,0047A976,00000010,00541440,004713FC,?,004713C6,?,00471129), ref: 004A3852
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: AllocateHeap
                                                                          • String ID:
                                                                          • API String ID: 1279760036-0
                                                                          • Opcode ID: 250a27421a3015d611e94bbccb587d53d8698bdb820a068a75651ea2369e34b3
                                                                          • Instruction ID: aa147f2934e9835df6985756c1c37a8926670a836d7fc416079c4cd35c8c7576
                                                                          • Opcode Fuzzy Hash: 250a27421a3015d611e94bbccb587d53d8698bdb820a068a75651ea2369e34b3
                                                                          • Instruction Fuzzy Hash: 25E0A03110122456DA213F679C04B9B3AC8ABA37B6B05013FB804926C0EB1D9D0282AD
                                                                          APIs
                                                                          • FreeLibrary.KERNEL32(?,?,00541418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00474F6D
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: FreeLibrary
                                                                          • String ID:
                                                                          • API String ID: 3664257935-0
                                                                          • Opcode ID: f9ed9391c3f2789858b6326f8112aab9aa6fcb76b351e36a03d245b5c9c39f19
                                                                          • Instruction ID: 5b321b09011458d2c894f32bd146ec2cff63eeedf43130c86fe3f20d42406d24
                                                                          • Opcode Fuzzy Hash: f9ed9391c3f2789858b6326f8112aab9aa6fcb76b351e36a03d245b5c9c39f19
                                                                          • Instruction Fuzzy Hash: 1AF08570005302CFCB349F24D4908A2BBE0AF95329320CA7FE1EE82620C73A9848DB08
                                                                          APIs
                                                                          • WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,?,004BEE51,00533630,00000002), ref: 004DCD26
                                                                            • Part of subcall function 004DCC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,00000000,?,00000000,?,?,?,004DCD19,?,?,?), ref: 004DCC59
                                                                            • Part of subcall function 004DCC37: SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000001,?,004DCD19,?,?,?,?,004BEE51,00533630,00000002), ref: 004DCC6E
                                                                            • Part of subcall function 004DCC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,004DCD19,?,?,?,?,004BEE51,00533630,00000002), ref: 004DCC7A
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: File$Pointer$Write
                                                                          • String ID:
                                                                          • API String ID: 3847668363-0
                                                                          • Opcode ID: 203c38a367c6f8d2d82977a18ae655aea7b7070a4ce03a954a61871013a9ad5f
                                                                          • Instruction ID: 00f662e18de25daf609e08900200bf6689bf525cda43bfdc6b2cfed62070cc11
                                                                          • Opcode Fuzzy Hash: 203c38a367c6f8d2d82977a18ae655aea7b7070a4ce03a954a61871013a9ad5f
                                                                          • Instruction Fuzzy Hash: B5E06576500704EFC7219F46DD4089BBBF9FF85750710852FE955C2110D375AA14DF60
                                                                          APIs
                                                                          • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00472DC4
                                                                            • Part of subcall function 00476B57: _wcslen.LIBCMT ref: 00476B6A
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: LongNamePath_wcslen
                                                                          • String ID:
                                                                          • API String ID: 541455249-0
                                                                          • Opcode ID: 1b55c2f552a9776e02e9aeed03c20d2a304af208028447565b7db53d28e9bb2c
                                                                          • Instruction ID: dd6de412b157095009c753d020d2f305b9ec459d6b3e85664be59330c0383658
                                                                          • Opcode Fuzzy Hash: 1b55c2f552a9776e02e9aeed03c20d2a304af208028447565b7db53d28e9bb2c
                                                                          • Instruction Fuzzy Hash: 31E07D726001241BC71093588C05FEA77DDDFC8390F000176FC09E3208D964AD80C554
                                                                          APIs
                                                                            • Part of subcall function 00473837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00473908
                                                                            • Part of subcall function 0047D730: GetInputState.USER32 ref: 0047D807
                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00472B6B
                                                                            • Part of subcall function 004730F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0047314E
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: IconNotifyShell_$CurrentDirectoryInputState
                                                                          • String ID:
                                                                          • API String ID: 3667716007-0
                                                                          • Opcode ID: 33fb19030588243d1a8193fb740be0189a441f1d2a1bc1c2088d644b4dea50ea
                                                                          • Instruction ID: f197e01f7311b9d5e75dbf50eb98323990d525ffdfd494c39375b89a63942b68
                                                                          • Opcode Fuzzy Hash: 33fb19030588243d1a8193fb740be0189a441f1d2a1bc1c2088d644b4dea50ea
                                                                          • Instruction Fuzzy Hash: E6E0262130024802CA08BF3298124EDAB999BE235EF00953FF04A431A3CF2C4989521A
                                                                          APIs
                                                                          • CreateFileW.KERNELBASE(00000000,00000000,?,004B0704,?,?,00000000,?,004B0704,00000000,0000000C), ref: 004B03B7
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: CreateFile
                                                                          • String ID:
                                                                          • API String ID: 823142352-0
                                                                          • Opcode ID: c4d217e07b97edcacbedda96fdc7d27ee5055422a3e2069502622cf68fb8400c
                                                                          • Instruction ID: 72d26cefe72c14ca3f8bf6fa4f5992220bdd40f2e6100744fc98f2519833f12c
                                                                          • Opcode Fuzzy Hash: c4d217e07b97edcacbedda96fdc7d27ee5055422a3e2069502622cf68fb8400c
                                                                          • Instruction Fuzzy Hash: F5D06C3204010DBBDF028F84DD06EDA3FAAFB48714F014100BE1856020C732E821EB90
                                                                          APIs
                                                                          • SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00471CBC
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: InfoParametersSystem
                                                                          • String ID:
                                                                          • API String ID: 3098949447-0
                                                                          • Opcode ID: 03928b945279cefb274caff0bcd2f64a119bb327a2d9a1a946b33d9997fa2598
                                                                          • Instruction ID: 987a21a7152be67b2f3e5586eee0a9dd361419b61540cddc45a799314fa4ee62
                                                                          • Opcode Fuzzy Hash: 03928b945279cefb274caff0bcd2f64a119bb327a2d9a1a946b33d9997fa2598
                                                                          • Instruction Fuzzy Hash: 17C09B3D2803049FF2144B80BC4BF947754A369F05F444401F609595E3C3A11454FA54
                                                                          APIs
                                                                            • Part of subcall function 00475745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0047949C,?,00008000), ref: 00475773
                                                                          • GetLastError.KERNEL32(00000002,00000000), ref: 004E76DE
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: CreateErrorFileLast
                                                                          • String ID:
                                                                          • API String ID: 1214770103-0
                                                                          • Opcode ID: 7ee0e4c2a3c5a379d62eba637c68567278eef1d1caf695ab92733fb0c76cfe4d
                                                                          • Instruction ID: 283d9d446cea7f7fef4da4ee1fbbd951980c86b509fb51c0d76d17f1350b170c
                                                                          • Opcode Fuzzy Hash: 7ee0e4c2a3c5a379d62eba637c68567278eef1d1caf695ab92733fb0c76cfe4d
                                                                          • Instruction Fuzzy Hash: 5481A5302047419FC714EF25C491AAEB7E1BF85368F04855EF88A5B392DB38ED45CB5A
                                                                          APIs
                                                                          • CloseHandle.KERNELBASE(?,?,00000000,004B24E0), ref: 00476266
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: CloseHandle
                                                                          • String ID:
                                                                          • API String ID: 2962429428-0
                                                                          • Opcode ID: daa446a2759038c2456792f0f7893e5bbcbd1a1760c16736bd56bc9365f41260
                                                                          • Instruction ID: 41d52fd5f9d933920ab213664b456e202e0e660a26d920d110868d4d7a4a80d6
                                                                          • Opcode Fuzzy Hash: daa446a2759038c2456792f0f7893e5bbcbd1a1760c16736bd56bc9365f41260
                                                                          • Instruction Fuzzy Hash: 27E0B675400B01CFC3715F1AE804492FBF6FFE13613218AAFD0E9A2662E3B4588A9F54
                                                                          APIs
                                                                          • Sleep.KERNELBASE(000001F4), ref: 00E299C9
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2054709991.0000000000E27000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E27000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_e27000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Sleep
                                                                          • String ID:
                                                                          • API String ID: 3472027048-0
                                                                          • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                          • Instruction ID: fd99d72207c90df04fd303c6c0cbd03b4c75de8558d9fe0868f881edfc0ebcfa
                                                                          • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                          • Instruction Fuzzy Hash: C0E0E67494010DDFDB00DFB4D5496AD7BB4EF04301F104165FD05E2280D6309D508A62
                                                                          APIs
                                                                            • Part of subcall function 00489BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00489BB2
                                                                          • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0050961A
                                                                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0050965B
                                                                          • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0050969F
                                                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 005096C9
                                                                          • SendMessageW.USER32 ref: 005096F2
                                                                          • GetKeyState.USER32(00000011), ref: 0050978B
                                                                          • GetKeyState.USER32(00000009), ref: 00509798
                                                                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 005097AE
                                                                          • GetKeyState.USER32(00000010), ref: 005097B8
                                                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 005097E9
                                                                          • SendMessageW.USER32 ref: 00509810
                                                                          • SendMessageW.USER32(?,00001030,?,00507E95), ref: 00509918
                                                                          • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0050992E
                                                                          • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00509941
                                                                          • SetCapture.USER32(?), ref: 0050994A
                                                                          • ClientToScreen.USER32(?,?), ref: 005099AF
                                                                          • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 005099BC
                                                                          • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 005099D6
                                                                          • ReleaseCapture.USER32 ref: 005099E1
                                                                          • GetCursorPos.USER32(?), ref: 00509A19
                                                                          • ScreenToClient.USER32(?,?), ref: 00509A26
                                                                          • SendMessageW.USER32(?,00001012,00000000,?), ref: 00509A80
                                                                          • SendMessageW.USER32 ref: 00509AAE
                                                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 00509AEB
                                                                          • SendMessageW.USER32 ref: 00509B1A
                                                                          • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00509B3B
                                                                          • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00509B4A
                                                                          • GetCursorPos.USER32(?), ref: 00509B68
                                                                          • ScreenToClient.USER32(?,?), ref: 00509B75
                                                                          • GetParent.USER32(?), ref: 00509B93
                                                                          • SendMessageW.USER32(?,00001012,00000000,?), ref: 00509BFA
                                                                          • SendMessageW.USER32 ref: 00509C2B
                                                                          • ClientToScreen.USER32(?,?), ref: 00509C84
                                                                          • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00509CB4
                                                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 00509CDE
                                                                          • SendMessageW.USER32 ref: 00509D01
                                                                          • ClientToScreen.USER32(?,?), ref: 00509D4E
                                                                          • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00509D82
                                                                            • Part of subcall function 00489944: GetWindowLongW.USER32(?,000000EB), ref: 00489952
                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00509E05
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
                                                                          • String ID: @GUI_DRAGID$F$p#T
                                                                          • API String ID: 3429851547-2265911392
                                                                          • Opcode ID: 9f3045fd067788ca97ce948f9fa7484273eda8924aabc502b225d157595b0df4
                                                                          • Instruction ID: 552ea61230036aa49b262d02b643d9a468b333070a4ea8e2abf9d82cd9ffe350
                                                                          • Opcode Fuzzy Hash: 9f3045fd067788ca97ce948f9fa7484273eda8924aabc502b225d157595b0df4
                                                                          • Instruction Fuzzy Hash: E8429035508201AFDB24CF24CC44AAEBFE5FF4A314F184A1DF6558B2E6D732A854DB51
                                                                          APIs
                                                                          • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 005048F3
                                                                          • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00504908
                                                                          • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00504927
                                                                          • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0050494B
                                                                          • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0050495C
                                                                          • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0050497B
                                                                          • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 005049AE
                                                                          • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 005049D4
                                                                          • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00504A0F
                                                                          • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00504A56
                                                                          • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00504A7E
                                                                          • IsMenu.USER32(?), ref: 00504A97
                                                                          • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00504AF2
                                                                          • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00504B20
                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00504B94
                                                                          • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00504BE3
                                                                          • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00504C82
                                                                          • wsprintfW.USER32 ref: 00504CAE
                                                                          • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00504CC9
                                                                          • GetWindowTextW.USER32(?,00000000,00000001), ref: 00504CF1
                                                                          • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00504D13
                                                                          • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00504D33
                                                                          • GetWindowTextW.USER32(?,00000000,00000001), ref: 00504D5A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
                                                                          • String ID: %d/%02d/%02d
                                                                          • API String ID: 4054740463-328681919
                                                                          • Opcode ID: 1bdab42407bf0b4ddfcc9f7d0a43cbc727c9dad2637961343035fc22aa522ca0
                                                                          • Instruction ID: 759005c288b41ad39d2ed28a15d9d4af3f355c76c05448918c3a50a40602d6c9
                                                                          • Opcode Fuzzy Hash: 1bdab42407bf0b4ddfcc9f7d0a43cbc727c9dad2637961343035fc22aa522ca0
                                                                          • Instruction Fuzzy Hash: E812EEB1600205ABEB249F28CD49FAE7FB8FF85314F104629FA15EA2E1DB749945CF50
                                                                          APIs
                                                                          • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0048F998
                                                                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004CF474
                                                                          • IsIconic.USER32(00000000), ref: 004CF47D
                                                                          • ShowWindow.USER32(00000000,00000009), ref: 004CF48A
                                                                          • SetForegroundWindow.USER32(00000000), ref: 004CF494
                                                                          • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004CF4AA
                                                                          • GetCurrentThreadId.KERNEL32 ref: 004CF4B1
                                                                          • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004CF4BD
                                                                          • AttachThreadInput.USER32(?,00000000,00000001), ref: 004CF4CE
                                                                          • AttachThreadInput.USER32(?,00000000,00000001), ref: 004CF4D6
                                                                          • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 004CF4DE
                                                                          • SetForegroundWindow.USER32(00000000), ref: 004CF4E1
                                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 004CF4F6
                                                                          • keybd_event.USER32(00000012,00000000), ref: 004CF501
                                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 004CF50B
                                                                          • keybd_event.USER32(00000012,00000000), ref: 004CF510
                                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 004CF519
                                                                          • keybd_event.USER32(00000012,00000000), ref: 004CF51E
                                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 004CF528
                                                                          • keybd_event.USER32(00000012,00000000), ref: 004CF52D
                                                                          • SetForegroundWindow.USER32(00000000), ref: 004CF530
                                                                          • AttachThreadInput.USER32(?,000000FF,00000000), ref: 004CF557
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                          • String ID: Shell_TrayWnd
                                                                          • API String ID: 4125248594-2988720461
                                                                          • Opcode ID: 1f506f47616cb971d3f7813fb3b4aa04fa43975414dee1ec04c175d56d904706
                                                                          • Instruction ID: f1b214ad4fc0bc4b8529a24d8936e3aba309b6096e04516cfc95db0ac848fe8b
                                                                          • Opcode Fuzzy Hash: 1f506f47616cb971d3f7813fb3b4aa04fa43975414dee1ec04c175d56d904706
                                                                          • Instruction Fuzzy Hash: 3B319075A40218BFEB306FB54C4AFBF7E6DEB45B50F10012AFA00E61D1C7B55D04AAA5
                                                                          APIs
                                                                            • Part of subcall function 004D16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 004D170D
                                                                            • Part of subcall function 004D16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 004D173A
                                                                            • Part of subcall function 004D16C3: GetLastError.KERNEL32 ref: 004D174A
                                                                          • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 004D1286
                                                                          • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 004D12A8
                                                                          • CloseHandle.KERNEL32(?), ref: 004D12B9
                                                                          • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004D12D1
                                                                          • GetProcessWindowStation.USER32 ref: 004D12EA
                                                                          • SetProcessWindowStation.USER32(00000000), ref: 004D12F4
                                                                          • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004D1310
                                                                            • Part of subcall function 004D10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004D11FC), ref: 004D10D4
                                                                            • Part of subcall function 004D10BF: CloseHandle.KERNEL32(?,?,004D11FC), ref: 004D10E9
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
                                                                          • String ID: $default$winsta0$ZS
                                                                          • API String ID: 22674027-27793362
                                                                          • Opcode ID: 38d4506cd1ff87792bb55fe6ef3a866555a68102067a728cfae1930605507e5f
                                                                          • Instruction ID: 6dbca37d1f53ef13dfd402accb93674e6fa1f7e4115bcbcfa2c7fc03393b0a3b
                                                                          • Opcode Fuzzy Hash: 38d4506cd1ff87792bb55fe6ef3a866555a68102067a728cfae1930605507e5f
                                                                          • Instruction Fuzzy Hash: AE817871900208BBDF219FA4DC59BEF7BB9AF05708F14422BF910A62A0D7798945DB68
                                                                          APIs
                                                                            • Part of subcall function 004D10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 004D1114
                                                                            • Part of subcall function 004D10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,004D0B9B,?,?,?), ref: 004D1120
                                                                            • Part of subcall function 004D10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,004D0B9B,?,?,?), ref: 004D112F
                                                                            • Part of subcall function 004D10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,004D0B9B,?,?,?), ref: 004D1136
                                                                            • Part of subcall function 004D10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 004D114D
                                                                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 004D0BCC
                                                                          • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004D0C00
                                                                          • GetLengthSid.ADVAPI32(?), ref: 004D0C17
                                                                          • GetAce.ADVAPI32(?,00000000,?), ref: 004D0C51
                                                                          • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 004D0C6D
                                                                          • GetLengthSid.ADVAPI32(?), ref: 004D0C84
                                                                          • GetProcessHeap.KERNEL32(00000008,00000008), ref: 004D0C8C
                                                                          • HeapAlloc.KERNEL32(00000000), ref: 004D0C93
                                                                          • GetLengthSid.ADVAPI32(?,00000008,?), ref: 004D0CB4
                                                                          • CopySid.ADVAPI32(00000000), ref: 004D0CBB
                                                                          • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004D0CEA
                                                                          • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004D0D0C
                                                                          • SetUserObjectSecurity.USER32(?,00000004,?), ref: 004D0D1E
                                                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 004D0D45
                                                                          • HeapFree.KERNEL32(00000000), ref: 004D0D4C
                                                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 004D0D55
                                                                          • HeapFree.KERNEL32(00000000), ref: 004D0D5C
                                                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 004D0D65
                                                                          • HeapFree.KERNEL32(00000000), ref: 004D0D6C
                                                                          • GetProcessHeap.KERNEL32(00000000,?), ref: 004D0D78
                                                                          • HeapFree.KERNEL32(00000000), ref: 004D0D7F
                                                                            • Part of subcall function 004D1193: GetProcessHeap.KERNEL32(00000008,004D0BB1,?,00000000,?,004D0BB1,?), ref: 004D11A1
                                                                            • Part of subcall function 004D1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,004D0BB1,?), ref: 004D11A8
                                                                            • Part of subcall function 004D1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,004D0BB1,?), ref: 004D11B7
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                                          • String ID:
                                                                          • API String ID: 4175595110-0
                                                                          • Opcode ID: cd1e4914347315c1ff27775724d6519db4c548c7789da346ac6c8b5c68223693
                                                                          • Instruction ID: 1cc5f6b24425ba2fc263965423e05156a95a01f3cbf3272432773e1b3ee11b40
                                                                          • Opcode Fuzzy Hash: cd1e4914347315c1ff27775724d6519db4c548c7789da346ac6c8b5c68223693
                                                                          • Instruction Fuzzy Hash: 3D717A7290020AAFDF10DFA4DD58BAFBBB9BF16700F044617E914A7391D779AA05CB60
                                                                          APIs
                                                                          • OpenClipboard.USER32(0050CC08), ref: 004EEB29
                                                                          • IsClipboardFormatAvailable.USER32(0000000D), ref: 004EEB37
                                                                          • GetClipboardData.USER32(0000000D), ref: 004EEB43
                                                                          • CloseClipboard.USER32 ref: 004EEB4F
                                                                          • GlobalLock.KERNEL32(00000000), ref: 004EEB87
                                                                          • CloseClipboard.USER32 ref: 004EEB91
                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 004EEBBC
                                                                          • IsClipboardFormatAvailable.USER32(00000001), ref: 004EEBC9
                                                                          • GetClipboardData.USER32(00000001), ref: 004EEBD1
                                                                          • GlobalLock.KERNEL32(00000000), ref: 004EEBE2
                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 004EEC22
                                                                          • IsClipboardFormatAvailable.USER32(0000000F), ref: 004EEC38
                                                                          • GetClipboardData.USER32(0000000F), ref: 004EEC44
                                                                          • GlobalLock.KERNEL32(00000000), ref: 004EEC55
                                                                          • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 004EEC77
                                                                          • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 004EEC94
                                                                          • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 004EECD2
                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 004EECF3
                                                                          • CountClipboardFormats.USER32 ref: 004EED14
                                                                          • CloseClipboard.USER32 ref: 004EED59
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
                                                                          • String ID:
                                                                          • API String ID: 420908878-0
                                                                          • Opcode ID: 8485c57ac56f2b723c7628ef08ecd1946009e144cf703271fe81130e0c83218b
                                                                          • Instruction ID: ae5502adcea6aabae1b819fae05a6f0e222cfd7aaa0fc68ecc1194e08b414eed
                                                                          • Opcode Fuzzy Hash: 8485c57ac56f2b723c7628ef08ecd1946009e144cf703271fe81130e0c83218b
                                                                          • Instruction Fuzzy Hash: EF6111342042429FD310EF26C884F7E7BA4AF95705F04465EF456872A2CB39ED0ADB66
                                                                          APIs
                                                                          • FindFirstFileW.KERNEL32(?,?), ref: 004E69BE
                                                                          • FindClose.KERNEL32(00000000), ref: 004E6A12
                                                                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 004E6A4E
                                                                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 004E6A75
                                                                            • Part of subcall function 00479CB3: _wcslen.LIBCMT ref: 00479CBD
                                                                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 004E6AB2
                                                                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 004E6ADF
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
                                                                          • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
                                                                          • API String ID: 3830820486-3289030164
                                                                          • Opcode ID: 24fb68c6d92f090179af6c1af79d60b909de6afee60af02c91f328b985b26ef4
                                                                          • Instruction ID: ce33c415656137898d939a2ae3ce9ec260c19077486d1454fdac05427a2d5879
                                                                          • Opcode Fuzzy Hash: 24fb68c6d92f090179af6c1af79d60b909de6afee60af02c91f328b985b26ef4
                                                                          • Instruction Fuzzy Hash: 8ED15271508340AFC710EBA5C881EAFB7ECAF99708F44491EF589C7191EB78DA48C766
                                                                          APIs
                                                                          • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 004E9663
                                                                          • GetFileAttributesW.KERNEL32(?), ref: 004E96A1
                                                                          • SetFileAttributesW.KERNEL32(?,?), ref: 004E96BB
                                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 004E96D3
                                                                          • FindClose.KERNEL32(00000000), ref: 004E96DE
                                                                          • FindFirstFileW.KERNEL32(*.*,?), ref: 004E96FA
                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 004E974A
                                                                          • SetCurrentDirectoryW.KERNEL32(00536B7C), ref: 004E9768
                                                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 004E9772
                                                                          • FindClose.KERNEL32(00000000), ref: 004E977F
                                                                          • FindClose.KERNEL32(00000000), ref: 004E978F
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                                                          • String ID: *.*
                                                                          • API String ID: 1409584000-438819550
                                                                          • Opcode ID: 010eaf240c2615175e8df5463294c6e517646e4dc5172969d509dc4f242cc42e
                                                                          • Instruction ID: 2b669297dece625c6640684105b0f62bf2af08c75fcfeefa23e776c4bdeba765
                                                                          • Opcode Fuzzy Hash: 010eaf240c2615175e8df5463294c6e517646e4dc5172969d509dc4f242cc42e
                                                                          • Instruction Fuzzy Hash: 1631F632500259BADF10AFB6DC09ADF7BACAF0A321F1041A7F855E21D1DB38DD488E18
                                                                          APIs
                                                                          • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 004E97BE
                                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 004E9819
                                                                          • FindClose.KERNEL32(00000000), ref: 004E9824
                                                                          • FindFirstFileW.KERNEL32(*.*,?), ref: 004E9840
                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 004E9890
                                                                          • SetCurrentDirectoryW.KERNEL32(00536B7C), ref: 004E98AE
                                                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 004E98B8
                                                                          • FindClose.KERNEL32(00000000), ref: 004E98C5
                                                                          • FindClose.KERNEL32(00000000), ref: 004E98D5
                                                                            • Part of subcall function 004DDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 004DDB00
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                                                          • String ID: *.*
                                                                          • API String ID: 2640511053-438819550
                                                                          • Opcode ID: 803850ac900858ab3426149891063069ac97b4af30c00ea3a1c56f9ca783b18d
                                                                          • Instruction ID: 8225b70cdd8a0816ee862f67d692141e0b628aa0bd19b105800562fd31bcc1e5
                                                                          • Opcode Fuzzy Hash: 803850ac900858ab3426149891063069ac97b4af30c00ea3a1c56f9ca783b18d
                                                                          • Instruction Fuzzy Hash: 0731C7315002596ADF10AFB6DC49ADF7BACBF06325F1441ABE850E22E1DB34DD498F29
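The function records above are raw per-function API listings, and the interesting behaviour is only visible when several calls are read together: AttachThreadInput + SetForegroundWindow bracketing a pair of keybd_event calls on virtual key 0x12 (VK_MENU, the Alt key) is the well-known way to force a window to the foreground; LogonUserW + DuplicateTokenEx followed by OpenWindowStationW("winsta0") / OpenDesktopW("default") and a record that does GetAce / AddAce / SetUserObjectSecurity is a logon under supplied credentials with the window station and desktop DACLs widened for it; OpenClipboard + IsClipboardFormatAvailable(0x0D / 0x01 / 0x0F) + GetClipboardData reads CF_UNICODETEXT, CF_TEXT and CF_HDROP (dropped file lists via DragQueryFileW). The script below is an added triage aid, not part of the Joe Sandbox report or of the sample: it parses records in the listing format used on this page (an "APIs" header, one "• Api.MODULE(args), ref: ADDR" line per call, "Part of subcall function" prefixes, and the "String ID" line) and tags each record with capability labels. The label names and the grouping rules are my own; the sample input is a trimmed copy of three records from this page, and the Windows constants (VK_MENU = 0x12, CF_TEXT = 1, CF_UNICODETEXT = 13, CF_HDROP = 15) are the documented values.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed input: trimmed copies of three function records from the report above.
SAMPLE = """\
APIs
• AttachThreadInput.USER32(?,00000000,00000001), ref: 004CF4D6
• SetForegroundWindow.USER32(00000000), ref: 004CF4E1
• MapVirtualKeyW.USER32(00000012,00000000), ref: 004CF4F6
• keybd_event.USER32(00000012,00000000), ref: 004CF501
• AttachThreadInput.USER32(?,000000FF,00000000), ref: 004CF557
Strings
Memory Dump Source
• Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
Similarity
• API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
• String ID: Shell_TrayWnd
• API String ID: 4125248594-2988720461
APIs
  • Part of subcall function 004D16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 004D170D
  • Part of subcall function 004D16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 004D173A
• LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 004D1286
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 004D12A8
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004D12D1
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004D1310
Similarity
• String ID: $default$winsta0$ZS
APIs
• OpenClipboard.USER32(0050CC08), ref: 004EEB29
• IsClipboardFormatAvailable.USER32(0000000D), ref: 004EEB37
• GetClipboardData.USER32(0000000D), ref: 004EEB43
• IsClipboardFormatAvailable.USER32(0000000F), ref: 004EEC38
• DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 004EEC77
• CloseClipboard.USER32 ref: 004EED59
"""

# One call line: optional subcall prefix, Api.MODULE, optional (args), then "ref: ADDR".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
STRING_ID_LINE = re.compile(r"^\s*•\s*String ID:\s*(?P<s>.*?)\s*$")

VK_MENU = 0x12                                              # Alt key (documented value)
CLIPBOARD_FORMATS = {1: "CF_TEXT", 13: "CF_UNICODETEXT", 15: "CF_HDROP"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str
    subcall_of: Optional[str] = None   # set when the call sits inside a callee


@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    string_id: str = ""

    def names(self) -> Set[str]:
        return {c.api for c in self.calls}

    def body_ref(self) -> str:
        """Lowest address among the function's own (non-subcall) calls."""
        own = [c for c in self.calls if c.subcall_of is None] or self.calls
        return min(own, key=lambda c: int(c.ref, 16)).ref


def parse_records(text: str) -> List[FunctionRecord]:
    """Split the listing into records at each 'APIs' header and collect their calls."""
    records: List[FunctionRecord] = []
    current: Optional[FunctionRecord] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionRecord()
            records.append(current)
            continue
        if current is None:
            continue
        m = API_LINE.match(line)
        if m:
            args = [a for a in (m.group("args") or "").split(",") if a]
            current.calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                                         m.group("ref"), m.group("sub")))
            continue
        m = STRING_ID_LINE.match(line)
        if m:
            current.string_id = m.group("s")
    return records


def _hex_arg(call: ApiCall, index: int = 0) -> Optional[int]:
    """First argument as an int, or None when the report printed '?'."""
    if index < len(call.args) and re.fullmatch(r"[0-9A-Fa-f]+", call.args[index]):
        return int(call.args[index], 16)
    return None


def classify(rec: FunctionRecord) -> Set[str]:
    """Capability labels (my own naming) derived from co-occurring API calls."""
    names, caps = rec.names(), set()
    if {"AttachThreadInput", "SetForegroundWindow", "keybd_event"} <= names:
        vks = {_hex_arg(c) for c in rec.calls if c.api == "keybd_event"}
        caps.add("forced-foreground" + ("+alt-keypress" if VK_MENU in vks else ""))
    if {"OpenClipboard", "GetClipboardData"} <= names:
        fmts = sorted(f for f in (_hex_arg(c) for c in rec.calls
                                  if c.api == "IsClipboardFormatAvailable") if f is not None)
        caps.add("clipboard-read:" + ",".join(CLIPBOARD_FORMATS.get(f, hex(f)) for f in fmts))
    if {"LogonUserW", "DuplicateTokenEx"} <= names:
        caps.add("logon-with-credentials")
    if {"OpenWindowStationW", "OpenDesktopW"} <= names:
        caps.add("winsta-desktop-access")
    if {"AddAce", "SetUserObjectSecurity"} <= names:
        caps.add("dacl-modification")
    if "AdjustTokenPrivileges" in names:
        caps.add("privilege-adjust")
    if {"FindFirstFileW", "FindNextFileW", "SetFileAttributesW"} <= names:
        caps.add("recursive-attribute-change")
    return caps


def triage(text: str):
    """(body address, sorted labels, string id) for every record that has calls."""
    return [(r.body_ref(), sorted(classify(r)), r.string_id)
            for r in parse_records(text) if r.calls]


if __name__ == "__main__":
    for ref, caps, sid in triage(SAMPLE):
        print(f"{ref}: {', '.join(caps) or '-'}   strings={sid or '-'}")
```

Run it over the full function listing of a report (every record on this page follows the same layout) to get one line per function with the behaviours a reviewer cares about, rather than reading hundreds of API bullets by hand; the rules are a starting point and should be extended for whatever the sample under review does.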
APIs
• GetLocalTime.KERNEL32(?), ref: 004E8257
• SystemTimeToFileTime.KERNEL32(?,?), ref: 004E8267
• LocalFileTimeToFileTime.KERNEL32(?,?), ref: 004E8273
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 004E8310
• SetCurrentDirectoryW.KERNEL32(?), ref: 004E8324
• SetCurrentDirectoryW.KERNEL32(?), ref: 004E8356
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 004E838C
• SetCurrentDirectoryW.KERNEL32(?), ref: 004E8395
Strings
Memory Dump Source
• Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
• Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
Similarity
• API ID: CurrentDirectoryTime$File$Local$System
• String ID: *.*
• API String ID: 1464919966-438819550
• Opcode ID: 1d549f7a32fef3eebf84926ebf0aef71d5df3f1786454390f21f9e482c46f2a1
• Instruction ID: 54292d544e795a0569e973315904940f041904f0978c034d75459653729fec68
• Opcode Fuzzy Hash: 1d549f7a32fef3eebf84926ebf0aef71d5df3f1786454390f21f9e482c46f2a1
• Instruction Fuzzy Hash: 2A619D725043459FCB10EF62C84199FB3E8FF89318F04892EF98997251DB39E905CB96
APIs
  • Part of subcall function 00473AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00473A97,?,?,00472E7F,?,?,?,00000000), ref: 00473AC2
  • Part of subcall function 004DE199: GetFileAttributesW.KERNEL32(?,004DCF95), ref: 004DE19A
• FindFirstFileW.KERNEL32(?,?), ref: 004DD122
• DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 004DD1DD
• MoveFileW.KERNEL32(?,?), ref: 004DD1F0
• DeleteFileW.KERNEL32(?,?,?,?), ref: 004DD20D
• FindNextFileW.KERNEL32(00000000,00000010), ref: 004DD237
  • Part of subcall function 004DD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,004DD21C,?,?), ref: 004DD2B2
• FindClose.KERNEL32(00000000,?,?,?), ref: 004DD253
• FindClose.KERNEL32(00000000), ref: 004DD264
Strings
Memory Dump Source
• Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
• Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
Similarity
• API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
• String ID: \*.*
• API String ID: 1946585618-1173974218
• Opcode ID: cf8d3be80fc96988fc104a41e31d94f5d01fb3ae6a5c6168483b1dc1ad4035ee
• Instruction ID: 89d319a7b1196f65f0293633fcb7ffa77c3190f420668c9c9892966151d9edb5
• Opcode Fuzzy Hash: cf8d3be80fc96988fc104a41e31d94f5d01fb3ae6a5c6168483b1dc1ad4035ee
• Instruction Fuzzy Hash: 1E61AF31C0110D9ACF05EBE1CDA29EEB7B5AF55304F2481ABE40677291EB385F09DB65
APIs
Memory Dump Source
• Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
• Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
Similarity
• API ID: Clipboard$AllocCloseEmptyGlobalOpen
• String ID:
• API String ID: 1737998785-0
• Opcode ID: 5b6191954b263f3ff1ef4111f0d0d843cf8466cd7c96ffe880349795000d33a4
• Instruction ID: b3da2898fd92c4b72cef94944a404745a11c0a668cae205ba2ddb26717e2146c
• Opcode Fuzzy Hash: 5b6191954b263f3ff1ef4111f0d0d843cf8466cd7c96ffe880349795000d33a4
• Instruction Fuzzy Hash: 6941EF34604651AFD320CF1AD888F5ABBE1EF45319F14C19EE4598B7A2C73AEC46CB84
APIs
  • Part of subcall function 004D16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 004D170D
  • Part of subcall function 004D16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 004D173A
  • Part of subcall function 004D16C3: GetLastError.KERNEL32 ref: 004D174A
• ExitWindowsEx.USER32(?,00000000), ref: 004DE932
Strings
Memory Dump Source
• Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
• Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
Similarity
• API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
• String ID: $ $@$SeShutdownPrivilege
• API String ID: 2234035333-3163812486
• Opcode ID: 8e760592ee4b2606073bec2327384fb83b7416f76266be6ebc7b90429b794341
• Instruction ID: 04583a36d6a5a455aba12b14367503feff94a004c0303dfb72cc41b193c2a086
• Opcode Fuzzy Hash: 8e760592ee4b2606073bec2327384fb83b7416f76266be6ebc7b90429b794341
• Instruction Fuzzy Hash: 530126B2611211BBEB1433B69CBAFBF769CA714744F140967FC03E63E2D5A85C448198
APIs
• socket.WSOCK32(00000002,00000001,00000006), ref: 004F1276
• WSAGetLastError.WSOCK32 ref: 004F1283
• bind.WSOCK32(00000000,?,00000010), ref: 004F12BA
• WSAGetLastError.WSOCK32 ref: 004F12C5
• closesocket.WSOCK32(00000000), ref: 004F12F4
• listen.WSOCK32(00000000,00000005), ref: 004F1303
• WSAGetLastError.WSOCK32 ref: 004F130D
• closesocket.WSOCK32(00000000), ref: 004F133C
Memory Dump Source
• Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
• Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
Similarity
• API ID: ErrorLast$closesocket$bindlistensocket
• String ID:
• API String ID: 540024437-0
• Opcode ID: bae9789fa87d7dcb4e10e1a3695e5df80de6cabc9c83be3cedc7a412b532d6f8
• Instruction ID: 547bb06de2073c3097ee85def4ad4b4f0420a055d1557bfd7b00d8e3df4859a3
• Opcode Fuzzy Hash: bae9789fa87d7dcb4e10e1a3695e5df80de6cabc9c83be3cedc7a412b532d6f8
• Instruction Fuzzy Hash: EE41AD30600104DFD710DF64C488B2ABBE5AF46318F19818AE9569F3E2C735EC85CBA5
APIs
• _free.LIBCMT ref: 004AB9D4
• _free.LIBCMT ref: 004AB9F8
• _free.LIBCMT ref: 004ABB7F
• GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00513700), ref: 004ABB91
• WideCharToMultiByte.KERNEL32(00000000,00000000,0054121C,000000FF,00000000,0000003F,00000000,?,?), ref: 004ABC09
• WideCharToMultiByte.KERNEL32(00000000,00000000,00541270,000000FF,?,0000003F,00000000,?), ref: 004ABC36
• _free.LIBCMT ref: 004ABD4B
Memory Dump Source
• Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
• Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
Similarity
• API ID: _free$ByteCharMultiWide$InformationTimeZone
• String ID:
• API String ID: 314583886-0
• Opcode ID: 3d205e94188bcd37f34e09d410ec38c15bf0bbd58085407f0051bb3c2f0b74a6
• Instruction ID: 3dcc215a0c16c74486f235d87c8bca65cecfa27c510f364db253d0f49a08773c
• Opcode Fuzzy Hash: 3d205e94188bcd37f34e09d410ec38c15bf0bbd58085407f0051bb3c2f0b74a6
• Instruction Fuzzy Hash: 08C13475A04204AFCB209F6A9841AAF7BA8EF63314F14419FE891D7353E7389E41D7D8
APIs
  • Part of subcall function 00473AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00473A97,?,?,00472E7F,?,?,?,00000000), ref: 00473AC2
  • Part of subcall function 004DE199: GetFileAttributesW.KERNEL32(?,004DCF95), ref: 004DE19A
• FindFirstFileW.KERNEL32(?,?), ref: 004DD420
• DeleteFileW.KERNEL32(?,?,?,?), ref: 004DD470
• FindNextFileW.KERNEL32(00000000,00000010), ref: 004DD481
• FindClose.KERNEL32(00000000), ref: 004DD498
• FindClose.KERNEL32(00000000), ref: 004DD4A1
Strings
Memory Dump Source
• Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
• Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
Similarity
• API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
• String ID: \*.*
• API String ID: 2649000838-1173974218
• Opcode ID: 0a5f6eafcc99facd77ebbfdb427f02a4bd3cf7a7da44b21db404dd7de02bcfa2
• Instruction ID: df30adc7f7ee44bdd5387b3873a3e00f19f612a513bd988f70e0bbce1c9e2876
• Opcode Fuzzy Hash: 0a5f6eafcc99facd77ebbfdb427f02a4bd3cf7a7da44b21db404dd7de02bcfa2
• Instruction Fuzzy Hash: 733172714183459BC300EF65C8528EF77A8AEA2308F448E1FF4D552291EB38AA1DD76B
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
• Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
Similarity
• API ID: __floor_pentium4
• String ID: 1#IND$1#INF$1#QNAN$1#SNAN
• API String ID: 4168288129-2761157908
• Opcode ID: aa1f74930eb6007da51bab4db76c188fa97d478a9eb460f5aa7ef42602ff3ccb
• Instruction ID: 7284ac4cba3b7f77139319a45079c13eab2b619fc6b501948f1dfe71919fbd6c
• Opcode Fuzzy Hash: aa1f74930eb6007da51bab4db76c188fa97d478a9eb460f5aa7ef42602ff3ccb
• Instruction Fuzzy Hash: BBC26B71E086288FDB24CE69DD407EAB7B5EB6A304F1441EBD41DE7240E778AE858F44
APIs
• _wcslen.LIBCMT ref: 004E64DC
• CoInitialize.OLE32(00000000), ref: 004E6639
• CoCreateInstance.OLE32(0050FCF8,00000000,00000001,0050FB68,?), ref: 004E6650
• CoUninitialize.OLE32 ref: 004E68D4
Strings
Memory Dump Source
• Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
• Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
Similarity
• API ID: CreateInitializeInstanceUninitialize_wcslen
• String ID: .lnk
• API String ID: 886957087-24824748
• Opcode ID: 327e86b1bea4ac3ea48e1f7eb79f5609c79e52efe9f6483e3b82ba6c85584cfc
• Instruction ID: 6c2a79e292524704cc66534d34339a15aa53b4e4f1a4e8e715daeaa0a8d007a1
• Opcode Fuzzy Hash: 327e86b1bea4ac3ea48e1f7eb79f5609c79e52efe9f6483e3b82ba6c85584cfc
• Instruction Fuzzy Hash: 54D15C71608241AFC314EF25C881DABB7E9FF95348F00896EF5998B291DB34ED05CB96
APIs
• GetForegroundWindow.USER32(?,?,00000000), ref: 004F22E8
  • Part of subcall function 004EE4EC: GetWindowRect.USER32(?,?), ref: 004EE504
• GetDesktopWindow.USER32 ref: 004F2312
• GetWindowRect.USER32(00000000), ref: 004F2319
• mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 004F2355
• GetCursorPos.USER32(?), ref: 004F2381
• mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 004F23DF
Memory Dump Source
• Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
• Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
Similarity
• API ID: Window$Rectmouse_event$CursorDesktopForeground
• String ID:
• API String ID: 2387181109-0
• Opcode ID: 927c8f39924af614e15a11a39e9b286ed52f35718331ef746d3b1e3d6ed3429d
• Instruction ID: 442470e2cb7f721247ec17d8b216e9adbe1381a203e27ef9f5735cdae91f261b
• Opcode Fuzzy Hash: 927c8f39924af614e15a11a39e9b286ed52f35718331ef746d3b1e3d6ed3429d
• Instruction Fuzzy Hash: DF31D2B25053199FC720DF25C845F6BBBA9FF85314F000A1EF98597291D778EA08CB96
                                                                          APIs
                                                                            • Part of subcall function 00479CB3: _wcslen.LIBCMT ref: 00479CBD
                                                                          • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 004E9B78
                                                                          • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 004E9C8B
                                                                            • Part of subcall function 004E3874: GetInputState.USER32 ref: 004E38CB
                                                                            • Part of subcall function 004E3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004E3966
                                                                          • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 004E9BA8
                                                                          • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 004E9C75
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                                                                          • String ID: *.*
                                                                          • API String ID: 1972594611-438819550
                                                                          • Opcode ID: 998d62fce67e93296edf3903062ec1c88604cdb5372b578a8a4d9a351ef9c04e
                                                                          • Instruction ID: 7e85b223efb8c9dc76bc52fbc8b281396de8510268be8e5ed11d2d2c598e8135
                                                                          • Opcode Fuzzy Hash: 998d62fce67e93296edf3903062ec1c88604cdb5372b578a8a4d9a351ef9c04e
                                                                          • Instruction Fuzzy Hash: 3C41957190024A9FDF14EF65C849AEE7BB4FF05305F20415BE805A22D1D7349E44CF65
                                                                          APIs
                                                                            • Part of subcall function 00489BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00489BB2
                                                                          • DefDlgProcW.USER32(?,?,?,?,?), ref: 00489A4E
                                                                          • GetSysColor.USER32(0000000F), ref: 00489B23
                                                                          • SetBkColor.GDI32(?,00000000), ref: 00489B36
                                                                          Similarity
                                                                          • API ID: Color$LongProcWindow
                                                                          • String ID:
                                                                          • API String ID: 3131106179-0
                                                                          • Opcode ID: 453163e167e3d2203eba8fa89a2d62cfc6bbd0aeb6f022d38d1c464faf84b491
                                                                          • Instruction ID: a2a1a0a49c410e35c24479cd9f63541ab3af6207ec87bc79b681227c8cb9d8bf
                                                                          • Opcode Fuzzy Hash: 453163e167e3d2203eba8fa89a2d62cfc6bbd0aeb6f022d38d1c464faf84b491
                                                                          • Instruction Fuzzy Hash: 27A10A74205C44BFE668BA298C48E7F299DEB82354B1C050FF502C6BD5CA2D9D42D77E
                                                                          APIs
                                                                            • Part of subcall function 004F304E: inet_addr.WSOCK32(?), ref: 004F307A
                                                                            • Part of subcall function 004F304E: _wcslen.LIBCMT ref: 004F309B
                                                                          • socket.WSOCK32(00000002,00000002,00000011), ref: 004F185D
                                                                          • WSAGetLastError.WSOCK32 ref: 004F1884
                                                                          • bind.WSOCK32(00000000,?,00000010), ref: 004F18DB
                                                                          • WSAGetLastError.WSOCK32 ref: 004F18E6
                                                                          • closesocket.WSOCK32(00000000), ref: 004F1915
                                                                          Similarity
                                                                          • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
                                                                          • String ID:
                                                                          • API String ID: 1601658205-0
                                                                          • Opcode ID: 28c999c03233a1431aa15738782aea01a09ce4f29ac7b7b0b2222ea339040ad9
                                                                          • Instruction ID: e3ef8214e10ce7033970c22dae77b2cb746cbf795876f8ccf1d557fb2e522192
                                                                          • Opcode Fuzzy Hash: 28c999c03233a1431aa15738782aea01a09ce4f29ac7b7b0b2222ea339040ad9
                                                                          • Instruction Fuzzy Hash: CB51B171A00200AFD710AF24C886F6A77A5AB45718F14C49EFA0A5F3D3C679AD418BA5
                                                                          APIs
                                                                          Similarity
                                                                          • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                          • String ID:
                                                                          • API String ID: 292994002-0
                                                                          • Opcode ID: c0dfa0a7e6f6e9bd18417927f4e56988811f500ad7e72775e77ea2940bedc6a9
                                                                          • Instruction ID: 5a7fbf7cc8da7caf7dde50b8c8262b2d52be04982129b7581713e5eba5a1e1df
                                                                          • Opcode Fuzzy Hash: c0dfa0a7e6f6e9bd18417927f4e56988811f500ad7e72775e77ea2940bedc6a9
                                                                          • Instruction Fuzzy Hash: 1E219131740A115FE7208F2AC888B6E7FA5FF95315F19806DE84A8B291CB71DC42CB99
                                                                          Strings
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                                                          • API String ID: 0-1546025612
                                                                          • Opcode ID: 8c22bb71e7ce617497f333cceda56bd42c9065c130f72fb1617ecf6418989798
                                                                          • Instruction ID: 4d8c4f25e7ea104b3c62a0fe6341c91825bb76950de611264b3d298c3bcc51bb
                                                                          • Opcode Fuzzy Hash: 8c22bb71e7ce617497f333cceda56bd42c9065c130f72fb1617ecf6418989798
                                                                          • Instruction Fuzzy Hash: E4A28F70E4021ACBDF24CF58C9447EEB7B1BB54310F2581ABD819A7381EB789D81CB69
                                                                          APIs
                                                                          • lstrlenW.KERNEL32(?,?,?,00000000), ref: 004D82AA
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: lstrlen
                                                                          • String ID: ($tbS$|
                                                                          • API String ID: 1659193697-2799688314
                                                                          • Opcode ID: f75c758b0711aed4079b6e1ecd716c68d6a4f1e39a705f78b70e5ece247b15da
                                                                          • Instruction ID: ad2dc3d88c26bc99d052ca5f51719c4087ce4f1f697e856188c0b297a4d8cfe7
                                                                          • Opcode Fuzzy Hash: f75c758b0711aed4079b6e1ecd716c68d6a4f1e39a705f78b70e5ece247b15da
                                                                          • Instruction Fuzzy Hash: 2A324474A006059FCB28DF19C491A6AB7F0FF48720B15C56FE89ADB3A1EB74E941CB44
                                                                          APIs
                                                                          • CreateToolhelp32Snapshot.KERNEL32 ref: 004FA6AC
                                                                          • Process32FirstW.KERNEL32(00000000,?), ref: 004FA6BA
                                                                            • Part of subcall function 00479CB3: _wcslen.LIBCMT ref: 00479CBD
                                                                          • Process32NextW.KERNEL32(00000000,?), ref: 004FA79C
                                                                          • CloseHandle.KERNEL32(00000000), ref: 004FA7AB
                                                                            • Part of subcall function 0048CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,004B3303,?), ref: 0048CE8A
                                                                          Similarity
                                                                          • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
                                                                          • String ID:
                                                                          • API String ID: 1991900642-0
                                                                          • Opcode ID: a4fcfcb2351a248dbf98b4325ecd66ccffc05f9772bcf1f892dc924a3951f9e3
                                                                          • Instruction ID: 2833be44a6898bed500a4a20a34ef235a22d448519161ce8e3be2051d8e256cc
                                                                          • Opcode Fuzzy Hash: a4fcfcb2351a248dbf98b4325ecd66ccffc05f9772bcf1f892dc924a3951f9e3
                                                                          • Instruction Fuzzy Hash: F3511CB15083009FD710EF25C886A6FBBE8FF99758F00891EF58997252EB74D904CB96
                                                                          APIs
                                                                          • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 004DAAAC
                                                                          • SetKeyboardState.USER32(00000080), ref: 004DAAC8
                                                                          • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 004DAB36
                                                                          • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 004DAB88
                                                                          Similarity
                                                                          • API ID: KeyboardState$InputMessagePostSend
                                                                          • String ID:
                                                                          • API String ID: 432972143-0
                                                                          • Opcode ID: adf277207e91e7a5ec5c625a1b5937cf817d8f35e5a2050650bbf37233e8ed17
                                                                          • Instruction ID: e2798ae596a3af6ee5da1c089fc8117d5d3b7e42c40c2da92cd35f99352803f1
                                                                          • Opcode Fuzzy Hash: adf277207e91e7a5ec5c625a1b5937cf817d8f35e5a2050650bbf37233e8ed17
                                                                          • Instruction Fuzzy Hash: 2A310C30A40204AEEF35CB658C257FB7BA6AB45310F04431BF281553D0D37D99A6D75B
                                                                          APIs
                                                                          • InternetReadFile.WININET(?,?,00000400,?), ref: 004ECE89
                                                                          • GetLastError.KERNEL32(?,00000000), ref: 004ECEEA
                                                                          • SetEvent.KERNEL32(?,?,00000000), ref: 004ECEFE
                                                                          Similarity
                                                                          • API ID: ErrorEventFileInternetLastRead
                                                                          • String ID:
                                                                          • API String ID: 234945975-0
                                                                          • Opcode ID: 438a916bfd350bd4fffe6e53245edb653e44fcd6fd35f5945b8c2652ee5d2866
                                                                          • Instruction ID: 511edc5a3887e8c896285fc7e5f27ca6ff0b3a3f42c508f349b15a023c3bcb0d
                                                                          • Opcode Fuzzy Hash: 438a916bfd350bd4fffe6e53245edb653e44fcd6fd35f5945b8c2652ee5d2866
                                                                          • Instruction Fuzzy Hash: 3D21D171500305AFDB20DF5AC985BAB7BF8EB10315F10441FE54292251D738ED069B58
                                                                          APIs
                                                                          • lstrlenW.KERNEL32(?,004B5222), ref: 004DDBCE
                                                                          • GetFileAttributesW.KERNEL32(?), ref: 004DDBDD
                                                                          • FindFirstFileW.KERNEL32(?,?), ref: 004DDBEE
                                                                          • FindClose.KERNEL32(00000000), ref: 004DDBFA
                                                                          Similarity
                                                                          • API ID: FileFind$AttributesCloseFirstlstrlen
                                                                          • String ID:
                                                                          • API String ID: 2695905019-0
                                                                          • Opcode ID: 8885e94747f7df804867c6e06065e03534af13a2124c7e3b4c2adc5780b45602
                                                                          • Instruction ID: e5b800ddae7633de396a2619014e6981c0beefa09c4b651cefb6aefabbcb3632
                                                                          • Opcode Fuzzy Hash: 8885e94747f7df804867c6e06065e03534af13a2124c7e3b4c2adc5780b45602
                                                                          • Instruction Fuzzy Hash: 3BF0A03082091057C2206B78AC0E8BF3B6C9F42334F204703F876C22E1EBB45959D69A
                                                                          APIs
                                                                          • FindFirstFileW.KERNEL32(?,?), ref: 004E5CC1
                                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 004E5D17
                                                                          • FindClose.KERNEL32(?), ref: 004E5D5F
                                                                          Similarity
                                                                          • API ID: Find$File$CloseFirstNext
                                                                          • String ID:
                                                                          APIs
                                                                          • IsDebuggerPresent.KERNEL32 ref: 004A271A
                                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004A2724
                                                                          • UnhandledExceptionFilter.KERNEL32(?), ref: 004A2731
                                                                          Similarity
                                                                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                          • String ID:
                                                                          APIs
                                                                          • SetErrorMode.KERNEL32(00000001), ref: 004E51DA
                                                                          • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 004E5238
                                                                          • SetErrorMode.KERNEL32(00000000), ref: 004E52A1
                                                                          Similarity
                                                                          • API ID: ErrorMode$DiskFreeSpace
                                                                          • String ID:
                                                                          APIs
                                                                            • Part of subcall function 0048FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00490668
                                                                            • Part of subcall function 0048FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00490685
                                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 004D170D
                                                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 004D173A
                                                                          • GetLastError.KERNEL32 ref: 004D174A
                                                                          Similarity
                                                                          • API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                                                                          • String ID:
                                                                          APIs
                                                                          • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 004DD608
                                                                          • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 004DD645
                                                                          • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 004DD650
                                                                          Similarity
                                                                          • API ID: CloseControlCreateDeviceFileHandle
                                                                          • String ID:
                                                                          APIs
                                                                          • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 004D168C
                                                                          • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 004D16A1
                                                                          • FreeSid.ADVAPI32(?), ref: 004D16B1
                                                                          Similarity
                                                                          • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                          • String ID:
                                                                          APIs
                                                                          • GetCurrentProcess.KERNEL32(004A28E9,?,00494CBE,004A28E9,005388B8,0000000C,00494E15,004A28E9,00000002,00000000,?,004A28E9), ref: 00494D09
                                                                          • TerminateProcess.KERNEL32(00000000,?,00494CBE,004A28E9,005388B8,0000000C,00494E15,004A28E9,00000002,00000000,?,004A28E9), ref: 00494D10
                                                                          • ExitProcess.KERNEL32 ref: 00494D22
                                                                          Similarity
                                                                          • API ID: Process$CurrentExitTerminate
                                                                          • String ID:
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: /
                                                                          APIs
                                                                          • GetUserNameW.ADVAPI32(?,?), ref: 004CD28C
                                                                          Similarity
                                                                          • API ID: NameUser
                                                                          • String ID: X64
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: Variable is not of type 'Object'.$p#T
                                                                          APIs
                                                                          • FindFirstFileW.KERNEL32(?,?), ref: 004E6918
                                                                          • FindClose.KERNEL32(00000000), ref: 004E6961
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Find$CloseFileFirst
                                                                          • String ID:
                                                                          • API String ID: 2295610775-0
                                                                          • Opcode ID: e5498c3f6ad93921122a1a139cc10458eed299905c4386ab379444f24b270301
                                                                          • Instruction ID: b5c36253c56810442aa49081718d891614c3c46d7724f2367a359b4c40eb0eb9
                                                                          • Opcode Fuzzy Hash: e5498c3f6ad93921122a1a139cc10458eed299905c4386ab379444f24b270301
                                                                          • Instruction Fuzzy Hash: E211BE756042419FC710DF2AC484A1ABBE1EF85329F15C69EE4698F7A2C734EC05CB91
                                                                          APIs
                                                                          • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,004F4891,?,?,00000035,?), ref: 004E37E4
                                                                          • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,004F4891,?,?,00000035,?), ref: 004E37F4
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorFormatLastMessage
                                                                          • String ID:
                                                                          • API String ID: 3479602957-0
                                                                          • Opcode ID: 827fabef39d8d870c8cb509090880ecb958a49602f9d89f0cb56fdef84d621da
                                                                          • Instruction ID: ba2889a00e33a3296c419c00f1870b7f8d5577edd47add23e7af6f635019cbab
                                                                          • Opcode Fuzzy Hash: 827fabef39d8d870c8cb509090880ecb958a49602f9d89f0cb56fdef84d621da
                                                                          • Instruction Fuzzy Hash: 2FF05C706002142AD72017674C4CFEB7A9DDFC5762F00022AF109D3280C5604D04C6B4
                                                                          APIs
                                                                          • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 004DB25D
                                                                          • keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 004DB270
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: InputSendkeybd_event
                                                                          • String ID:
                                                                          • API String ID: 3536248340-0
                                                                          • Opcode ID: 1ef27eba9d8ee38937fcb26efe0edec434be44981ec516dde47df3ee7cb4073a
                                                                          • Instruction ID: 642d378b55bd597ce691d4286d203acebe1a4bf71aef72d54baab7705d4cd0d5
                                                                          • Opcode Fuzzy Hash: 1ef27eba9d8ee38937fcb26efe0edec434be44981ec516dde47df3ee7cb4073a
                                                                          • Instruction Fuzzy Hash: FAF01D7580424DABDB059FA0C806BAE7FB4FF05305F00804AF955A5291C37986159F94
                                                                          APIs
                                                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004D11FC), ref: 004D10D4
                                                                          • CloseHandle.KERNEL32(?,?,004D11FC), ref: 004D10E9
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: AdjustCloseHandlePrivilegesToken
                                                                          • String ID:
                                                                          • API String ID: 81990902-0
                                                                          • Opcode ID: 146c1bbab52285b3e20fdee76d1a7b2b0f7ed11d7bf20edf94824fc58f178d19
                                                                          • Instruction ID: 1b93297f0e6f6bd26864825b3bc8681f823e18d9487f13a2c7465e5a88f7e2ad
                                                                          • Opcode Fuzzy Hash: 146c1bbab52285b3e20fdee76d1a7b2b0f7ed11d7bf20edf94824fc58f178d19
                                                                          • Instruction Fuzzy Hash: C3E04F32014600EEE7252B11FC09E7B7BE9EB04310B10892EF5A6805B1DB626CA4EB14
                                                                          APIs
                                                                          • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004A6766,?,?,00000008,?,?,004AFEFE,00000000), ref: 004A6998
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionRaise
                                                                          • String ID:
                                                                          • API String ID: 3997070919-0
                                                                          • Opcode ID: e2a4c42b4943d3c3e045a3979ddfede52119fd9f4e26c7f53993898c12f5fea8
                                                                          • Instruction ID: 7f5facac500619a4bbb2d457943e15993d293cb1c4f8a0b554624891b7bdb28a
                                                                          • Opcode Fuzzy Hash: e2a4c42b4943d3c3e045a3979ddfede52119fd9f4e26c7f53993898c12f5fea8
                                                                          • Instruction Fuzzy Hash: DBB15D716106089FD715CF28C48AB667BE0FF16364F2A865DE899CF2A1C339D992CB44
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID: 0-3916222277
                                                                          • Opcode ID: 42986f747aef5da1225b8a39a6f328adab294fcbd7609416a78b976ecd6f8012
                                                                          • Instruction ID: 7dcbc91222f533880d8cc3a3db9d94e32ad18e0eadbbb4f052c5708a11903e0c
                                                                          • Opcode Fuzzy Hash: 42986f747aef5da1225b8a39a6f328adab294fcbd7609416a78b976ecd6f8012
                                                                          • Instruction Fuzzy Hash: D6126F759002299FCB54DF58C881BEEB7B5FF48710F14859BE809EB251DB389E81CB94
                                                                          APIs
                                                                          • BlockInput.USER32(00000001), ref: 004EEABD
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: BlockInput
                                                                          • String ID:
                                                                          • API String ID: 3456056419-0
                                                                          • Opcode ID: e445a2ba84b749deeaa7bdbc471cda796d91a4e142dd69f8ee9f5f2eb1069989
                                                                          • Instruction ID: 4c555fd026f450e56b1e55e3f1a6857d8436146f6f55f5f645b396af3298beb2
                                                                          • Opcode Fuzzy Hash: e445a2ba84b749deeaa7bdbc471cda796d91a4e142dd69f8ee9f5f2eb1069989
                                                                          • Instruction Fuzzy Hash: 9EE01A31200204AFC710EF6BD844E9ABBE9AF99764F00842BFC49C7391DB74A8418B95
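Every function record in this section has the same shape: an APIs list of `Name.MODULE(args), ref: address` lines, the memory dump source, and the similarity fields (API ID, String ID, Opcode ID, Instruction ID, fuzzy hashes), with the Instruction Fuzzy Hash line closing the record. The script below is an added example written for this page; it is not part of the Joe Sandbox report or its IDA plugin. It parses records in that shape and flags calls to a small watchlist of the APIs listed in this section (BlockInput, AdjustTokenPrivileges, SetUnhandledExceptionFilter, SendInput and keybd_event, FindFirstFileW). SAMPLE_RECORDS is a constructed excerpt copied from the records above with the Associated dump lines dropped, and the WATCHLIST reasons are the editor's triage notes, not report output.

```python
"""Triage Joe Sandbox IDA-plugin function records by the APIs they reference.

Added example for this page, not part of the Joe Sandbox report. SAMPLE_RECORDS
is a constructed excerpt of the page's records; WATCHLIST is the editor's own.
"""
import re
from dataclasses import dataclass, field

SAMPLE_RECORDS = """\
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 004E6918
• FindClose.KERNEL32(00000000), ref: 004E6961
Similarity
• API ID: Find$CloseFileFirst
• Opcode ID: e5498c3f6ad93921122a1a139cc10458eed299905c4386ab379444f24b270301
• Instruction Fuzzy Hash: E211BE756042419FC710DF2AC484A1ABBE1EF85329F15C69EE4698F7A2C734EC05CB91
APIs
• SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 004DB25D
• keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 004DB270
• API ID: InputSendkeybd_event
• Opcode ID: 1ef27eba9d8ee38937fcb26efe0edec434be44981ec516dde47df3ee7cb4073a
• Instruction Fuzzy Hash: FAF01D7580424DABDB059FA0C806BAE7FB4FF05305F00804AF955A5291C37986159F94
APIs
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004D11FC), ref: 004D10D4
• CloseHandle.KERNEL32(?,?,004D11FC), ref: 004D10E9
• API ID: AdjustCloseHandlePrivilegesToken
• Opcode ID: 146c1bbab52285b3e20fdee76d1a7b2b0f7ed11d7bf20edf94824fc58f178d19
• Instruction Fuzzy Hash: C3E04F32014600EEE7252B11FC09E7B7BE9EB04310B10892EF5A6805B1DB626CA4EB14
APIs
• BlockInput.USER32(00000001), ref: 004EEABD
• API ID: BlockInput
• Opcode ID: e445a2ba84b749deeaa7bdbc471cda796d91a4e142dd69f8ee9f5f2eb1069989
• Instruction Fuzzy Hash: 9EE01A31200204AFC710EF6BD844E9ABBE9AF99764F00842BFC49C7391DB74A8418B95
Strings
• API ID:
• String ID: 0
• Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
• Instruction Fuzzy Hash: 4A5113A163C6055AEF38E669889D7BF2F85DB42344F18093BD88297382C61DDE06D35E
"""

# One "• Name.MODULE(args), ref: ADDRESS" line as the report prints it.
API_LINE = re.compile(r"^•\s*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]{8})$")
# Any other "• Key: value" field line (API ID, Opcode ID, Source File, ...).
FIELD_LINE = re.compile(r"^•\s*([A-Za-z ]+?):\s*(.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: str
    ref: str  # call-site address inside the dumped image, hex as printed


@dataclass
class FunctionRecord:
    api_id: str = ""
    opcode_id: str = ""
    apis: list = field(default_factory=list)


def parse_records(text):
    """One FunctionRecord per analysed function; the Instruction Fuzzy Hash
    line (possibly empty, as on this page) terminates each record."""
    records, current = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()
        m = API_LINE.match(line)
        if m:
            current.apis.append(ApiCall(*m.groups()))
            continue
        m = FIELD_LINE.match(line)
        if not m:
            continue  # section headers such as APIs / Strings / Similarity
        key, value = m.group(1), m.group(2).strip()
        if key == "API ID":
            current.api_id = value
        elif key == "Opcode ID":
            current.opcode_id = value
        elif key == "Instruction Fuzzy Hash":
            records.append(current)
            current = FunctionRecord()
    return records


# Editor's triage notes for APIs seen in this section (assumption, not report data).
WATCHLIST = {
    "BlockInput": "blocks keyboard and mouse input; hinders interactive debugging",
    "AdjustTokenPrivileges": "enables or drops token privileges",
    "SetUnhandledExceptionFilter": "installs a top-level exception filter; common anti-debug trick",
    "SendInput": "synthesizes keyboard or mouse input",
    "keybd_event": "synthesizes keyboard input",
    "FindFirstFileW": "enumerates files by pattern (directory walking)",
}


def flag_calls(records, watchlist=WATCHLIST):
    """Return (opcode_id, api, ref, reason) for every watchlisted call, in report order."""
    return [
        (rec.opcode_id, call.name, call.ref, watchlist[call.name])
        for rec in records
        for call in rec.apis
        if call.name in watchlist
    ]


if __name__ == "__main__":
    for opcode_id, api, ref, reason in flag_calls(parse_records(SAMPLE_RECORDS)):
        print(f"{opcode_id[:16]}  {api:<24} @ {ref}  {reason}")
```

A hit means the capability is present in the dumped image, not that the embedded script body uses it: interpreters such as the AutoIt runtime implement BlockInput(), Send() (via SendInput/keybd_event) and shutdown privilege adjustment as built-ins, so the interpreter itself carries these references. Treat the flagged opcode IDs as places to start reading, and correlate them with the dynamic behaviour the report records.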
                                                                          APIs
                                                                          • SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,004903EE), ref: 004909DA
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFilterUnhandled
                                                                          • String ID:
                                                                          • API String ID: 3192549508-0
                                                                          • Opcode ID: e44d2b2d5ab2048c99f9d9e07b443abca4f4950fb2ade50f3bec88928d4c0b37
                                                                          • Instruction ID: 229da2da639e2117a622fc914b35f8fd352f5341fad6e4a413bc482743502d3d
                                                                          • Opcode Fuzzy Hash: e44d2b2d5ab2048c99f9d9e07b443abca4f4950fb2ade50f3bec88928d4c0b37
                                                                          • Instruction Fuzzy Hash:
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: 0
                                                                          • API String ID: 0-4108050209
                                                                          • Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                                                          • Instruction ID: c0d6977a491d5e5ab168146f9bf2e32c85bb4f8bd67a0d15dca91974692d9f58
                                                                          • Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                                                          • Instruction Fuzzy Hash: 4A5113A163C6055AEF38E669889D7BF2F85DB42344F18093BD88297382C61DDE06D35E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: 0&T
                                                                          • API String ID: 0-1962027595
                                                                          • Opcode ID: 5f81ef7029f2cbdcee1e558265b644e10609613b13fbeb356fbf6cd93205b0d1
                                                                          • Instruction ID: 002f98e614d521b53f73e2985056ffd7cfad467afbc9fc68202f6ec7d86ddfef
                                                                          • Opcode Fuzzy Hash: 5f81ef7029f2cbdcee1e558265b644e10609613b13fbeb356fbf6cd93205b0d1
                                                                          • Instruction Fuzzy Hash: 19212B322201108BD728CF7AC9136BE73E9A764314F558A2EE4A3C37C0DE79A904D784
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 924e5d974267278247ab6e60cc120f9bf1f1f09cd826890a8eee4b9e6510756f
                                                                          • Instruction ID: f4c7e2c35f2d3a63c6ca2315a44a985e4f3ddd255a12d4cb541841ad5bc34975
                                                                          • Opcode Fuzzy Hash: 924e5d974267278247ab6e60cc120f9bf1f1f09cd826890a8eee4b9e6510756f
                                                                          • Instruction Fuzzy Hash: F0322122D29F014DD7239634DC22336A68DAFB73C5F15D737E81AB5EAAEB29C4835104
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          APIs
                                                                          • DeleteObject.GDI32(00000000), ref: 004F2B30
                                                                          • DeleteObject.GDI32(00000000), ref: 004F2B43
                                                                          • DestroyWindow.USER32 ref: 004F2B52
                                                                          • GetDesktopWindow.USER32 ref: 004F2B6D
                                                                          • GetWindowRect.USER32(00000000), ref: 004F2B74
                                                                          • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 004F2CA3
                                                                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 004F2CB1
                                                                          • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004F2CF8
                                                                          • GetClientRect.USER32(00000000,?), ref: 004F2D04
                                                                          • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 004F2D40
                                                                          • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004F2D62
                                                                          • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004F2D75
                                                                          • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004F2D80
                                                                          • GlobalLock.KERNEL32(00000000), ref: 004F2D89
                                                                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004F2D98
                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 004F2DA1
                                                                          • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004F2DA8
                                                                          • GlobalFree.KERNEL32(00000000), ref: 004F2DB3
                                                                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004F2DC5
                                                                          • OleLoadPicture.OLEAUT32(?,00000000,00000000,0050FC38,00000000), ref: 004F2DDB
                                                                          • GlobalFree.KERNEL32(00000000), ref: 004F2DEB
                                                                          • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 004F2E11
                                                                          • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 004F2E30
                                                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004F2E52
                                                                          • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004F303F
                                                                          Similarity
                                                                          • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                          • String ID: $AutoIt v3$DISPLAY$static
                                                                          • API String ID: 2211948467-2373415609
                                                                          APIs
                                                                          • SetTextColor.GDI32(?,00000000), ref: 0050712F
                                                                          • GetSysColorBrush.USER32(0000000F), ref: 00507160
                                                                          • GetSysColor.USER32(0000000F), ref: 0050716C
                                                                          • SetBkColor.GDI32(?,000000FF), ref: 00507186
                                                                          • SelectObject.GDI32(?,?), ref: 00507195
                                                                          • InflateRect.USER32(?,000000FF,000000FF), ref: 005071C0
                                                                          • GetSysColor.USER32(00000010), ref: 005071C8
                                                                          • CreateSolidBrush.GDI32(00000000), ref: 005071CF
                                                                          • FrameRect.USER32(?,?,00000000), ref: 005071DE
                                                                          • DeleteObject.GDI32(00000000), ref: 005071E5
                                                                          • InflateRect.USER32(?,000000FE,000000FE), ref: 00507230
                                                                          • FillRect.USER32(?,?,?), ref: 00507262
                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00507284
                                                                            • Part of subcall function 005073E8: GetSysColor.USER32(00000012), ref: 00507421
                                                                            • Part of subcall function 005073E8: SetTextColor.GDI32(?,?), ref: 00507425
                                                                            • Part of subcall function 005073E8: GetSysColorBrush.USER32(0000000F), ref: 0050743B
                                                                            • Part of subcall function 005073E8: GetSysColor.USER32(0000000F), ref: 00507446
                                                                            • Part of subcall function 005073E8: GetSysColor.USER32(00000011), ref: 00507463
                                                                            • Part of subcall function 005073E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00507471
                                                                            • Part of subcall function 005073E8: SelectObject.GDI32(?,00000000), ref: 00507482
                                                                            • Part of subcall function 005073E8: SetBkColor.GDI32(?,00000000), ref: 0050748B
                                                                            • Part of subcall function 005073E8: SelectObject.GDI32(?,?), ref: 00507498
                                                                            • Part of subcall function 005073E8: InflateRect.USER32(?,000000FF,000000FF), ref: 005074B7
                                                                            • Part of subcall function 005073E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 005074CE
                                                                            • Part of subcall function 005073E8: GetWindowLongW.USER32(00000000,000000F0), ref: 005074DB
                                                                          Similarity
                                                                          • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                                                          • String ID:
                                                                          • API String ID: 4124339563-0
                                                                          • Opcode ID: e91d2e597209b30b73da173f675b4808fc560d33a4f06e2a95803ebc07224cf1
                                                                          • Instruction ID: bbd7800c65417a87e1334c053de96f87b89253bf4895fc671e228418217c4b77
                                                                          • Opcode Fuzzy Hash: e91d2e597209b30b73da173f675b4808fc560d33a4f06e2a95803ebc07224cf1
                                                                          • Instruction Fuzzy Hash: 2DA1AF76408306AFDB109F64DC48A6F7FA9FF9A320F100B19F962961E1D731E948DB51
                                                                          APIs
                                                                          • DestroyWindow.USER32(?,?), ref: 00488E14
                                                                          • SendMessageW.USER32(?,00001308,?,00000000), ref: 004C6AC5
                                                                          • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 004C6AFE
                                                                          • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004C6F43
                                                                            • Part of subcall function 00488F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00488BE8,?,00000000,?,?,?,?,00488BBA,00000000,?), ref: 00488FC5
                                                                          • SendMessageW.USER32(?,00001053), ref: 004C6F7F
                                                                          • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 004C6F96
                                                                          • ImageList_Destroy.COMCTL32(00000000,?), ref: 004C6FAC
                                                                          • ImageList_Destroy.COMCTL32(00000000,?), ref: 004C6FB7
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                           • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
                                                                          • String ID: 0
                                                                          • API String ID: 2760611726-4108050209
                                                                          • Opcode ID: b73ecaaf743d58781997c37bda4f4a390afbbe746070d4fb8367df7704569939
                                                                          • Instruction ID: 9b617b17e55d7d5bdaa55607a9c5899dabf440afbe464ee5bc9b95035f767cb6
                                                                          • Opcode Fuzzy Hash: b73ecaaf743d58781997c37bda4f4a390afbbe746070d4fb8367df7704569939
                                                                          • Instruction Fuzzy Hash: 1A12DC382006019FCB64DF24C844FBABBE1FB59304F55896EE485CB261CB39EC96DB59
                                                                          APIs
                                                                          • DestroyWindow.USER32(00000000), ref: 004F273E
                                                                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004F286A
                                                                          • SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 004F28A9
                                                                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 004F28B9
                                                                          • CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 004F2900
                                                                          • GetClientRect.USER32(00000000,?), ref: 004F290C
                                                                          • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 004F2955
                                                                          • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004F2964
                                                                          • GetStockObject.GDI32(00000011), ref: 004F2974
                                                                          • SelectObject.GDI32(00000000,00000000), ref: 004F2978
                                                                          • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 004F2988
                                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004F2991
                                                                          • DeleteDC.GDI32(00000000), ref: 004F299A
                                                                          • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004F29C6
                                                                          • SendMessageW.USER32(00000030,00000000,00000001), ref: 004F29DD
                                                                          • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 004F2A1D
                                                                          • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 004F2A31
                                                                          • SendMessageW.USER32(00000404,00000001,00000000), ref: 004F2A42
                                                                          • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 004F2A77
                                                                          • GetStockObject.GDI32(00000011), ref: 004F2A82
                                                                          • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 004F2A8D
                                                                          • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 004F2A97
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                           • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                          • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                          • API String ID: 2910397461-517079104
                                                                          • Opcode ID: 381e0339cfc5708c17363e4ca4368ce5dec7b08463b1480a4b3b49c67ef9284f
                                                                          • Instruction ID: e6b3a28c258c30203b9e0ba342cc9ac1a29afd81eb96f8f826a84a1783a4d0c2
                                                                          • Opcode Fuzzy Hash: 381e0339cfc5708c17363e4ca4368ce5dec7b08463b1480a4b3b49c67ef9284f
                                                                          • Instruction Fuzzy Hash: 5CB18D75A00209BFEB10DFA8CD45FAE7BA9EB09714F008619FA15E72D0D774AD44CB94
                                                                          APIs
                                                                          • SetErrorMode.KERNEL32(00000001), ref: 004E4AED
                                                                          • GetDriveTypeW.KERNEL32(?,0050CB68,?,\\.\,0050CC08), ref: 004E4BCA
                                                                          • SetErrorMode.KERNEL32(00000000,0050CB68,?,\\.\,0050CC08), ref: 004E4D36
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                           • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorMode$DriveType
                                                                          • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                          • API String ID: 2907320926-4222207086
                                                                          • Opcode ID: 4330017dc0f5556c32d4fd7612cb3ae82c8dc02f29d0615244746f0379e7911e
                                                                          • Instruction ID: bec797f404f64bc2a8d0ac712a977249236b126bee90154083472bdee5b213d5
                                                                          • Opcode Fuzzy Hash: 4330017dc0f5556c32d4fd7612cb3ae82c8dc02f29d0615244746f0379e7911e
                                                                          • Instruction Fuzzy Hash: BA61C330601145ABCB04DF16C9819AD7BA0BB85306B35851BE80AAB751DB3DED42DB5A
                                                                          APIs
                                                                          • GetSysColor.USER32(00000012), ref: 00507421
                                                                          • SetTextColor.GDI32(?,?), ref: 00507425
                                                                          • GetSysColorBrush.USER32(0000000F), ref: 0050743B
                                                                          • GetSysColor.USER32(0000000F), ref: 00507446
                                                                          • CreateSolidBrush.GDI32(?), ref: 0050744B
                                                                          • GetSysColor.USER32(00000011), ref: 00507463
                                                                          • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00507471
                                                                          • SelectObject.GDI32(?,00000000), ref: 00507482
                                                                          • SetBkColor.GDI32(?,00000000), ref: 0050748B
                                                                          • SelectObject.GDI32(?,?), ref: 00507498
                                                                          • InflateRect.USER32(?,000000FF,000000FF), ref: 005074B7
                                                                          • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 005074CE
                                                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 005074DB
                                                                          • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0050752A
                                                                          • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00507554
                                                                          • InflateRect.USER32(?,000000FD,000000FD), ref: 00507572
                                                                          • DrawFocusRect.USER32(?,?), ref: 0050757D
                                                                          • GetSysColor.USER32(00000011), ref: 0050758E
                                                                          • SetTextColor.GDI32(?,00000000), ref: 00507596
                                                                          • DrawTextW.USER32(?,005070F5,000000FF,?,00000000), ref: 005075A8
                                                                          • SelectObject.GDI32(?,?), ref: 005075BF
                                                                          • DeleteObject.GDI32(?), ref: 005075CA
                                                                          • SelectObject.GDI32(?,?), ref: 005075D0
                                                                          • DeleteObject.GDI32(?), ref: 005075D5
                                                                          • SetTextColor.GDI32(?,?), ref: 005075DB
                                                                          • SetBkColor.GDI32(?,?), ref: 005075E5
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                           • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                          • String ID:
                                                                          • API String ID: 1996641542-0
                                                                          • Opcode ID: 8c1d41a936deb4acba85ef46c251ac1bee2eb824cb2a906f0a43ae7a3041b355
                                                                          • Instruction ID: 02a186dbade919a13c23a9bafbaa47cf517eaca337852e65a3a640246d4b74dc
                                                                          • Opcode Fuzzy Hash: 8c1d41a936deb4acba85ef46c251ac1bee2eb824cb2a906f0a43ae7a3041b355
                                                                          • Instruction Fuzzy Hash: FC617976D00218AFDF019FA4DC48AEEBFB9FB0A320F144615F911AB2E1D774A940DB90
                                                                          APIs
                                                                          • GetCursorPos.USER32(?), ref: 00501128
                                                                          • GetDesktopWindow.USER32 ref: 0050113D
                                                                          • GetWindowRect.USER32(00000000), ref: 00501144
                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00501199
                                                                          • DestroyWindow.USER32(?), ref: 005011B9
                                                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 005011ED
                                                                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0050120B
                                                                          • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0050121D
                                                                          • SendMessageW.USER32(00000000,00000421,?,?), ref: 00501232
                                                                          • SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00501245
                                                                          • IsWindowVisible.USER32(00000000), ref: 005012A1
                                                                          • SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 005012BC
                                                                          • SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 005012D0
                                                                          • GetWindowRect.USER32(00000000,?), ref: 005012E8
                                                                          • MonitorFromPoint.USER32(?,?,00000002), ref: 0050130E
                                                                          • GetMonitorInfoW.USER32(00000000,?), ref: 00501328
                                                                          • CopyRect.USER32(?,?), ref: 0050133F
                                                                          • SendMessageW.USER32(00000000,00000412,00000000), ref: 005013AA
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                           • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                          • String ID: ($0$tooltips_class32
                                                                          • API String ID: 698492251-4156429822
                                                                          • Opcode ID: c95c65180b62c4a07389aa6813809e090686557e106aef1a7787aa01fa74a6c0
                                                                          • Instruction ID: d37f2b257eb1106737e965b9766fee60c987c4a632c805882f04d47ade7f9bd8
                                                                          • Opcode Fuzzy Hash: c95c65180b62c4a07389aa6813809e090686557e106aef1a7787aa01fa74a6c0
                                                                          • Instruction Fuzzy Hash: 44B16771604741AFD714DF65C888BAEBBE4FB84744F00891DF9999B2A1CB31E844CB9A
                                                                          APIs
                                                                          • CharUpperBuffW.USER32(?,?), ref: 005002E5
                                                                          • _wcslen.LIBCMT ref: 0050031F
                                                                          • _wcslen.LIBCMT ref: 00500389
                                                                          • _wcslen.LIBCMT ref: 005003F1
                                                                          • _wcslen.LIBCMT ref: 00500475
                                                                          • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 005004C5
                                                                          • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00500504
                                                                            • Part of subcall function 0048F9F2: _wcslen.LIBCMT ref: 0048F9FD
                                                                            • Part of subcall function 004D223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004D2258
                                                                            • Part of subcall function 004D223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 004D228A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                           • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: _wcslen$MessageSend$BuffCharUpper
                                                                          • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                                          • API String ID: 1103490817-719923060
                                                                          • Opcode ID: 0c403f98302c2908b7d34ca95fdd8e9b1080ee91f3e1a5b44d4808d168e613b1
                                                                          • Instruction ID: e395fc6169ba717abd77e66eb8e2e60ad788cb640431e9c46cac981b22c854c1
                                                                          • Opcode Fuzzy Hash: 0c403f98302c2908b7d34ca95fdd8e9b1080ee91f3e1a5b44d4808d168e613b1
                                                                          • Instruction Fuzzy Hash: E0E1DF712082059FCB24DF25C550A6EBBE2FF88318F14995EF89A9B2E1DB34ED45CB41
                                                                          APIs
                                                                          • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00488968
                                                                          • GetSystemMetrics.USER32(00000007), ref: 00488970
                                                                          • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0048899B
                                                                          • GetSystemMetrics.USER32(00000008), ref: 004889A3
                                                                          • GetSystemMetrics.USER32(00000004), ref: 004889C8
                                                                          • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 004889E5
                                                                          • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 004889F5
                                                                          • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00488A28
                                                                          • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00488A3C
                                                                          • GetClientRect.USER32(00000000,000000FF), ref: 00488A5A
                                                                          • GetStockObject.GDI32(00000011), ref: 00488A76
                                                                          • SendMessageW.USER32(00000000,00000030,00000000), ref: 00488A81
                                                                            • Part of subcall function 0048912D: GetCursorPos.USER32(?), ref: 00489141
                                                                            • Part of subcall function 0048912D: ScreenToClient.USER32(00000000,?), ref: 0048915E
                                                                            • Part of subcall function 0048912D: GetAsyncKeyState.USER32(00000001), ref: 00489183
                                                                            • Part of subcall function 0048912D: GetAsyncKeyState.USER32(00000002), ref: 0048919D
                                                                          • SetTimer.USER32(00000000,00000000,00000028,004890FC), ref: 00488AA8
                                                                          Strings
                                                                          • AutoIt v3 GUI, xrefs: 00488A20
                                                                          • 047b34541495fff38564b61b03a3648b35e555a09b9434844b7395a38a84d464e1e72494d58ae545747b3454549105e3856411fb038364865a9505a5bb9444944b, xrefs: 004C67BA
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                          • String ID: 047b34541495fff38564b61b03a3648b35e555a09b9434844b7395a38a84d464e1e72494d58ae545747b3454549105e3856411fb038364865a9505a5bb9444944b$AutoIt v3 GUI
                                                                          • API String ID: 1458621304-3501398320
                                                                          • Opcode ID: e03d6646a25b389c0d4b61f88a08d6d5da962dc0b56f1cbe320447c1c33d6231
                                                                          • Instruction ID: ce94df75b962b748732101d83eb325fe8ccc15da656636364a7f03e2b0cc99ae
                                                                          • Opcode Fuzzy Hash: e03d6646a25b389c0d4b61f88a08d6d5da962dc0b56f1cbe320447c1c33d6231
                                                                          • Instruction Fuzzy Hash: C9B18E79A002099FDB14EF68CC45BEE3BB5FB48314F11462AFA15A7290DB38A841DF59
                                                                          APIs
                                                                            • Part of subcall function 004D10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 004D1114
                                                                            • Part of subcall function 004D10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,004D0B9B,?,?,?), ref: 004D1120
                                                                            • Part of subcall function 004D10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,004D0B9B,?,?,?), ref: 004D112F
                                                                            • Part of subcall function 004D10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,004D0B9B,?,?,?), ref: 004D1136
                                                                            • Part of subcall function 004D10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 004D114D
                                                                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 004D0DF5
                                                                          • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004D0E29
                                                                          • GetLengthSid.ADVAPI32(?), ref: 004D0E40
                                                                          • GetAce.ADVAPI32(?,00000000,?), ref: 004D0E7A
                                                                          • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 004D0E96
                                                                          • GetLengthSid.ADVAPI32(?), ref: 004D0EAD
                                                                          • GetProcessHeap.KERNEL32(00000008,00000008), ref: 004D0EB5
                                                                          • HeapAlloc.KERNEL32(00000000), ref: 004D0EBC
                                                                          • GetLengthSid.ADVAPI32(?,00000008,?), ref: 004D0EDD
                                                                          • CopySid.ADVAPI32(00000000), ref: 004D0EE4
                                                                          • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004D0F13
                                                                          • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004D0F35
                                                                          • SetUserObjectSecurity.USER32(?,00000004,?), ref: 004D0F47
                                                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 004D0F6E
                                                                          • HeapFree.KERNEL32(00000000), ref: 004D0F75
                                                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 004D0F7E
                                                                          • HeapFree.KERNEL32(00000000), ref: 004D0F85
                                                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 004D0F8E
                                                                          • HeapFree.KERNEL32(00000000), ref: 004D0F95
                                                                          • GetProcessHeap.KERNEL32(00000000,?), ref: 004D0FA1
                                                                          • HeapFree.KERNEL32(00000000), ref: 004D0FA8
                                                                            • Part of subcall function 004D1193: GetProcessHeap.KERNEL32(00000008,004D0BB1,?,00000000,?,004D0BB1,?), ref: 004D11A1
                                                                            • Part of subcall function 004D1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,004D0BB1,?), ref: 004D11A8
                                                                            • Part of subcall function 004D1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,004D0BB1,?), ref: 004D11B7
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                                          • String ID:
                                                                          • API String ID: 4175595110-0
                                                                          • Opcode ID: e30bce50480fb6c33bc395661610ed51d63c1a8771b25a583243cb690e463512
                                                                          • Instruction ID: bb3bcdbdc316accf112743a502c5c023a4cd2ce63aa5cb866b439022c49eb137
                                                                          • Opcode Fuzzy Hash: e30bce50480fb6c33bc395661610ed51d63c1a8771b25a583243cb690e463512
                                                                          • Instruction Fuzzy Hash: BC716C7290020AABDF209FA5DC58FEFBBB8BF15300F14421AF919A7291D775D909CB64
                                                                          APIs
                                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004FC4BD
                                                                          • RegCreateKeyExW.ADVAPI32(?,?,00000000,0050CC08,00000000,?,00000000,?,?), ref: 004FC544
                                                                          • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 004FC5A4
                                                                          • _wcslen.LIBCMT ref: 004FC5F4
                                                                          • _wcslen.LIBCMT ref: 004FC66F
                                                                          • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 004FC6B2
                                                                          • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 004FC7C1
                                                                          • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 004FC84D
                                                                          • RegCloseKey.ADVAPI32(?), ref: 004FC881
                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 004FC88E
                                                                          • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 004FC960
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                                                                          • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                          • API String ID: 9721498-966354055
                                                                          • Opcode ID: ce8dca87f879644c8c115f0dd3e0ec7094c385aa7614a3aa7a8cbf2a95e3d8e2
                                                                          • Instruction ID: 8b8b140ed84fa1fb4d6ce41b09c5ecb0bf6b7b03db863301848d5ee26a16d9d4
                                                                          • Opcode Fuzzy Hash: ce8dca87f879644c8c115f0dd3e0ec7094c385aa7614a3aa7a8cbf2a95e3d8e2
                                                                          • Instruction Fuzzy Hash: 53129D316042059FC714DF15C981E6ABBE5FF88758F14885EF94A9B3A2DB39EC01CB89
                                                                          APIs
                                                                          • CharUpperBuffW.USER32(?,?), ref: 005009C6
                                                                          • _wcslen.LIBCMT ref: 00500A01
                                                                          • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00500A54
                                                                          • _wcslen.LIBCMT ref: 00500A8A
                                                                          • _wcslen.LIBCMT ref: 00500B06
                                                                          • _wcslen.LIBCMT ref: 00500B81
                                                                            • Part of subcall function 0048F9F2: _wcslen.LIBCMT ref: 0048F9FD
                                                                            • Part of subcall function 004D2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004D2BFA
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: _wcslen$MessageSend$BuffCharUpper
                                                                          • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                          • API String ID: 1103490817-4258414348
                                                                          • Opcode ID: c06283fb7da015fe9410a50c18539b5b979f37479363047abe20e22d54e10480
                                                                          • Instruction ID: 81e6e6d2316d146a77e613afbf4c4e3950a00e24d0aff2f17b7349bb8e761c4a
                                                                          • Opcode Fuzzy Hash: c06283fb7da015fe9410a50c18539b5b979f37479363047abe20e22d54e10480
                                                                          • Instruction Fuzzy Hash: 44E177712083019FC714EF25C450A6EBBE1BF98318F14895EE89A9B3E2DB34ED45CB95
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: _wcslen$BuffCharUpper
                                                                          • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                          • API String ID: 1256254125-909552448
                                                                          • Opcode ID: cfaf9a9b40bc876bb430664fa956a4f25761bd3c4e5d8bcc5eee419349cb6e36
                                                                          • Instruction ID: 4373094494b1a0179f766a249ba9dae95fc95158476296e3ceea0560c00bf100
                                                                          • Opcode Fuzzy Hash: cfaf9a9b40bc876bb430664fa956a4f25761bd3c4e5d8bcc5eee419349cb6e36
                                                                          • Instruction Fuzzy Hash: 10713772A0016E8BCB20DE3DDA816BF3391AFA0754F11052AFE5597384E63DED45C3A8
                                                                          APIs
                                                                          • _wcslen.LIBCMT ref: 0050835A
                                                                          • _wcslen.LIBCMT ref: 0050836E
                                                                          • _wcslen.LIBCMT ref: 00508391
                                                                          • _wcslen.LIBCMT ref: 005083B4
                                                                          • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 005083F2
                                                                          • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00505BF2), ref: 0050844E
                                                                          • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00508487
                                                                          • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 005084CA
                                                                          • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00508501
                                                                          • FreeLibrary.KERNEL32(?), ref: 0050850D
                                                                          • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0050851D
                                                                          • DestroyIcon.USER32(?,?,?,?,?,00505BF2), ref: 0050852C
                                                                          • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00508549
                                                                          • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00508555
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                                                                          • String ID: .dll$.exe$.icl
                                                                          • API String ID: 799131459-1154884017
                                                                          • Opcode ID: 4239bf586ce5fba6bc606b112a1bb6146d7673f89f93c324dcda756c99f8b809
                                                                          • Instruction ID: 5763da7ecb7b380d51c35c311be98f3c120742172de5159ad2c6fe82614408ca
                                                                          • Opcode Fuzzy Hash: 4239bf586ce5fba6bc606b112a1bb6146d7673f89f93c324dcda756c99f8b809
                                                                          • Instruction Fuzzy Hash: 8661E071900219BAEF14CF64CC81FBE7FA8BB49B25F10461AF855D61D1DB78A980DBA0
                                                                          APIs
                                                                          • InitializeCriticalSectionAndSpinCount.KERNEL32(0054070C,00000FA0,802D3AA9), ref: 0049011C
                                                                          • GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll), ref: 00490127
                                                                          • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00490138
                                                                          • GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0049014E
                                                                          • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0049015C
                                                                          • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0049016A
                                                                          • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00490195
                                                                          • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 004901A0
                                                                          • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 004901B5
                                                                          • ___scrt_fastfail.LIBCMT ref: 004901D6
                                                                          • DeleteCriticalSection.KERNEL32(0054070C,00000007), ref: 004901E1
                                                                          • CloseHandle.KERNEL32(00000000), ref: 004901F1
                                                                          Strings
                                                                          • WakeAllConditionVariable, xrefs: 00490162
                                                                          • kernel32.dll, xrefs: 00490133
                                                                          • SleepConditionVariableCS, xrefs: 00490154
                                                                          • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00490122
                                                                          • InitializeConditionVariable, xrefs: 00490148
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: AddressHandleProc$CriticalModuleSection__crt_fast_encode_pointer$CloseCountCreateDeleteEventInitializeSpin___scrt_fastfail
                                                                          • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                                          • API String ID: 2634751764-1714406822
                                                                          • Opcode ID: 57fd1303d28994d8fd15471b63fa3249e1b40b4c15f9725976f20b7706cb8391
                                                                          • Instruction ID: 2bc36bd7cdc3bf610471ed98157f99762bad810b6026709a707431e265c79f4d
                                                                          • Opcode Fuzzy Hash: 57fd1303d28994d8fd15471b63fa3249e1b40b4c15f9725976f20b7706cb8391
                                                                          • Instruction Fuzzy Hash: DD21B636A41300AFEB105BA4AC4AAAF3FA8FF15B55F10063AFD01D23D0DB799804DB55
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                          • API String ID: 0-1645009161
                                                                          • Opcode ID: 4062aaafdb00d2d6ab0d26cd2e12abab095684b8ac5f378434b39c7c49c047bd
                                                                          • Instruction ID: ee7b83eb88106c18485cbc569f98f043cede682af45b12a0850a9122cecbfb54
                                                                          • Opcode Fuzzy Hash: 4062aaafdb00d2d6ab0d26cd2e12abab095684b8ac5f378434b39c7c49c047bd
                                                                          • Instruction Fuzzy Hash: 4A81E871604205BBDF25AF65CC42FEF7B64BF15304F04802BF909AA296EB7C9911C7A9
                                                                          APIs
                                                                          • LoadIconW.USER32(00000063), ref: 004D5A2E
                                                                          • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 004D5A40
                                                                          • SetWindowTextW.USER32(?,?), ref: 004D5A57
                                                                          • GetDlgItem.USER32(?,000003EA), ref: 004D5A6C
                                                                          • SetWindowTextW.USER32(00000000,?), ref: 004D5A72
                                                                          • GetDlgItem.USER32(?,000003E9), ref: 004D5A82
                                                                          • SetWindowTextW.USER32(00000000,?), ref: 004D5A88
                                                                          • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 004D5AA9
                                                                          • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 004D5AC3
                                                                          • GetWindowRect.USER32(?,?), ref: 004D5ACC
                                                                          • _wcslen.LIBCMT ref: 004D5B33
                                                                          • SetWindowTextW.USER32(?,?), ref: 004D5B6F
                                                                          • GetDesktopWindow.USER32 ref: 004D5B75
                                                                          • GetWindowRect.USER32(00000000), ref: 004D5B7C
                                                                          • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 004D5BD3
                                                                          • GetClientRect.USER32(?,?), ref: 004D5BE0
                                                                          • PostMessageW.USER32(?,00000005,00000000,?), ref: 004D5C05
                                                                          • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 004D5C2F
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                                                                          • String ID:
                                                                          • API String ID: 895679908-0
                                                                          • Opcode ID: e122ff9eecd754573061a3f20903038f58a37baed2b2edfa4671c8f0e64f44fe
                                                                          • Instruction ID: 5e3f3caef9cdaefa45df05e7499372e6ef99ae1581a14acb9e1e15fdf13d6d5e
                                                                          • Opcode Fuzzy Hash: e122ff9eecd754573061a3f20903038f58a37baed2b2edfa4671c8f0e64f44fe
                                                                          • Instruction Fuzzy Hash: 4C718F31900B05AFDB20DFA8CE95A6FBBF5FF48704F10461AE142A66A0DB79F944CB14
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: _wcslen
                                                                          • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[S
                                                                          • API String ID: 176396367-308041520
                                                                          • Opcode ID: 887e7484ede443866726726f14e66d0faa6ac9c7ee949301ce3e631f6eefb786
                                                                          • Instruction ID: 2e88205f15e678de66e4796ed2ed8aa3b8499d2df037ca2eb20e6eeba4501236
                                                                          • Opcode Fuzzy Hash: 887e7484ede443866726726f14e66d0faa6ac9c7ee949301ce3e631f6eefb786
                                                                          • Instruction Fuzzy Hash: 10E1F432A00516ABCF14DF78C4716EEFBB0BF54715F14816BE856A3340DB38AE4987A6
                                                                          APIs
                                                                          • CharLowerBuffW.USER32(00000000,00000000,0050CC08), ref: 004E4527
                                                                          • _wcslen.LIBCMT ref: 004E453B
                                                                          • _wcslen.LIBCMT ref: 004E4599
                                                                          • _wcslen.LIBCMT ref: 004E45F4
                                                                          • _wcslen.LIBCMT ref: 004E463F
                                                                          • _wcslen.LIBCMT ref: 004E46A7
                                                                            • Part of subcall function 0048F9F2: _wcslen.LIBCMT ref: 0048F9FD
                                                                          • GetDriveTypeW.KERNEL32(?,00536BF0,00000061), ref: 004E4743
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: _wcslen$BuffCharDriveLowerType
                                                                          • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                          • API String ID: 2055661098-1000479233
                                                                          • Opcode ID: 502893da7aff60729dacbc4c889ff42e67b75cd357aca713fa481a36fa3f835c
                                                                          • Instruction ID: b676cb8ecb243e1d6b92ce75db99ddf3c3e9cf748d12323f87eceee33b02ef2a
                                                                          • Opcode Fuzzy Hash: 502893da7aff60729dacbc4c889ff42e67b75cd357aca713fa481a36fa3f835c
                                                                          • Instruction Fuzzy Hash: 32B121306083429BC710DF2AC890A6BB7E1BFE5725F10891EF09A87391D738D845CB9A
                                                                          APIs
                                                                            • Part of subcall function 00489BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00489BB2
                                                                          • DragQueryPoint.SHELL32(?,?), ref: 00509147
                                                                            • Part of subcall function 00507674: ClientToScreen.USER32(?,?), ref: 0050769A
                                                                            • Part of subcall function 00507674: GetWindowRect.USER32(?,?), ref: 00507710
                                                                            • Part of subcall function 00507674: PtInRect.USER32(?,?,00508B89), ref: 00507720
                                                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 005091B0
                                                                          • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 005091BB
                                                                          • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 005091DE
                                                                          • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00509225
                                                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 0050923E
                                                                          • SendMessageW.USER32(?,000000B1,?,?), ref: 00509255
                                                                          • SendMessageW.USER32(?,000000B1,?,?), ref: 00509277
                                                                          • DragFinish.SHELL32(?), ref: 0050927E
                                                                          • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00509371
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
                                                                          • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#T
                                                                          • API String ID: 221274066-474986928
                                                                          • Opcode ID: 055fc18862a2382ffc6453411b766c865f36fdac3d8740426a2e4c803c3505d4
                                                                          • Instruction ID: 28eb67bd989fc5f349ba0d50683b885c66e4bbfb71f894d009d16b8a00d2f9ac
                                                                          • Opcode Fuzzy Hash: 055fc18862a2382ffc6453411b766c865f36fdac3d8740426a2e4c803c3505d4
                                                                          • Instruction Fuzzy Hash: A2616471108301AFC701EF65C889DAFBFE8FB99354F004A2EF596961A1DB309A49CB56
                                                                          APIs
                                                                          • _wcslen.LIBCMT ref: 004FB198
                                                                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 004FB1B0
                                                                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 004FB1D4
                                                                          • _wcslen.LIBCMT ref: 004FB200
                                                                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 004FB214
                                                                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 004FB236
                                                                          • _wcslen.LIBCMT ref: 004FB332
                                                                            • Part of subcall function 004E05A7: GetStdHandle.KERNEL32(000000F6), ref: 004E05C6
                                                                          • _wcslen.LIBCMT ref: 004FB34B
                                                                          • _wcslen.LIBCMT ref: 004FB366
                                                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 004FB3B6
                                                                          • GetLastError.KERNEL32(00000000), ref: 004FB407
                                                                          • CloseHandle.KERNEL32(?), ref: 004FB439
                                                                          • CloseHandle.KERNEL32(00000000), ref: 004FB44A
                                                                          • CloseHandle.KERNEL32(00000000), ref: 004FB45C
                                                                          • CloseHandle.KERNEL32(00000000), ref: 004FB46E
                                                                          • CloseHandle.KERNEL32(?), ref: 004FB4E3
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
                                                                          • String ID:
                                                                          • API String ID: 2178637699-0
                                                                          • Opcode ID: 522eeb327cce6c49eb6cf9f96fa42464dfa4c85754e5b78ff91032dec94835e0
                                                                          • Instruction ID: 8ac4019db47ff4cb286d04a68c8893a0be140390c0f555206c80460e6ea2936d
                                                                          • Opcode Fuzzy Hash: 522eeb327cce6c49eb6cf9f96fa42464dfa4c85754e5b78ff91032dec94835e0
                                                                          • Instruction Fuzzy Hash: A1F19C315042049FC714EF25C881B6FBBE1EF86318F14855EF9994B2A2CB39EC45CB9A
                                                                          APIs
                                                                          • GetMenuItemCount.USER32(00541990), ref: 004B2F8D
                                                                          • GetMenuItemCount.USER32(00541990), ref: 004B303D
                                                                          • GetCursorPos.USER32(?), ref: 004B3081
                                                                          • SetForegroundWindow.USER32(00000000), ref: 004B308A
                                                                          • TrackPopupMenuEx.USER32(00541990,00000000,?,00000000,00000000,00000000), ref: 004B309D
                                                                          • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 004B30A9
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
                                                                          • String ID: 0
                                                                          • API String ID: 36266755-4108050209
                                                                          • Opcode ID: c4a576f8c33fed17d953a3b612085e19e7bafb0afcaf96a01c88ad1b7a34ec99
                                                                          • Instruction ID: 81c5cb878bcc7d652d93555e6a0720508aa90e8aad4684f6b38e35845f181fed
                                                                          • Opcode Fuzzy Hash: c4a576f8c33fed17d953a3b612085e19e7bafb0afcaf96a01c88ad1b7a34ec99
                                                                          • Instruction Fuzzy Hash: 96710870640205BAEB219F25CD49FEABF64FF05324F204207F518662E1C7B5AD14E769
                                                                          APIs
                                                                          • DestroyWindow.USER32(?,?), ref: 00506DEB
                                                                            • Part of subcall function 00476B57: _wcslen.LIBCMT ref: 00476B6A
                                                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00506E5F
                                                                          • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00506E81
                                                                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00506E94
                                                                          • DestroyWindow.USER32(?), ref: 00506EB5
                                                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00470000,00000000), ref: 00506EE4
                                                                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00506EFD
                                                                          • GetDesktopWindow.USER32 ref: 00506F16
                                                                          • GetWindowRect.USER32(00000000), ref: 00506F1D
                                                                          • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00506F35
                                                                          • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00506F4D
                                                                            • Part of subcall function 00489944: GetWindowLongW.USER32(?,000000EB), ref: 00489952
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
                                                                          • String ID: 0$tooltips_class32
                                                                          • API String ID: 2429346358-3619404913
                                                                          • Opcode ID: 5b93dc024db90668b15e060bfe276eec456e15f856ee7210e9215902302683d7
                                                                          • Instruction ID: 3454c3fc960066405cc6cdb74a8fee2ebdd3b1f86749b580eaef5acbfe4c0054
                                                                          • Opcode Fuzzy Hash: 5b93dc024db90668b15e060bfe276eec456e15f856ee7210e9215902302683d7
                                                                          • Instruction Fuzzy Hash: F4717A74104345AFDB21CF18DC84EABBFE9FB9A304F04091DF9898B2A1C771A95ADB15
                                                                          APIs
                                                                          • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 004EC4B0
                                                                          • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 004EC4C3
                                                                          • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 004EC4D7
                                                                          • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 004EC4F0
                                                                          • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 004EC533
                                                                          • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 004EC549
                                                                          • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004EC554
                                                                          • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 004EC584
                                                                          • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 004EC5DC
                                                                          • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 004EC5F0
                                                                          • InternetCloseHandle.WININET(00000000), ref: 004EC5FB
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                                                                          • String ID:
                                                                          • API String ID: 3800310941-3916222277
                                                                          • Opcode ID: 65fa91af580f7079435809f9e4f987f67920ec96646bddedc6d454811f5d21e8
                                                                          • Instruction ID: 174c0922cf6b89f401ba745fc775213375cef8a47c061d9f95e1d01312dda8e9
                                                                          • Opcode Fuzzy Hash: 65fa91af580f7079435809f9e4f987f67920ec96646bddedc6d454811f5d21e8
                                                                          • Instruction Fuzzy Hash: B6518BB0500748BFDB219F66C988AAB7FBCFF19345F00451EF94696250DB38E909AB64
                                                                          APIs
                                                                          • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00508592
                                                                          • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005085A2
                                                                          • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005085AD
                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005085BA
                                                                          • GlobalLock.KERNEL32(00000000), ref: 005085C8
                                                                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005085D7
                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 005085E0
                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005085E7
                                                                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005085F8
                                                                          • OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0050FC38,?), ref: 00508611
                                                                          • GlobalFree.KERNEL32(00000000), ref: 00508621
                                                                          • GetObjectW.GDI32(?,00000018,?), ref: 00508641
                                                                          • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00508671
                                                                          • DeleteObject.GDI32(?), ref: 00508699
                                                                          • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 005086AF
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                          • String ID:
                                                                          • API String ID: 3840717409-0
                                                                          • Opcode ID: e42488399fc65ed3a5061977f41b8e8c6e54b932425e48419c6946cb0b4adde3
                                                                          • Instruction ID: 9d1fc444eef6130c0c8f3aa18d74e5d0159b04d7e272075b5125e044151ace6e
                                                                          • Opcode Fuzzy Hash: e42488399fc65ed3a5061977f41b8e8c6e54b932425e48419c6946cb0b4adde3
                                                                          • Instruction Fuzzy Hash: E1413975600204BFDB119FA5CC88EAE7FB8FF9A711F108158F945E72A0DB319905DB20
                                                                          APIs
                                                                          • VariantInit.OLEAUT32(00000000), ref: 004E1502
                                                                          • VariantCopy.OLEAUT32(?,?), ref: 004E150B
                                                                          • VariantClear.OLEAUT32(?), ref: 004E1517
                                                                          • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 004E15FB
                                                                          • VarR8FromDec.OLEAUT32(?,?), ref: 004E1657
                                                                          • VariantInit.OLEAUT32(?), ref: 004E1708
                                                                          • SysFreeString.OLEAUT32(?), ref: 004E178C
                                                                          • VariantClear.OLEAUT32(?), ref: 004E17D8
                                                                          • VariantClear.OLEAUT32(?), ref: 004E17E7
                                                                          • VariantInit.OLEAUT32(00000000), ref: 004E1823
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
                                                                          • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                                          • API String ID: 1234038744-3931177956
                                                                          • Opcode ID: 0ebef0be66d731d5ef2186629df24e9e6db319b41a74b8ba209129a926482124
                                                                          • Instruction ID: 231bf8bb931fd873d2c841c23a26e62927faefd33999ac02a92be7bbfd396c1f
                                                                          • Opcode Fuzzy Hash: 0ebef0be66d731d5ef2186629df24e9e6db319b41a74b8ba209129a926482124
                                                                          • Instruction Fuzzy Hash: 30D14671640140EBDB00AF67D884BBEB7B1BF45702F10855BF806AB2A4DB38DC46DB5A
                                                                          APIs
                                                                            • Part of subcall function 00479CB3: _wcslen.LIBCMT ref: 00479CBD
                                                                            • Part of subcall function 004FC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,004FB6AE,?,?), ref: 004FC9B5
                                                                            • Part of subcall function 004FC998: _wcslen.LIBCMT ref: 004FC9F1
                                                                            • Part of subcall function 004FC998: _wcslen.LIBCMT ref: 004FCA68
                                                                            • Part of subcall function 004FC998: _wcslen.LIBCMT ref: 004FCA9E
                                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004FB6F4
                                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004FB772
                                                                          • RegDeleteValueW.ADVAPI32(?,?), ref: 004FB80A
                                                                          • RegCloseKey.ADVAPI32(?), ref: 004FB87E
                                                                          • RegCloseKey.ADVAPI32(?), ref: 004FB89C
                                                                          • LoadLibraryA.KERNEL32(advapi32.dll), ref: 004FB8F2
                                                                          • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 004FB904
                                                                          • RegDeleteKeyW.ADVAPI32(?,?), ref: 004FB922
                                                                          • FreeLibrary.KERNEL32(00000000), ref: 004FB983
                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 004FB994
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
                                                                          • String ID: RegDeleteKeyExW$advapi32.dll
                                                                          • API String ID: 146587525-4033151799
                                                                          • Opcode ID: 4e7f00c8582986acad26e6ff462cd720486a9bbbdd5062f5fd7aff2f62d1f731
                                                                          • Instruction ID: 5eb18f29bd562c6d59b1a8640e9b66dfc6614d18af47fe0cd1e8aa4a1f1ceb51
                                                                          • Opcode Fuzzy Hash: 4e7f00c8582986acad26e6ff462cd720486a9bbbdd5062f5fd7aff2f62d1f731
                                                                          • Instruction Fuzzy Hash: 74C19D70204205AFD710DF25C494F2ABBE1FF85308F14855EE69A8B3A2CB79EC45CB86
                                                                          APIs
                                                                          • GetDC.USER32(00000000), ref: 004F25D8
                                                                          • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004F25E8
                                                                          • CreateCompatibleDC.GDI32(?), ref: 004F25F4
                                                                          • SelectObject.GDI32(00000000,?), ref: 004F2601
                                                                          • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 004F266D
                                                                          • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 004F26AC
                                                                          • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 004F26D0
                                                                          • SelectObject.GDI32(?,?), ref: 004F26D8
                                                                          • DeleteObject.GDI32(?), ref: 004F26E1
                                                                          • DeleteDC.GDI32(?), ref: 004F26E8
                                                                          • ReleaseDC.USER32(00000000,?), ref: 004F26F3
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                          • String ID: (
                                                                          • API String ID: 2598888154-3887548279
                                                                          • Opcode ID: b3919acbd2366a27fe4fdfa971c1f853a23fee4a1d68438a585b9d8221aa47fc
                                                                          • Instruction ID: cd9ba32a36be859a1750890e6b6dde178e25a6bfa40dbc10284d5c15d13c3ead
                                                                          • Opcode Fuzzy Hash: b3919acbd2366a27fe4fdfa971c1f853a23fee4a1d68438a585b9d8221aa47fc
                                                                          • Instruction Fuzzy Hash: 2E611275D00219EFCF04CFA8C984AAEBBF5FF48310F20852AEA55A7250D774A951DF54
                                                                          APIs
                                                                          • ___free_lconv_mon.LIBCMT ref: 004ADAA1
                                                                            • Part of subcall function 004AD63C: _free.LIBCMT ref: 004AD659
                                                                            • Part of subcall function 004AD63C: _free.LIBCMT ref: 004AD66B
                                                                            • Part of subcall function 004AD63C: _free.LIBCMT ref: 004AD67D
                                                                            • Part of subcall function 004AD63C: _free.LIBCMT ref: 004AD68F
                                                                            • Part of subcall function 004AD63C: _free.LIBCMT ref: 004AD6A1
                                                                            • Part of subcall function 004AD63C: _free.LIBCMT ref: 004AD6B3
                                                                            • Part of subcall function 004AD63C: _free.LIBCMT ref: 004AD6C5
                                                                            • Part of subcall function 004AD63C: _free.LIBCMT ref: 004AD6D7
                                                                            • Part of subcall function 004AD63C: _free.LIBCMT ref: 004AD6E9
                                                                            • Part of subcall function 004AD63C: _free.LIBCMT ref: 004AD6FB
                                                                            • Part of subcall function 004AD63C: _free.LIBCMT ref: 004AD70D
                                                                            • Part of subcall function 004AD63C: _free.LIBCMT ref: 004AD71F
                                                                            • Part of subcall function 004AD63C: _free.LIBCMT ref: 004AD731
                                                                          • _free.LIBCMT ref: 004ADA96
                                                                            • Part of subcall function 004A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,004AD7D1,00000000,00000000,00000000,00000000,?,004AD7F8,00000000,00000007,00000000,?,004ADBF5,00000000), ref: 004A29DE
                                                                            • Part of subcall function 004A29C8: GetLastError.KERNEL32(00000000,?,004AD7D1,00000000,00000000,00000000,00000000,?,004AD7F8,00000000,00000007,00000000,?,004ADBF5,00000000,00000000), ref: 004A29F0
                                                                          • _free.LIBCMT ref: 004ADAB8
                                                                          • _free.LIBCMT ref: 004ADACD
                                                                          • _free.LIBCMT ref: 004ADAD8
                                                                          • _free.LIBCMT ref: 004ADAFA
                                                                          • _free.LIBCMT ref: 004ADB0D
                                                                          • _free.LIBCMT ref: 004ADB1B
                                                                          • _free.LIBCMT ref: 004ADB26
                                                                          • _free.LIBCMT ref: 004ADB5E
                                                                          • _free.LIBCMT ref: 004ADB65
                                                                          • _free.LIBCMT ref: 004ADB82
                                                                          • _free.LIBCMT ref: 004ADB9A
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                          • String ID:
                                                                          • API String ID: 161543041-0
                                                                          • Opcode ID: d99a42ded5728c890b254b7a085583f5d9d0a31f03fc4e88e74877cb7065cc3c
                                                                          • Instruction ID: 8bcc1cf469d3d6678b3ecaf900a805fa72c790d667b98587ffea29cd35a15ac0
                                                                          • Opcode Fuzzy Hash: d99a42ded5728c890b254b7a085583f5d9d0a31f03fc4e88e74877cb7065cc3c
                                                                          • Instruction Fuzzy Hash: 5F317EB1A042049FDB21AA3AE945B5B77E8FF22714F10442FE04AD7691DA78AC40D729
                                                                          APIs
                                                                          • GetClassNameW.USER32(?,?,00000100), ref: 004D369C
                                                                          • _wcslen.LIBCMT ref: 004D36A7
                                                                          • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 004D3797
                                                                          • GetClassNameW.USER32(?,?,00000400), ref: 004D380C
                                                                          • GetDlgCtrlID.USER32(?), ref: 004D385D
                                                                          • GetWindowRect.USER32(?,?), ref: 004D3882
                                                                          • GetParent.USER32(?), ref: 004D38A0
                                                                          • ScreenToClient.USER32(00000000), ref: 004D38A7
                                                                          • GetClassNameW.USER32(?,?,00000100), ref: 004D3921
                                                                          • GetWindowTextW.USER32(?,?,00000400), ref: 004D395D
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
                                                                          • String ID: %s%u
                                                                          • API String ID: 4010501982-679674701
                                                                          • Opcode ID: 0a2b59cd7064732c63f28b4e289ca6ba70a1e68ebb7f87445fb85d2710ac751f
                                                                          • Instruction ID: 79e6f4b7ccfcac6704a45b02b0ee3c576a3e444272897bdcf78867207f9f6dc6
                                                                          • Opcode Fuzzy Hash: 0a2b59cd7064732c63f28b4e289ca6ba70a1e68ebb7f87445fb85d2710ac751f
                                                                          • Instruction Fuzzy Hash: C891E871200606AFD715DF24C8A4BABF7A8FF44345F00862BF999C2390D734EA45CB96
                                                                          APIs
                                                                          • GetClassNameW.USER32(?,?,00000400), ref: 004D4994
                                                                          • GetWindowTextW.USER32(?,?,00000400), ref: 004D49DA
                                                                          • _wcslen.LIBCMT ref: 004D49EB
                                                                          • CharUpperBuffW.USER32(?,00000000), ref: 004D49F7
                                                                          • _wcsstr.LIBVCRUNTIME ref: 004D4A2C
                                                                          • GetClassNameW.USER32(00000018,?,00000400), ref: 004D4A64
                                                                          • GetWindowTextW.USER32(?,?,00000400), ref: 004D4A9D
                                                                          • GetClassNameW.USER32(00000018,?,00000400), ref: 004D4AE6
                                                                          • GetClassNameW.USER32(?,?,00000400), ref: 004D4B20
                                                                          • GetWindowRect.USER32(?,?), ref: 004D4B8B
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
                                                                          • String ID: ThumbnailClass
                                                                          • API String ID: 1311036022-1241985126
                                                                          • Opcode ID: e777cc8c5b2ddefd97219338c15c2f5d5bcc4ea667d9688b508e2c43dadd6351
                                                                          • Instruction ID: c604dc0e25c230f74a34c3413f50fed0335a62283499dad7247dbc86a13babd2
                                                                          • Opcode Fuzzy Hash: e777cc8c5b2ddefd97219338c15c2f5d5bcc4ea667d9688b508e2c43dadd6351
                                                                          • Instruction Fuzzy Hash: C391EC311042059FDB04CF14C9A5BAB7BA8FF94304F04846BFD859A396DB38ED49CBA9
                                                                          APIs
                                                                            • Part of subcall function 00489BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00489BB2
                                                                          • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00508D5A
                                                                          • GetFocus.USER32 ref: 00508D6A
                                                                          • GetDlgCtrlID.USER32(00000000), ref: 00508D75
                                                                          • DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00508E1D
                                                                          • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00508ECF
                                                                          • GetMenuItemCount.USER32(?), ref: 00508EEC
                                                                          • GetMenuItemID.USER32(?,00000000), ref: 00508EFC
                                                                          • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00508F2E
                                                                          • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00508F70
                                                                          • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00508FA1
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
                                                                          • String ID: 0
                                                                          • API String ID: 1026556194-4108050209
                                                                          • Opcode ID: 69ce4e79b72b61c032abe7101ccc51ae1389c165908c033ca92a6db4eea4d5ec
                                                                          • Instruction ID: a63ed0915a6097aa2c5cebc52fa3dd468619ddc23813d425b5b0ac7653c54b2e
                                                                          • Opcode Fuzzy Hash: 69ce4e79b72b61c032abe7101ccc51ae1389c165908c033ca92a6db4eea4d5ec
                                                                          • Instruction Fuzzy Hash: 9D817871508302ABDB20DF24C884EBE7FE9BB99314F140A1AF98497291DB70E944DBA1
                                                                          APIs
                                                                          • GetFileVersionInfoSizeW.VERSION(?,?), ref: 004DDC20
                                                                          • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 004DDC46
                                                                          • _wcslen.LIBCMT ref: 004DDC50
                                                                          • _wcsstr.LIBVCRUNTIME ref: 004DDCA0
                                                                          • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 004DDCBC
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
                                                                          • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                          • API String ID: 1939486746-1459072770
                                                                          • Opcode ID: 6abfd7fa7f19d499b9af6ac2119872681559b03c7d52f9668e56a481efe24fbe
                                                                          • Instruction ID: 4e3cb188dc96f468f0225b8f21dc06d66ca9bd6230e905c3b09dd300300bed38
                                                                          • Opcode Fuzzy Hash: 6abfd7fa7f19d499b9af6ac2119872681559b03c7d52f9668e56a481efe24fbe
                                                                          • Instruction Fuzzy Hash: 2A4115329402007AEF10A776DC07EBF7BACEF56714F10456FF900A6282EB7C990597A9
                                                                          APIs
                                                                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 004FCC64
                                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 004FCC8D
                                                                          • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 004FCD48
                                                                            • Part of subcall function 004FCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 004FCCAA
                                                                            • Part of subcall function 004FCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 004FCCBD
                                                                            • Part of subcall function 004FCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 004FCCCF
                                                                            • Part of subcall function 004FCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 004FCD05
                                                                            • Part of subcall function 004FCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 004FCD28
                                                                          • RegDeleteKeyW.ADVAPI32(?,?), ref: 004FCCF3
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
                                                                          • String ID: RegDeleteKeyExW$advapi32.dll
                                                                          • API String ID: 2734957052-4033151799
                                                                          • Opcode ID: a985b9f087b6cb1eebcbb203204f643569f84dafd1681498efa992f840980b7a
                                                                          • Instruction ID: fb5f38a13a8c7777e62b36b98b3826085446634a4e06c449f2ad1223f8bf5689
                                                                          • Opcode Fuzzy Hash: a985b9f087b6cb1eebcbb203204f643569f84dafd1681498efa992f840980b7a
                                                                          • Instruction Fuzzy Hash: 1831617190112DBBD7208B55DDC8EFFBF7CEF56750F000166BA06E6240D7389A49EAA4
                                                                          APIs
                                                                          • timeGetTime.WINMM ref: 004DE6B4
                                                                            • Part of subcall function 0048E551: timeGetTime.WINMM(?,?,004DE6D4), ref: 0048E555
                                                                          • Sleep.KERNEL32(0000000A), ref: 004DE6E1
                                                                          • EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 004DE705
                                                                          • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 004DE727
                                                                          • SetActiveWindow.USER32 ref: 004DE746
                                                                          • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 004DE754
                                                                          • SendMessageW.USER32(00000010,00000000,00000000), ref: 004DE773
                                                                          • Sleep.KERNEL32(000000FA), ref: 004DE77E
                                                                          • IsWindow.USER32 ref: 004DE78A
                                                                          • EndDialog.USER32(00000000), ref: 004DE79B
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                          • String ID: BUTTON
                                                                          • API String ID: 1194449130-3405671355
                                                                          • Opcode ID: ec76b7a9553bca79ae0fb52b81dc13c0def1b53fe0e9e8ea5a794e7d7b7c189a
                                                                          • Instruction ID: 60948170447ccfdb464e93228cefa8712d59fe25894b71265df4fea13365ec46
                                                                          • Opcode Fuzzy Hash: ec76b7a9553bca79ae0fb52b81dc13c0def1b53fe0e9e8ea5a794e7d7b7c189a
                                                                          • Instruction Fuzzy Hash: 93215078200214AFEB106F66EC99A7A3F69E77634DF50052BF405853A1DF65AC08BA29
                                                                          APIs
                                                                            • Part of subcall function 00479CB3: _wcslen.LIBCMT ref: 00479CBD
                                                                          • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 004DEA5D
                                                                          • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 004DEA73
                                                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 004DEA84
                                                                          • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 004DEA96
                                                                          • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 004DEAA7
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: SendString$_wcslen
                                                                          • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                          • API String ID: 2420728520-1007645807
                                                                          • Opcode ID: e0873f7875139dcedfce8b32c9ff2254ab0f527f8b85517de425f8293d43e7e8
                                                                          • Instruction ID: cb7439f93cd6f87b44cfaa31a6b27f73b5bdbad41f2e6f873726d038582594e9
                                                                          • Opcode Fuzzy Hash: e0873f7875139dcedfce8b32c9ff2254ab0f527f8b85517de425f8293d43e7e8
                                                                          • Instruction Fuzzy Hash: 54114F61A9021A79D720B7A2DC5AEFF6F7CFBD1B04F00442F7815A61D1EA740905C5B4
                                                                          APIs
                                                                          • GetDlgItem.USER32(?,00000001), ref: 004D5CE2
                                                                          • GetWindowRect.USER32(00000000,?), ref: 004D5CFB
                                                                          • MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 004D5D59
                                                                          • GetDlgItem.USER32(?,00000002), ref: 004D5D69
                                                                          • GetWindowRect.USER32(00000000,?), ref: 004D5D7B
                                                                          • MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 004D5DCF
                                                                          • GetDlgItem.USER32(?,000003E9), ref: 004D5DDD
                                                                          • GetWindowRect.USER32(00000000,?), ref: 004D5DEF
                                                                          • MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 004D5E31
                                                                          • GetDlgItem.USER32(?,000003EA), ref: 004D5E44
                                                                          • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 004D5E5A
                                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 004D5E67
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Window$ItemMoveRect$Invalidate
                                                                          • String ID:
                                                                          • API String ID: 3096461208-0
                                                                          • Opcode ID: 99cd97dabf8c83074d6b128583c1c59d75fe7ac6a3dd23f1a175947db01912c0
                                                                          • Instruction ID: 37bb28a0bd7869b097510ef5dda56bc15b1ac48c6ca2a2469113bbef59bc4849
                                                                          • Opcode Fuzzy Hash: 99cd97dabf8c83074d6b128583c1c59d75fe7ac6a3dd23f1a175947db01912c0
                                                                          • Instruction Fuzzy Hash: 15511F70A00605AFDF18DF68DD99AAE7BB5EB58300F10822AF515E6390DB749E04CB60
                                                                          APIs
                                                                            • Part of subcall function 00488F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00488BE8,?,00000000,?,?,?,?,00488BBA,00000000,?), ref: 00488FC5
                                                                          • DestroyWindow.USER32(?), ref: 00488C81
                                                                          • KillTimer.USER32(00000000,?,?,?,?,00488BBA,00000000,?), ref: 00488D1B
                                                                          • DestroyAcceleratorTable.USER32(00000000), ref: 004C6973
                                                                          • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00488BBA,00000000,?), ref: 004C69A1
                                                                          • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00488BBA,00000000,?), ref: 004C69B8
                                                                          • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00488BBA,00000000), ref: 004C69D4
                                                                          • DeleteObject.GDI32(00000000), ref: 004C69E6
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                          • String ID:
                                                                          • API String ID: 641708696-0
                                                                          • Opcode ID: ee275727a17da8cde1744f82b7305aedba534381f8a16148bca4d615c7e26f8a
                                                                          • Instruction ID: e08aa27f77922815744baa3b4873b2c37fe58a537475e71982edde520f98869b
                                                                          • Opcode Fuzzy Hash: ee275727a17da8cde1744f82b7305aedba534381f8a16148bca4d615c7e26f8a
                                                                          • Instruction Fuzzy Hash: 6261AE34101A00DFDB21AF14D948B6E7BF1FB62316F54891EE042966A4CB39A8C5EF59
                                                                          APIs
                                                                            • Part of subcall function 00489944: GetWindowLongW.USER32(?,000000EB), ref: 00489952
                                                                          • GetSysColor.USER32(0000000F), ref: 00489862
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: ColorLongWindow
                                                                          • String ID:
                                                                          • API String ID: 259745315-0
                                                                          • Opcode ID: a4dafe7f8b0ca14ef168ba95fda90d6d8ba1513eeb199aec4a4939de7aa690bb
                                                                          • Instruction ID: 28271ad5248274286f59a41cdea68bd0b1d2def244555b4844cb04005734441c
                                                                          • Opcode Fuzzy Hash: a4dafe7f8b0ca14ef168ba95fda90d6d8ba1513eeb199aec4a4939de7aa690bb
                                                                          • Instruction Fuzzy Hash: 6241A435104A40AFDB207F389C84BBE3B65AB17334F184A5AF9A2872E1D7359C46DB15
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: .I
                                                                          • API String ID: 0-2795939834
                                                                          • Opcode ID: 94a034404240fac9002b9eb9d90ba1c618891663f9ffb51f85c891f30d741215
                                                                          • Instruction ID: 8d06f49f5e4ec4873b73a43fdf828960e1a017e99eb3d7e506ae9dd7ad819c0e
                                                                          • Opcode Fuzzy Hash: 94a034404240fac9002b9eb9d90ba1c618891663f9ffb51f85c891f30d741215
                                                                          • Instruction Fuzzy Hash: A6C1E574908249AFDF11DFA9C841BAEBFB0AF2B314F1440AAF51497392C7398D45CB69
                                                                          APIs
                                                                          • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,004BF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 004D9717
                                                                          • LoadStringW.USER32(00000000,?,004BF7F8,00000001), ref: 004D9720
                                                                            • Part of subcall function 00479CB3: _wcslen.LIBCMT ref: 00479CBD
                                                                          • GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,004BF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 004D9742
                                                                          • LoadStringW.USER32(00000000,?,004BF7F8,00000001), ref: 004D9745
                                                                          • MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 004D9866
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: HandleLoadModuleString$Message_wcslen
                                                                          • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                          • API String ID: 747408836-2268648507
                                                                          • Opcode ID: edeece5ca9424eb9af394f8907a5d1c158d4d4fa5e55b1eb4a5ca4d03bf772f1
                                                                          • Instruction ID: cb0ba5a198e69b60d01572507ce76875193b322f4555b3d1fee6174a6738527e
                                                                          • Opcode Fuzzy Hash: edeece5ca9424eb9af394f8907a5d1c158d4d4fa5e55b1eb4a5ca4d03bf772f1
                                                                          • Instruction Fuzzy Hash: 74417172800209AACF04FBE1CD92DEE7778AF15744F10442BF609B2192EB396F48DB65
                                                                          APIs
                                                                            • Part of subcall function 00476B57: _wcslen.LIBCMT ref: 00476B6A
                                                                          • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 004D07A2
                                                                          • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 004D07BE
                                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 004D07DA
                                                                          • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 004D0804
                                                                          • CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 004D082C
                                                                          • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 004D0837
                                                                          • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 004D083C
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
                                                                          • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                          • API String ID: 323675364-22481851
                                                                          • Opcode ID: 510a04de1a74e6b803f4516f8661ed606c87cf5b000c296cf92b9601cc50d99f
                                                                          • Instruction ID: 89c2308df8b05cf4ba05f9ad9875c7a289df577bdcfccff5d96f9be5c6c0b984
                                                                          • Opcode Fuzzy Hash: 510a04de1a74e6b803f4516f8661ed606c87cf5b000c296cf92b9601cc50d99f
                                                                          • Instruction Fuzzy Hash: 70413B72C10228ABCF11EFA4DC95DEEB778BF54344F05812AF905A32A1EB345E18DB94
                                                                          APIs
                                                                          • VariantInit.OLEAUT32(?), ref: 004F3C5C
                                                                          • CoInitialize.OLE32(00000000), ref: 004F3C8A
                                                                          • CoUninitialize.OLE32 ref: 004F3C94
                                                                          • _wcslen.LIBCMT ref: 004F3D2D
                                                                          • GetRunningObjectTable.OLE32(00000000,?), ref: 004F3DB1
                                                                          • SetErrorMode.KERNEL32(00000001,00000029), ref: 004F3ED5
                                                                          • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 004F3F0E
                                                                          • CoGetObject.OLE32(?,00000000,0050FB98,?), ref: 004F3F2D
                                                                          • SetErrorMode.KERNEL32(00000000), ref: 004F3F40
                                                                          • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 004F3FC4
                                                                          • VariantClear.OLEAUT32(?), ref: 004F3FD8
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
                                                                          • String ID:
                                                                          • API String ID: 429561992-0
                                                                          • Opcode ID: 419983e233300a37cb00b114e0b15440d703cb4dc2a8879541e7e8d198e3ac6a
                                                                          • Instruction ID: df70f6bde922c8cebc84f31cb1ab7bb476de2d0223e7705ec339e3770b3dcb2c
                                                                          • Opcode Fuzzy Hash: 419983e233300a37cb00b114e0b15440d703cb4dc2a8879541e7e8d198e3ac6a
                                                                          • Instruction Fuzzy Hash: 49C168716083099FC700DF69C88492BBBE9FF89749F10491EFA8A9B250D734EE05CB56
                                                                          APIs
                                                                          • CoInitialize.OLE32(00000000), ref: 004E7AF3
                                                                          • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 004E7B8F
                                                                          • SHGetDesktopFolder.SHELL32(?), ref: 004E7BA3
                                                                          • CoCreateInstance.OLE32(0050FD08,00000000,00000001,00536E6C,?), ref: 004E7BEF
                                                                          • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 004E7C74
                                                                          • CoTaskMemFree.OLE32(?,?), ref: 004E7CCC
                                                                          • SHBrowseForFolderW.SHELL32(?), ref: 004E7D57
                                                                          • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 004E7D7A
                                                                          • CoTaskMemFree.OLE32(00000000), ref: 004E7D81
                                                                          • CoTaskMemFree.OLE32(00000000), ref: 004E7DD6
                                                                          • CoUninitialize.OLE32 ref: 004E7DDC
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                                                                          • String ID:
                                                                          • API String ID: 2762341140-0
                                                                          • Opcode ID: 132261f27c925317b8410e154f500c9fb48f0a22bd552f9fdc0e55ec499a1785
                                                                          • Instruction ID: fd286c78b8914a6557bcdb9de8fbcdd8b4feac15e727443e278fc1465df6b994
                                                                          • Opcode Fuzzy Hash: 132261f27c925317b8410e154f500c9fb48f0a22bd552f9fdc0e55ec499a1785
                                                                          • Instruction Fuzzy Hash: 72C16A74A00109AFCB10DFA5C884DAEBBF9FF48319B148199E80ADB361D734EE45CB94
                                                                          APIs
                                                                          • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00505504
                                                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00505515
                                                                          • CharNextW.USER32(00000158), ref: 00505544
                                                                          • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00505585
                                                                          • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0050559B
                                                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 005055AC
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$CharNext
                                                                          • String ID:
                                                                          • API String ID: 1350042424-0
                                                                          • Opcode ID: 6a50fac59d02d4e8ea83fc0d7458e2c3efe39eb82a7538f603bb234a7f44a98d
                                                                          • Instruction ID: 03b8f9cb1ee66a58b7a84a45fda66f58033bac3c44138971370e2fb7d362b5ee
                                                                          • Opcode Fuzzy Hash: 6a50fac59d02d4e8ea83fc0d7458e2c3efe39eb82a7538f603bb234a7f44a98d
                                                                          • Instruction Fuzzy Hash: D1618B34900609ABDF218F54CC84AFF7FB9FB0A324F144945F925AA2D0E7759A85DF60
                                                                          APIs
                                                                          • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 004CFAAF
                                                                          • SafeArrayAllocData.OLEAUT32(?), ref: 004CFB08
                                                                          • VariantInit.OLEAUT32(?), ref: 004CFB1A
                                                                          • SafeArrayAccessData.OLEAUT32(?,?), ref: 004CFB3A
                                                                          • VariantCopy.OLEAUT32(?,?), ref: 004CFB8D
                                                                          • SafeArrayUnaccessData.OLEAUT32(?), ref: 004CFBA1
                                                                          • VariantClear.OLEAUT32(?), ref: 004CFBB6
                                                                          • SafeArrayDestroyData.OLEAUT32(?), ref: 004CFBC3
                                                                          • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 004CFBCC
                                                                          • VariantClear.OLEAUT32(?), ref: 004CFBDE
                                                                          • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 004CFBE9
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                          • String ID:
                                                                          • API String ID: 2706829360-0
                                                                          • Opcode ID: 03f5f51c4b99e72816de5c461ef1fedf8681e61b92bf4c189a52b935dd80e9f5
                                                                          • Instruction ID: cb68885cb475478dee97ba32925d7913c6c995ab0f95e38c0438e5faa53c9733
                                                                          • Opcode Fuzzy Hash: 03f5f51c4b99e72816de5c461ef1fedf8681e61b92bf4c189a52b935dd80e9f5
                                                                          • Instruction Fuzzy Hash: 5B415035A002199FCF00DF65C854EEEBFB9FF58345F00816AE945A7261D738AD49CB94
                                                                          APIs
                                                                          • GetKeyboardState.USER32(?), ref: 004D9CA1
                                                                          • GetAsyncKeyState.USER32(000000A0), ref: 004D9D22
                                                                          • GetKeyState.USER32(000000A0), ref: 004D9D3D
                                                                          • GetAsyncKeyState.USER32(000000A1), ref: 004D9D57
                                                                          • GetKeyState.USER32(000000A1), ref: 004D9D6C
                                                                          • GetAsyncKeyState.USER32(00000011), ref: 004D9D84
                                                                          • GetKeyState.USER32(00000011), ref: 004D9D96
                                                                          • GetAsyncKeyState.USER32(00000012), ref: 004D9DAE
                                                                          • GetKeyState.USER32(00000012), ref: 004D9DC0
                                                                          • GetAsyncKeyState.USER32(0000005B), ref: 004D9DD8
                                                                          • GetKeyState.USER32(0000005B), ref: 004D9DEA
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: State$Async$Keyboard
                                                                          • String ID:
                                                                          • API String ID: 541375521-0
                                                                          • Opcode ID: cac9a6f231c87af8eaa0f4fee609511947da1931188cbb50213896e196e2d8ff
                                                                          • Instruction ID: 5501ee427c5f5b2f2f69379e1eaa7925b227983980f383346f2331add0290760
                                                                          • Opcode Fuzzy Hash: cac9a6f231c87af8eaa0f4fee609511947da1931188cbb50213896e196e2d8ff
                                                                          • Instruction Fuzzy Hash: 6341DA345047C969FF30976488243B7BEA16B22344F08405BD6C6D77C1D7AD5DC8C796
                                                                          APIs
                                                                          • WSAStartup.WSOCK32(00000101,?), ref: 004F05BC
                                                                          • inet_addr.WSOCK32(?), ref: 004F061C
                                                                          • gethostbyname.WSOCK32(?), ref: 004F0628
                                                                          • IcmpCreateFile.IPHLPAPI ref: 004F0636
                                                                          • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 004F06C6
                                                                          • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 004F06E5
                                                                          • IcmpCloseHandle.IPHLPAPI(?), ref: 004F07B9
                                                                          • WSACleanup.WSOCK32 ref: 004F07BF
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                           • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                                          • String ID: Ping
                                                                          • API String ID: 1028309954-2246546115
                                                                          • Opcode ID: e67df7233ff1ffc5c66753bb5e331c06e16710631ade18402c73dd66db74e572
                                                                          • Instruction ID: cc07a0585999901c2abfa12761c169b890a47543d52f00de6407118e5dd7f7a1
                                                                          • Opcode Fuzzy Hash: e67df7233ff1ffc5c66753bb5e331c06e16710631ade18402c73dd66db74e572
                                                                          • Instruction Fuzzy Hash: 8A918E75504201AFD720DF15C488F2ABBE0AF84318F1485AAF5698B7A2C778EC45CF95
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                           • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: _wcslen$BuffCharLower
                                                                          • String ID: cdecl$none$stdcall$winapi
                                                                          • API String ID: 707087890-567219261
                                                                          • Opcode ID: 732c12014d3f5b9eb8073d4acb195d6cf47ed5378f08de8cb319978d4c7ef084
                                                                          • Instruction ID: 7b1a21a229020a6240cf5c9ccbf72605ebddd8247a1a1fac4074b1946b1272cd
                                                                          • Opcode Fuzzy Hash: 732c12014d3f5b9eb8073d4acb195d6cf47ed5378f08de8cb319978d4c7ef084
                                                                          • Instruction Fuzzy Hash: 2151C472A0051A9BCF14DF68C9518BEB7A5BF64314B21422FE615EB3C4DB38DD41C794
                                                                          APIs
                                                                          • CoInitialize.OLE32 ref: 004F3774
                                                                          • CoUninitialize.OLE32 ref: 004F377F
                                                                          • CoCreateInstance.OLE32(?,00000000,00000017,0050FB78,?), ref: 004F37D9
                                                                          • IIDFromString.OLE32(?,?), ref: 004F384C
                                                                          • VariantInit.OLEAUT32(?), ref: 004F38E4
                                                                          • VariantClear.OLEAUT32(?), ref: 004F3936
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                           • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                                                                          • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                          • API String ID: 636576611-1287834457
                                                                          • Opcode ID: 44c947ac3ce95d78368da83392d14eeab8a1810de6c4f78cfedc79e06ff7ac5e
                                                                          • Instruction ID: e95eb94d7ecfd40c765ad44b4901ed9885efcb0f27dba20a536f0a7cd15c6e81
                                                                          • Opcode Fuzzy Hash: 44c947ac3ce95d78368da83392d14eeab8a1810de6c4f78cfedc79e06ff7ac5e
                                                                          • Instruction Fuzzy Hash: 6B61BEB0608305AFD310EF55C848B6ABBE4EF49745F10490EFA8597391C778EE49CB9A
                                                                          APIs
                                                                            • Part of subcall function 00489BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00489BB2
                                                                            • Part of subcall function 0048912D: GetCursorPos.USER32(?), ref: 00489141
                                                                            • Part of subcall function 0048912D: ScreenToClient.USER32(00000000,?), ref: 0048915E
                                                                            • Part of subcall function 0048912D: GetAsyncKeyState.USER32(00000001), ref: 00489183
                                                                            • Part of subcall function 0048912D: GetAsyncKeyState.USER32(00000002), ref: 0048919D
                                                                          • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00508B6B
                                                                          • ImageList_EndDrag.COMCTL32 ref: 00508B71
                                                                          • ReleaseCapture.USER32 ref: 00508B77
                                                                          • SetWindowTextW.USER32(?,00000000), ref: 00508C12
                                                                          • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00508C25
                                                                          • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00508CFF
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                           • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                                                          • String ID: @GUI_DRAGFILE$@GUI_DROPID$p#T
                                                                          • API String ID: 1924731296-276937152
                                                                          • Opcode ID: 07ac44ad4319eb39055a8a09f305e09bf75d196c2b8ec97ffdeb35c44ed4744a
                                                                          • Instruction ID: 21778d21959261873314f3c9d97ec92e172d5343523b6ece1f07ad5ae673b427
                                                                          • Opcode Fuzzy Hash: 07ac44ad4319eb39055a8a09f305e09bf75d196c2b8ec97ffdeb35c44ed4744a
                                                                          • Instruction Fuzzy Hash: F4518B70104204AFE704EF14C85AFAE7BE4FB89718F000A2DF996572E1CB749D48CB66
                                                                          APIs
                                                                          • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 004E33CF
                                                                            • Part of subcall function 00479CB3: _wcslen.LIBCMT ref: 00479CBD
                                                                          • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 004E33F0
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                           • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: LoadString$_wcslen
                                                                          • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                                          • API String ID: 4099089115-3080491070
                                                                          • Opcode ID: bdeea810c3effddfa6426735ba6cb802d0e65f545d391341cfdde6347d586671
                                                                          • Instruction ID: aec2a1209eb654e5ce440a5778f6be2f731c7a157a2f5b42688efa9b7757028d
                                                                          • Opcode Fuzzy Hash: bdeea810c3effddfa6426735ba6cb802d0e65f545d391341cfdde6347d586671
                                                                          • Instruction Fuzzy Hash: 9851C271800109BADF15EFA1CD46DEEB778AF14349F10846AF40973192EB392F58DB69
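Every function record in this listing has the same shape: an "APIs" header, one bullet per imported call (module, arguments, call-site address, and optionally the callee it was observed in), then the "Memory Dump Source" and "Similarity" blocks, closed by the "Instruction Fuzzy Hash" line. When triaging a long listing like this one it is faster to parse the records than to scroll them. The Python below is an added example, not code from the Joe Sandbox report or its IDA plugin; the record layout is inferred from this page rather than from any documented Joe Sandbox schema, and the sample input is a trimmed copy of the Ping record and the LoadStringW record shown above.

```python
"""Parse Joe Sandbox IDA-plugin function records into structured data.

Added example; the layout (APIs / Strings / Memory Dump Source /
Joe Sandbox IDA Plugin / Similarity) is inferred from the report listing.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SECTION_HEADERS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# Matches the three API bullet forms seen in the listing:
#   • IcmpSendEcho.IPHLPAPI(?,?,00000005), ref: 004F06C6
#   • IcmpCreateFile.IPHLPAPI ref: 004F0636
#   • Part of subcall function 00479CB3: _wcslen.LIBCMT ref: 00479CBD
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)$"
)
# Generic "• Key: value" bullet (Source File, API ID, String ID, hashes, ...).
KV_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<value>.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: tuple[str, ...]
    ref: int                    # call-site address inside the dumped image
    subcall_of: int | None      # callee address when the call is inside a subcall


@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    fields: dict[str, str] = field(default_factory=dict)

    @property
    def string_ids(self) -> list[str]:
        """Split the '$'-joined String ID (e.g. 'INVALID$NOTREADY$READY')."""
        return [s for s in self.fields.get("String ID", "").split("$") if s]

    @property
    def api_names(self) -> set[str]:
        return {a.name for a in self.apis}


def parse_records(text: str) -> list[FunctionRecord]:
    records: list[FunctionRecord] = []
    current: FunctionRecord | None = None
    in_apis = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":              # every record opens with this header
            current = FunctionRecord()
            records.append(current)
            in_apis = True
            continue
        if current is None:             # tail of a record cut off before the first header
            continue
        if line in SECTION_HEADERS:
            in_apis = False
            continue
        if in_apis:
            m = API_RE.match(line)
            if m:
                args = tuple(m["args"].split(",")) if m["args"] else ()
                sub = int(m["sub"], 16) if m["sub"] else None
                current.apis.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16), sub))
            continue
        m = KV_RE.match(line)
        if m:
            current.fields[m["key"].strip()] = m["value"].strip()
    return records


def functions_calling(records: list[FunctionRecord], api_name: str) -> list[FunctionRecord]:
    """Records whose API list (subcalls included) contains api_name."""
    return [r for r in records if api_name in r.api_names]


# Constructed sample: trimmed copies of the Ping and LoadStringW records above.
SAMPLE = """\
APIs
• WSAStartup.WSOCK32(00000101,?), ref: 004F05BC
• inet_addr.WSOCK32(?), ref: 004F061C
• gethostbyname.WSOCK32(?), ref: 004F0628
• IcmpCreateFile.IPHLPAPI ref: 004F0636
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 004F06C6
• IcmpCloseHandle.IPHLPAPI(?), ref: 004F07B9
• WSACleanup.WSOCK32 ref: 004F07BF
Strings
Memory Dump Source
• Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
Similarity
• API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
• String ID: Ping
• API String ID: 1028309954-2246546115
• Instruction Fuzzy Hash: 8A918E75504201AFD720DF15C488F2ABBE0AF84318F1485AAF5698B7A2C778EC45CF95
APIs
• LoadStringW.USER32(00000066,?,00000FFF,?), ref: 004E33CF
  • Part of subcall function 00479CB3: _wcslen.LIBCMT ref: 00479CBD
• LoadStringW.USER32(00000072,?,00000FFF,?), ref: 004E33F0
Strings
Similarity
• API ID: LoadString$_wcslen
• String ID: Error: $"%s" (%d) : ==> %s:$Line %d (File "%s"):$^ ERROR
"""

if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec.string_ids, sorted(rec.api_names), [hex(a.ref) for a in rec.apis])
```

Run over the full report text the same parser gives one record per function; `functions_calling(records, "IcmpSendEcho")` returns the Ping stub, and the `ref` addresses can be fed straight back into the dump at Offset 00470000. Lines that follow "Strings" but carry no bullet are skipped, so the empty "Strings" headers in this listing do not disturb the parse.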
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                           • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: _wcslen$BuffCharUpper
                                                                          • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                                          • API String ID: 1256254125-769500911
                                                                          • Opcode ID: 701d63af861a0a6eb9da1570dd7c15d2f90b17adcb80d1381d5b9f546ef99e69
                                                                          • Instruction ID: e61e5be0457cadfd3682b81f3bcbc53e25c58e75c8f22393257bba7bc86b8303
                                                                          • Opcode Fuzzy Hash: 701d63af861a0a6eb9da1570dd7c15d2f90b17adcb80d1381d5b9f546ef99e69
                                                                          • Instruction Fuzzy Hash: FF41C532A00126DBCB105F7DC8A05BF7BA5EBA1758B26412BE461D7384E739CD82C7D5
                                                                          APIs
                                                                          • SetErrorMode.KERNEL32(00000001), ref: 004E53A0
                                                                          • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 004E5416
                                                                          • GetLastError.KERNEL32 ref: 004E5420
                                                                          • SetErrorMode.KERNEL32(00000000,READY), ref: 004E54A7
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                           • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Error$Mode$DiskFreeLastSpace
                                                                          • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                          • API String ID: 4194297153-14809454
                                                                          • Opcode ID: 6677f2660d5592f1e5a3ef83d9471fa76ad605a372d9be1f6977aaf6433ecf51
                                                                          • Instruction ID: 8a8c64694e2559942514c5dce31d26d53635b97fe3da6b8135dc5033fe76a774
                                                                          • Opcode Fuzzy Hash: 6677f2660d5592f1e5a3ef83d9471fa76ad605a372d9be1f6977aaf6433ecf51
                                                                          • Instruction Fuzzy Hash: 5631CE35A00245AFC710DF6AC484BAABBF4FF4530AF14806AE405CB392D778DD86CB91
                                                                          APIs
                                                                          • CreateMenu.USER32 ref: 00503C79
                                                                          • SetMenu.USER32(?,00000000), ref: 00503C88
                                                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00503D10
                                                                          • IsMenu.USER32(?), ref: 00503D24
                                                                          • CreatePopupMenu.USER32 ref: 00503D2E
                                                                          • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00503D5B
                                                                          • DrawMenuBar.USER32 ref: 00503D63
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                           • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                                                          • String ID: 0$F
                                                                          • API String ID: 161812096-3044882817
                                                                          • Opcode ID: 965d34b37d5b318577c1866a5cae57fd292ac2af151b9293ccb4b1685462d3a9
                                                                          • Instruction ID: 5ef4004b6c72c2e1d4d3d8e421d8ad4fd6c0132f2491a98324b4c5d1e439554b
                                                                          • Opcode Fuzzy Hash: 965d34b37d5b318577c1866a5cae57fd292ac2af151b9293ccb4b1685462d3a9
                                                                          • Instruction Fuzzy Hash: C6418879A01209AFDB14CF64D984AEE7FB9FF5A340F140129E906A73A0D730AA14DB94
                                                                          APIs
                                                                          • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00503A9D
                                                                          • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00503AA0
                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00503AC7
                                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00503AEA
                                                                          • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00503B62
                                                                          • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00503BAC
                                                                          • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00503BC7
                                                                          • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00503BE2
                                                                          • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00503BF6
                                                                          • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00503C13
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                           • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$LongWindow
                                                                          • String ID:
                                                                          • API String ID: 312131281-0
                                                                          • Opcode ID: f154fa514eb7c7daf77c1a046106e35d118ae4b2df428747cdbeda2c8337cccf
                                                                          • Instruction ID: e0f42a350b4f5db841a6f98ec1cb4ceccf77ef2f434e76f0767586cf511eb2ad
                                                                          • Opcode Fuzzy Hash: f154fa514eb7c7daf77c1a046106e35d118ae4b2df428747cdbeda2c8337cccf
                                                                          • Instruction Fuzzy Hash: 0A616775900208AFDB10DFA8CC81EEE7BB8FB49304F100199FA05AB2E1D774AE85DB50
                                                                          APIs
                                                                          • GetCurrentThreadId.KERNEL32 ref: 004DB151
                                                                          • GetForegroundWindow.USER32(00000000,?,?,?,?,?,004DA1E1,?,00000001), ref: 004DB165
                                                                          • GetWindowThreadProcessId.USER32(00000000), ref: 004DB16C
                                                                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,004DA1E1,?,00000001), ref: 004DB17B
                                                                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 004DB18D
                                                                          • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,004DA1E1,?,00000001), ref: 004DB1A6
                                                                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,004DA1E1,?,00000001), ref: 004DB1B8
                                                                          • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,004DA1E1,?,00000001), ref: 004DB1FD
                                                                          • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,004DA1E1,?,00000001), ref: 004DB212
                                                                          • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,004DA1E1,?,00000001), ref: 004DB21D
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                           • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                          • String ID:
                                                                          • API String ID: 2156557900-0
                                                                          • Opcode ID: 0e07859a5d18fb15535f36528d808faff8ede0682c482631e825e782d06c1f10
                                                                          • Instruction ID: 9ddcee4f918bfa09e9111bfe7fdf062c211fbe8b42f8813e8c3d2e78afe76c43
                                                                          • Opcode Fuzzy Hash: 0e07859a5d18fb15535f36528d808faff8ede0682c482631e825e782d06c1f10
                                                                          • Instruction Fuzzy Hash: 6B31A276500204EFDB209F64EC9CBAE7BB9EB62355F114247F904D6360D77899089FA8
                                                                          APIs
                                                                          • _free.LIBCMT ref: 004A2C94
                                                                            • Part of subcall function 004A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,004AD7D1,00000000,00000000,00000000,00000000,?,004AD7F8,00000000,00000007,00000000,?,004ADBF5,00000000), ref: 004A29DE
                                                                            • Part of subcall function 004A29C8: GetLastError.KERNEL32(00000000,?,004AD7D1,00000000,00000000,00000000,00000000,?,004AD7F8,00000000,00000007,00000000,?,004ADBF5,00000000,00000000), ref: 004A29F0
                                                                          • _free.LIBCMT ref: 004A2CA0
                                                                          • _free.LIBCMT ref: 004A2CAB
                                                                          • _free.LIBCMT ref: 004A2CB6
                                                                          • _free.LIBCMT ref: 004A2CC1
                                                                          • _free.LIBCMT ref: 004A2CCC
                                                                          • _free.LIBCMT ref: 004A2CD7
                                                                          • _free.LIBCMT ref: 004A2CE2
                                                                          • _free.LIBCMT ref: 004A2CED
                                                                          • _free.LIBCMT ref: 004A2CFB
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: _free$ErrorFreeHeapLast
                                                                          • String ID:
                                                                          • API String ID: 776569668-0
                                                                          • Opcode ID: e8477cdc6283ffb0f5b086e9da9b593d16da4714754d45d8eaf8ad1d2ac9c300
                                                                          • Instruction ID: f2af5cc4eeff6a3b95dcd7f02548f5a6ef6b27abca0f116da0f0844d5136ddfe
                                                                          • Opcode Fuzzy Hash: e8477cdc6283ffb0f5b086e9da9b593d16da4714754d45d8eaf8ad1d2ac9c300
                                                                          • Instruction Fuzzy Hash: B2112EB5200008BFCB42EF59DA42CDE3BA9FF16754F40409AFA485F232D675EE50AB55
                                                                          APIs
                                                                          • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00471459
                                                                          • OleUninitialize.OLE32(?,00000000), ref: 004714F8
                                                                          • UnregisterHotKey.USER32(?), ref: 004716DD
                                                                          • DestroyWindow.USER32(?), ref: 004B24B9
                                                                          • FreeLibrary.KERNEL32(?), ref: 004B251E
                                                                          • VirtualFree.KERNEL32(?,00000000,00008000), ref: 004B254B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                          • String ID: close all
                                                                          • API String ID: 469580280-3243417748
                                                                          • Opcode ID: 00a565b599ab60c7ac30197dd4d9838c1071e4c63afd30f678a03d539e29eae0
                                                                          • Instruction ID: 41a89fbc42d5556e84abebda765313f4e096d4b46b58066fcd16cb636fe7c44d
                                                                          • Opcode Fuzzy Hash: 00a565b599ab60c7ac30197dd4d9838c1071e4c63afd30f678a03d539e29eae0
                                                                          • Instruction Fuzzy Hash: EDD1BF30701212DFCB29EF19C595AA9F7A0BF05704F14869FE44A6B361CB38AD12CF69
                                                                          APIs
                                                                          • SetWindowLongW.USER32(?,000000EB), ref: 00475C7A
                                                                            • Part of subcall function 00475D0A: GetClientRect.USER32(?,?), ref: 00475D30
                                                                            • Part of subcall function 00475D0A: GetWindowRect.USER32(?,?), ref: 00475D71
                                                                            • Part of subcall function 00475D0A: ScreenToClient.USER32(?,?), ref: 00475D99
                                                                          • GetDC.USER32 ref: 004B46F5
                                                                          • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 004B4708
                                                                          • SelectObject.GDI32(00000000,00000000), ref: 004B4716
                                                                          • SelectObject.GDI32(00000000,00000000), ref: 004B472B
                                                                          • ReleaseDC.USER32(?,00000000), ref: 004B4733
                                                                          • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 004B47C4
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                                          • String ID: U
                                                                          • API String ID: 4009187628-3372436214
                                                                          • Opcode ID: 03526eab2e89b066b97fc083dddea31494a324349c594c5662c0bc3060e718c5
                                                                          • Instruction ID: 398e921942376f6d5143c7eb7c3ba8ec5bf96d90847e43866be57e49a1a25612
                                                                          • Opcode Fuzzy Hash: 03526eab2e89b066b97fc083dddea31494a324349c594c5662c0bc3060e718c5
                                                                          • Instruction Fuzzy Hash: C371F134400205DFCF218F64C984AFE7BB5FF8A324F14426BE9555A2A7CB398882DF65
                                                                          APIs
                                                                          • LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 004E35E4
                                                                            • Part of subcall function 00479CB3: _wcslen.LIBCMT ref: 00479CBD
                                                                          • LoadStringW.USER32(00542390,?,00000FFF,?), ref: 004E360A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: LoadString$_wcslen
                                                                          • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                          • API String ID: 4099089115-2391861430
                                                                          • Opcode ID: e6d777718d7f30cdab1c0165435894fd6ca48ecca511560652bd38ea1cea4d96
                                                                          • Instruction ID: fbd521f8846932d3df148a09b061f13a7e5862a1cee9feaecf5264827b208a07
                                                                          • Opcode Fuzzy Hash: e6d777718d7f30cdab1c0165435894fd6ca48ecca511560652bd38ea1cea4d96
                                                                          • Instruction Fuzzy Hash: 5E51A371C00149BACF15EFA2CC46EEEBB35AF15349F04812AF50972191DB381B98DF69
                                                                          APIs
                                                                          • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 004EC272
                                                                          • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004EC29A
                                                                          • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 004EC2CA
                                                                          • GetLastError.KERNEL32 ref: 004EC322
                                                                          • SetEvent.KERNEL32(?), ref: 004EC336
                                                                          • InternetCloseHandle.WININET(00000000), ref: 004EC341
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                                          • String ID:
                                                                          • API String ID: 3113390036-3916222277
                                                                          • Opcode ID: 42443c05585a38f573eea47e1fa4c10ab2fbe6db9f75744dc9338c97cbaef366
                                                                          • Instruction ID: 3687c5bed014abedd19debac016ac5b65a3980429862dd6ce6465375bac2c703
                                                                          • Opcode Fuzzy Hash: 42443c05585a38f573eea47e1fa4c10ab2fbe6db9f75744dc9338c97cbaef366
                                                                          • Instruction Fuzzy Hash: 1431BFB1500244AFD7219F668CC8ABF7BFCEB59745B00861EF84692200DB38DD0A9B69
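The function records above all follow one fixed layout: an "APIs" heading, one line per call in the form `Api.MODULE(args), ref: ADDRESS` (parentheses and the comma are absent for calls without recorded arguments, as in `GetDC.USER32 ref: 004B46F5`), indented "Part of subcall function ADDR:" entries for callees, and then the Memory Dump Source / Similarity sections. The following Python is an added example, not part of the Joe Sandbox report or of Joe Security's tooling: it parses lines in that exact shape into per-function records and tags the behaviours a triage pass would want to see first, namely AttachThreadInput (attaching to another thread's input queue, as in the record at 004DB165), the WinINet chain at 004EC272, the `mciSendStringW("close all")` call, and `SendMessageW` with a uMsg of 0x111 (WM_COMMAND) as sent to the SHELLDLL_DefView window. The embedded sample text is a constructed, trimmed subset of the page's lines, and the tag names and the watchlist grouping are this example's own assumptions rather than Joe Sandbox signatures.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the shape of the report's per-function API listings
# (a trimmed subset of lines copied from the page; not the full report).
SAMPLE_REPORT = """\
APIs
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,004DA1E1,?,00000001), ref: 004DB165
• GetWindowThreadProcessId.USER32(00000000), ref: 004DB16C
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,004DA1E1,?,00000001), ref: 004DB17B
Memory Dump Source
• Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
APIs
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 004EC272
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004EC29A
  • Part of subcall function 004A29C8: RtlFreeHeap.NTDLL(00000000,00000000), ref: 004A29DE
• GetLastError.KERNEL32 ref: 004EC322
Similarity
• API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
APIs
• GetClassNameW.USER32(00000000,?,00000100), ref: 004D20C0
• SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 004D214D
• mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00471459
Memory Dump Source
"""

# One "• Api.MODULE(args), ref: ADDR" line. Parentheses and the comma before
# "ref:" are optional (cf. "GetDC.USER32 ref: 004B46F5" on the page).
CALL_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Section headings that close an "APIs" listing in the report layout.
SECTION_HEADINGS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: str
    subcall_of: Optional[str] = None  # callee address for "Part of subcall" lines


@dataclass
class Function:
    calls: List[Call] = field(default_factory=list)

    def api_names(self) -> set:
        return {c.api for c in self.calls}

    def first_ref(self) -> Optional[str]:
        return self.calls[0].ref if self.calls else None


def parse_functions(text: str) -> List[Function]:
    """Split report text into one Function per "APIs" block."""
    functions: List[Function] = []
    current: Optional[Function] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = Function()
            functions.append(current)
            continue
        if line in SECTION_HEADINGS:
            current = None  # stop collecting until the next "APIs" heading
            continue
        if current is None:
            continue
        m = CALL_RE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
        current.calls.append(Call(m.group("api"), m.group("mod"), args,
                                  m.group("ref").upper(), m.group("sub")))
    return functions


# Triage watchlist. The API names are those seen in the report; grouping them
# into these tags is this example's own (assumed) choice, not a sandbox signature.
WATCHLIST = {
    "input-attach": {"AttachThreadInput", "BlockInput"},
    "wininet": {"InternetOpenUrlW", "HttpSendRequestW", "HttpQueryInfoW", "InternetConnectW"},
    "mci-close-all": {"mciSendStringW"},
}
WM_COMMAND = "00000111"  # uMsg as the report prints it (zero-padded hex)


def tag_function(fn: Function) -> set:
    tags = set()
    names = fn.api_names()
    for tag, apis in WATCHLIST.items():
        if names & apis:
            tags.add(tag)
    # SendMessageW(hWnd, WM_COMMAND, ...) drives another window's command handler.
    for c in fn.calls:
        if c.api == "SendMessageW" and len(c.args) > 1 and c.args[1] == WM_COMMAND:
            tags.add("wm-command")
    return tags


def summarize(text: str) -> dict:
    """Map the first ref address of each tagged function to its sorted tags."""
    return {fn.first_ref(): sorted(tag_function(fn))
            for fn in parse_functions(text) if tag_function(fn)}


if __name__ == "__main__":
    for ref, tags in summarize(SAMPLE_REPORT).items():
        print(ref, ", ".join(tags))
```

Feed it the text of the whole function listing rather than the sample and the output becomes a short table of ref addresses worth opening in the dump first; untagged functions (the `_free` runs, GDI drawing helpers) drop out of view without being discarded.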
                                                                          APIs
                                                                          • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,004B3AAF,?,?,Bad directive syntax error,0050CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 004D98BC
                                                                          • LoadStringW.USER32(00000000,?,004B3AAF,?), ref: 004D98C3
                                                                            • Part of subcall function 00479CB3: _wcslen.LIBCMT ref: 00479CBD
                                                                          • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 004D9987
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: HandleLoadMessageModuleString_wcslen
                                                                          • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                                          • API String ID: 858772685-4153970271
                                                                          • Opcode ID: ce59cdd78f7d8e6e9ae27036532e97ec3d450789c62e3159ec220de90c770035
                                                                          • Instruction ID: 882092ebd6855f25def7e81d014c228f11ef5f9d7e3e61afc46e7bfb466e900e
                                                                          • Opcode Fuzzy Hash: ce59cdd78f7d8e6e9ae27036532e97ec3d450789c62e3159ec220de90c770035
                                                                          • Instruction Fuzzy Hash: 8B216D3180021ABBCF15AF91CC16EEE7B35BF18704F04845FF519661A2EB79AA28DB15
                                                                          APIs
                                                                          • GetParent.USER32 ref: 004D20AB
                                                                          • GetClassNameW.USER32(00000000,?,00000100), ref: 004D20C0
                                                                          • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 004D214D
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: ClassMessageNameParentSend
                                                                          • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                          • API String ID: 1290815626-3381328864
                                                                          • Opcode ID: 59cc4d1e1f014b39fe86a22ae7703b3e30e100f5d158f4a54edcab6e3b704a7b
                                                                          • Instruction ID: ebed2c1a16d6452d0a73f37870b47274fa859cf1d338f7e8c8cd21dec392b598
                                                                          • Opcode Fuzzy Hash: 59cc4d1e1f014b39fe86a22ae7703b3e30e100f5d158f4a54edcab6e3b704a7b
                                                                          • Instruction Fuzzy Hash: D7117A36284703B9FA012620DC2BCAF7B9CDF25324F20422BF705A42D1FEA95807161C
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                                                                          • String ID:
                                                                          • API String ID: 1282221369-0
                                                                          • Opcode ID: 6df3c4c9b85e4eb899e3287b55008a3f3eb4883e2f810c350dc79e017d2f8f5e
                                                                          • Instruction ID: df6480ce5ad06cb5043815f83311af01ecc4dc5183dadea765987f7232426e87
                                                                          • Opcode Fuzzy Hash: 6df3c4c9b85e4eb899e3287b55008a3f3eb4883e2f810c350dc79e017d2f8f5e
                                                                          • Instruction Fuzzy Hash: 196168B2E04200AFCF21AFB998816AB7B95AF33318F14016FFA11973C1D63D9D059799
                                                                          APIs
                                                                          • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 004C6890
                                                                          • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 004C68A9
                                                                          • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 004C68B9
                                                                          • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 004C68D1
                                                                          • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 004C68F2
                                                                          • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00488874,00000000,00000000,00000000,000000FF,00000000), ref: 004C6901
                                                                          • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 004C691E
                                                                          • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00488874,00000000,00000000,00000000,000000FF,00000000), ref: 004C692D
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Icon$DestroyExtractImageLoadMessageSend
                                                                          • String ID:
                                                                          • API String ID: 1268354404-0
                                                                          • Opcode ID: 5dccd78c4c7d3e55bf308f62bb111fac5379b717c40598712e4ccaf9bda22c16
                                                                          • Instruction ID: 1c83847b33f0caffe63cccb5bef84752754d5d4e8ea780b0afba964c3699b6ce
                                                                          • Opcode Fuzzy Hash: 5dccd78c4c7d3e55bf308f62bb111fac5379b717c40598712e4ccaf9bda22c16
                                                                          • Instruction Fuzzy Hash: B351AB74600609AFDB20EF25CC91FAE3BB5FB98750F104A1EF902972A0DB74E981DB54
                                                                          APIs
                                                                          • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 004EC182
                                                                          • GetLastError.KERNEL32 ref: 004EC195
                                                                          • SetEvent.KERNEL32(?), ref: 004EC1A9
                                                                            • Part of subcall function 004EC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 004EC272
                                                                            • Part of subcall function 004EC253: GetLastError.KERNEL32 ref: 004EC322
                                                                            • Part of subcall function 004EC253: SetEvent.KERNEL32(?), ref: 004EC336
                                                                            • Part of subcall function 004EC253: InternetCloseHandle.WININET(00000000), ref: 004EC341
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                                                                          • String ID:
                                                                          • API String ID: 337547030-0
                                                                          • Opcode ID: 2c01f21bc545291399558185642f0dbb067ca3fa6b4c5328b04e72ea666181a7
                                                                          • Instruction ID: d17693b396e7bb9aefbfccf6ae07788bd8763f61057e3deb1fdd7709ebabee18
                                                                          • Opcode Fuzzy Hash: 2c01f21bc545291399558185642f0dbb067ca3fa6b4c5328b04e72ea666181a7
                                                                          • Instruction Fuzzy Hash: DB31A371500681AFDB219FA6DC84A7BBFF8FF15301B00451EFA5682611D734E816AFA5
                                                                          APIs
                                                                            • Part of subcall function 004D3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 004D3A57
                                                                            • Part of subcall function 004D3A3D: GetCurrentThreadId.KERNEL32 ref: 004D3A5E
                                                                            • Part of subcall function 004D3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004D25B3), ref: 004D3A65
                                                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 004D25BD
                                                                          • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 004D25DB
                                                                          • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 004D25DF
                                                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 004D25E9
                                                                          • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 004D2601
                                                                          • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 004D2605
                                                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 004D260F
                                                                          • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 004D2623
                                                                          • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 004D2627
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                                          • String ID:
                                                                          • API String ID: 2014098862-0
                                                                          • Opcode ID: 670bee7b74cd81af0eed5a59949d44a61d5afd9f5f92b803a5e3e5f4aff264e7
                                                                          • Instruction ID: 0150fef7cce7a4cbff027ec7868004d999f773fad5bd3d5b7654d9849a13f37f
                                                                          • Opcode Fuzzy Hash: 670bee7b74cd81af0eed5a59949d44a61d5afd9f5f92b803a5e3e5f4aff264e7
                                                                          • Instruction Fuzzy Hash: 3901D830390210BBFB2067699C9AF593F59DB5FB12F100107F314AF1D1C9E25444DAAA
                                                                          APIs
                                                                          • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,004D1449,?,?,00000000), ref: 004D180C
                                                                          • HeapAlloc.KERNEL32(00000000,?,004D1449,?,?,00000000), ref: 004D1813
                                                                          • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,004D1449,?,?,00000000), ref: 004D1828
                                                                          • GetCurrentProcess.KERNEL32(?,00000000,?,004D1449,?,?,00000000), ref: 004D1830
                                                                          • DuplicateHandle.KERNEL32(00000000,?,004D1449,?,?,00000000), ref: 004D1833
                                                                          • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,004D1449,?,?,00000000), ref: 004D1843
                                                                          • GetCurrentProcess.KERNEL32(004D1449,00000000,?,004D1449,?,?,00000000), ref: 004D184B
                                                                          • DuplicateHandle.KERNEL32(00000000,?,004D1449,?,?,00000000), ref: 004D184E
                                                                          • CreateThread.KERNEL32(00000000,00000000,004D1874,00000000,00000000,00000000), ref: 004D1868
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                          • String ID:
                                                                          • API String ID: 1957940570-0
                                                                          • Opcode ID: 9c91e2e07349d9b1d74b96572bfcce885e7586dd254ed266d4a0bb512567a7bd
                                                                          • Instruction ID: 659a0c552f409d27c4c5726e0d458d2224895783a9ba4a7502ad99b76f7932e6
                                                                          • Opcode Fuzzy Hash: 9c91e2e07349d9b1d74b96572bfcce885e7586dd254ed266d4a0bb512567a7bd
                                                                          • Instruction Fuzzy Hash: 4301BF75240304BFE710AB65DC4DF5B3F6CEB9AB11F004511FA05DB1A1C6749804DB20
                                                                          APIs
                                                                            • Part of subcall function 004DD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 004DD501
                                                                            • Part of subcall function 004DD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 004DD50F
                                                                            • Part of subcall function 004DD4DC: CloseHandle.KERNEL32(00000000), ref: 004DD5DC
                                                                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 004FA16D
                                                                          • GetLastError.KERNEL32 ref: 004FA180
                                                                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 004FA1B3
                                                                          • TerminateProcess.KERNEL32(00000000,00000000), ref: 004FA268
                                                                          • GetLastError.KERNEL32(00000000), ref: 004FA273
                                                                          • CloseHandle.KERNEL32(00000000), ref: 004FA2C4
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                          • String ID: SeDebugPrivilege
                                                                          • API String ID: 2533919879-2896544425
                                                                          • Opcode ID: 0554492d6307b164444a01776a7cd8ff669219587005e677df7443bcb07d460f
                                                                          • Instruction ID: cc2b36b1f6140859603dfe2fe81db6f417b915f566857b49bf15ad99c6f9b729
                                                                          • Opcode Fuzzy Hash: 0554492d6307b164444a01776a7cd8ff669219587005e677df7443bcb07d460f
                                                                          • Instruction Fuzzy Hash: D361D170204201AFD320DF19C494F6ABBE1AF45318F15C48EE55A4B7A3C77AEC49CB96
                                                                          APIs
                                                                          • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00503925
                                                                          • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0050393A
                                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00503954
                                                                          • _wcslen.LIBCMT ref: 00503999
                                                                          • SendMessageW.USER32(?,00001057,00000000,?), ref: 005039C6
                                                                          • SendMessageW.USER32(?,00001061,?,0000000F), ref: 005039F4
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$Window_wcslen
                                                                          • String ID: SysListView32
                                                                          • API String ID: 2147712094-78025650
                                                                          • Opcode ID: dc3d90a1e7141987f4ce4a96fa21830148ca007899c76de711838c83e1bd9c4d
                                                                          • Instruction ID: ea42e443844cc28d19d12ab970a048736e17221b0f5c90d170953ad875e81d0b
                                                                          • Opcode Fuzzy Hash: dc3d90a1e7141987f4ce4a96fa21830148ca007899c76de711838c83e1bd9c4d
                                                                          • Instruction Fuzzy Hash: CE419E71A00219ABEB219F64CC49BEE7FA9FF48354F10052AF958E72C1D7719A84CB94
                                                                          APIs
                                                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004DBCFD
                                                                          • IsMenu.USER32(00000000), ref: 004DBD1D
                                                                          • CreatePopupMenu.USER32 ref: 004DBD53
                                                                          • GetMenuItemCount.USER32(00AB77C8), ref: 004DBDA4
                                                                          • InsertMenuItemW.USER32(00AB77C8,?,00000001,00000030), ref: 004DBDCC
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Menu$Item$CountCreateInfoInsertPopup
                                                                          • String ID: 0$2
                                                                          • API String ID: 93392585-3793063076
                                                                          • Opcode ID: 1312d41bdedbe2cd12aec46fcddbbd94e30cf2f482afa89fd9567897117661f7
                                                                          • Instruction ID: 227980f5edd3e015beacd00e72613875d29fd9e18dde880f472333a1ab1385df
                                                                          • Opcode Fuzzy Hash: 1312d41bdedbe2cd12aec46fcddbbd94e30cf2f482afa89fd9567897117661f7
                                                                          • Instruction Fuzzy Hash: D051CF70A00205DBDB21CFA9C8A4BAEBBF6FF49314F15421BE44197390D7789945CBA9
                                                                          APIs
                                                                          • LoadIconW.USER32(00000000,00007F03), ref: 004DC913
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: IconLoad
                                                                          • String ID: blank$info$question$stop$warning
                                                                          • API String ID: 2457776203-404129466
                                                                          • Opcode ID: 786493fca3ba856b5c91532ec7ab53e7f4d0371536f34525d16d39c8a4b524d6
                                                                          • Instruction ID: ff05dfbbe79d459a0a587d669695bd9404af069312ddf3d468da069034562fac
                                                                          • Opcode Fuzzy Hash: 786493fca3ba856b5c91532ec7ab53e7f4d0371536f34525d16d39c8a4b524d6
                                                                          • Instruction Fuzzy Hash: D8110871789307BAEB016B54DCE2CAB2BDCDF15329B50406FF500A6382D7685D01A26D
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: _wcslen$LocalTime
                                                                          • String ID:
                                                                          • API String ID: 952045576-0
                                                                          • Opcode ID: b284c55cdb2630525cbcfe3ddf5753d04338ab58b6c727388ffd9414343cd61b
                                                                          • Instruction ID: a100dcf5e9a6cbb4cf0403e0c59ff049fd8c7f9f321d215486a3f4321508bc07
                                                                          • Opcode Fuzzy Hash: b284c55cdb2630525cbcfe3ddf5753d04338ab58b6c727388ffd9414343cd61b
                                                                          • Instruction Fuzzy Hash: BC418265C1011865CF11FBB6C88A9CFBBA8AF45710F50856BE518E3261EB38D255C3AD
                                                                          APIs
                                                                          • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,004C682C,00000004,00000000,00000000), ref: 0048F953
                                                                          • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,004C682C,00000004,00000000,00000000), ref: 004CF3D1
                                                                          • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,004C682C,00000004,00000000,00000000), ref: 004CF454
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: ShowWindow
                                                                          • String ID:
                                                                          • API String ID: 1268545403-0
                                                                          • Opcode ID: 99359f88ad52fe99b82bcb458a0c925e412e0a8119ff304cd48766f9fc2291e7
                                                                          • Instruction ID: 45c539888a26d2e54ed8dbde911cd3e2d57f952689703ca6f4a7f4d0ddcbfa4b
                                                                          • Opcode Fuzzy Hash: 99359f88ad52fe99b82bcb458a0c925e412e0a8119ff304cd48766f9fc2291e7
                                                                          • Instruction Fuzzy Hash: C2415F74104680FAC778AB2DC888B6F7F92AB66314F14493FE44752760C63D988DDB1D
                                                                          APIs
                                                                          • DeleteObject.GDI32(00000000), ref: 00502D1B
                                                                          • GetDC.USER32(00000000), ref: 00502D23
                                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00502D2E
                                                                          • ReleaseDC.USER32(00000000,00000000), ref: 00502D3A
                                                                          • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00502D76
                                                                          • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00502D87
                                                                          • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00505A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00502DC2
                                                                          • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00502DE1
                                                                          Similarity
                                                                          • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                          • String ID:
                                                                          • API String ID: 3864802216-0
                                                                          • Opcode ID: d2bebcd0db430779b004028655fdf56718050db9d3f1e42826cf56d45dcde7c7
                                                                          • Instruction ID: cb7f994ea3e4899f134314d534d8b25260048539a198045dc1daf6c9de43a5bf
                                                                          • Opcode Fuzzy Hash: d2bebcd0db430779b004028655fdf56718050db9d3f1e42826cf56d45dcde7c7
                                                                          • Instruction Fuzzy Hash: 0F315672201214ABEB218F548C8AFAB3FADFB1A715F044165FE089A2D1C6759C55CBA4
                                                                          APIs
                                                                          Similarity
                                                                          • API ID: _memcmp
                                                                          • String ID:
                                                                          • API String ID: 2931989736-0
                                                                          • Opcode ID: ef5e5788db3a192a210bde0bfad269e1b3da109ece6c337a524415206bf88510
                                                                          • Instruction ID: 26ef248973e2d723aa68f66ef03417bb864a61c04054d1d9d65be101da9256c0
                                                                          • Opcode Fuzzy Hash: ef5e5788db3a192a210bde0bfad269e1b3da109ece6c337a524415206bf88510
                                                                          • Instruction Fuzzy Hash: 6A218661644A09B7E62555118EA2FBF376CBF21388F540037FD085AB81FF28ED1186AD
                                                                          Strings
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: NULL Pointer assignment$Not an Object type
                                                                          • API String ID: 0-572801152
                                                                          • Opcode ID: 6b662be362bd69f17a7a15465412a2a3fde8b58791fad5bd6205ccc536b2ce82
                                                                          • Instruction ID: d82e0a95df156014b3178a614e2a3e730e68c9b4c837f525c62ea57dde720c05
                                                                          • Opcode Fuzzy Hash: 6b662be362bd69f17a7a15465412a2a3fde8b58791fad5bd6205ccc536b2ce82
                                                                          • Instruction Fuzzy Hash: A2D19F71A0060EAFDF10CF98C880BBEB7B5BF48344F15816AEA15AB281D774ED45CB94
                                                                          APIs
                                                                          • GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,004B17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 004B15CE
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004B17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 004B1651
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,004B17FB,?,004B17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 004B16E4
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004B17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 004B16FB
                                                                            • Part of subcall function 004A3820: RtlAllocateHeap.NTDLL(00000000,?,00541444,?,0048FDF5,?,?,0047A976,00000010,00541440,004713FC,?,004713C6,?,00471129), ref: 004A3852
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,004B17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 004B1777
                                                                          • __freea.LIBCMT ref: 004B17A2
                                                                          • __freea.LIBCMT ref: 004B17AE
                                                                          Similarity
                                                                          • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                                                                          • String ID:
                                                                          • API String ID: 2829977744-0
                                                                          • Opcode ID: 828f64627f70bee696a95c9e9ce04167eb9f0c3635d5d58237009d712965ceeb
                                                                          • Instruction ID: 5432c3b270816bba75df729e4aeff243c8b64588f502a3c79a4a8f164bcdec01
                                                                          • Opcode Fuzzy Hash: 828f64627f70bee696a95c9e9ce04167eb9f0c3635d5d58237009d712965ceeb
                                                                          • Instruction Fuzzy Hash: 1B91C371E10216AADB208E64C8A1EEF7BB59F59310F98066BE801E7261DB2DDC45C778
                                                                          APIs
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: Variant$ClearInit
                                                                          • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                          • API String ID: 2610073882-625585964
                                                                          • Opcode ID: e0fa05f6618027c5b796ce2f2ac575504297840c70396e1e01d7aa375b060384
                                                                          • Instruction ID: 6258b40ad36c78b22cd9eeac48cb61264ddfacfba1142dc469625db87128c1c5
                                                                          • Opcode Fuzzy Hash: e0fa05f6618027c5b796ce2f2ac575504297840c70396e1e01d7aa375b060384
                                                                          • Instruction Fuzzy Hash: DB91A571A00219ABDF20DFA5C844FBF7BB8EF85714F10855AF605AB280DB789945CF94
                                                                          APIs
                                                                          • SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 004E125C
                                                                          • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 004E1284
                                                                          • SafeArrayUnaccessData.OLEAUT32(00000001), ref: 004E12A8
                                                                          • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004E12D8
                                                                          • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004E135F
                                                                          • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004E13C4
                                                                          • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004E1430
                                                                          Similarity
                                                                          • API ID: ArraySafe$Data$Access$UnaccessVartype
                                                                          • String ID:
                                                                          • API String ID: 2550207440-0
                                                                          • Opcode ID: 1e479ea7d76ef084af30c715bf491b72b67568b6fb169312fcbf8e1df354f8f4
                                                                          • Instruction ID: 6c3a4d5d3177262f85efb6bc01ad5855b14e72525960a815275a1e84cf971376
                                                                          • Opcode Fuzzy Hash: 1e479ea7d76ef084af30c715bf491b72b67568b6fb169312fcbf8e1df354f8f4
                                                                          • Instruction Fuzzy Hash: 9991F271A402589FDB00DF96C884BBEB7B5FF4531AF10406BEA40E73A1D778A945CB98
                                                                          Similarity
                                                                          • API ID: ObjectSelect$BeginCreatePath
                                                                          • String ID:
                                                                          • API String ID: 3225163088-0
                                                                          • Opcode ID: 615748caf3dc9efefdd5f95f9f450c64a1f52c87567cdc65d403275c4c8a7a1b
                                                                          • Instruction ID: 2a7d43aa9aa0e2082f6d6a2b308cd8dadfa9ee738d6d0cbdbc51e338223960c8
                                                                          • Opcode Fuzzy Hash: 615748caf3dc9efefdd5f95f9f450c64a1f52c87567cdc65d403275c4c8a7a1b
                                                                          • Instruction Fuzzy Hash: EB913771D00219EFCB10DFA9C884AEEBBB8FF49320F18454AE915B7251D378AD42CB64
                                                                          APIs
                                                                          • VariantInit.OLEAUT32(?), ref: 004F396B
                                                                          • CharUpperBuffW.USER32(?,?), ref: 004F3A7A
                                                                          • _wcslen.LIBCMT ref: 004F3A8A
                                                                          • VariantClear.OLEAUT32(?), ref: 004F3C1F
                                                                            • Part of subcall function 004E0CDF: VariantInit.OLEAUT32(00000000), ref: 004E0D1F
                                                                            • Part of subcall function 004E0CDF: VariantCopy.OLEAUT32(?,?), ref: 004E0D28
                                                                            • Part of subcall function 004E0CDF: VariantClear.OLEAUT32(?), ref: 004E0D34
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                                                                          • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                          • API String ID: 4137639002-1221869570
                                                                          • Opcode ID: a7457e8fcfa8c966afbf5aae6201243998309b7d46d11e37f560dc7b9842866d
                                                                          • Instruction ID: dcf6b410ccde5df14cf8b0bf1a04d12febe16402853a8b175173935eff742ea4
                                                                          • Opcode Fuzzy Hash: a7457e8fcfa8c966afbf5aae6201243998309b7d46d11e37f560dc7b9842866d
                                                                          • Instruction Fuzzy Hash: 09918A74A083059FC704EF25C49086AB7E4FF89319F14892EF98997351DB38EE05CB96
                                                                          APIs
                                                                            • Part of subcall function 004D000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,004CFF41,80070057,?,?,?,004D035E), ref: 004D002B
                                                                            • Part of subcall function 004D000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,004CFF41,80070057,?,?), ref: 004D0046
                                                                            • Part of subcall function 004D000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,004CFF41,80070057,?,?), ref: 004D0054
                                                                            • Part of subcall function 004D000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,004CFF41,80070057,?), ref: 004D0064
                                                                          • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 004F4C51
                                                                          • _wcslen.LIBCMT ref: 004F4D59
                                                                          • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 004F4DCF
                                                                          • CoTaskMemFree.OLE32(?), ref: 004F4DDA
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
                                                                          • String ID: NULL Pointer assignment
                                                                          • API String ID: 614568839-2785691316
                                                                          • Opcode ID: a55eb54dcbd39691ca709a683f5cc0c6528c1beebbd34042ebacba63b288693e
                                                                          • Instruction ID: 52cb9716f624641621c040e794fea649b7ffd84bc7d9cb619138e90292c78fac
                                                                          • Opcode Fuzzy Hash: a55eb54dcbd39691ca709a683f5cc0c6528c1beebbd34042ebacba63b288693e
                                                                          • Instruction Fuzzy Hash: BA914871D0021DEFDF10DFA5C891AEEBBB8BF48304F10816AE919A7251DB389A45CF64
                                                                          APIs
                                                                          • GetMenu.USER32(?), ref: 00502183
                                                                          • GetMenuItemCount.USER32(00000000), ref: 005021B5
                                                                          • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 005021DD
                                                                          • _wcslen.LIBCMT ref: 00502213
                                                                          • GetMenuItemID.USER32(?,?), ref: 0050224D
                                                                          • GetSubMenu.USER32(?,?), ref: 0050225B
                                                                            • Part of subcall function 004D3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 004D3A57
                                                                            • Part of subcall function 004D3A3D: GetCurrentThreadId.KERNEL32 ref: 004D3A5E
                                                                            • Part of subcall function 004D3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004D25B3), ref: 004D3A65
                                                                          • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 005022E3
                                                                            • Part of subcall function 004DE97B: Sleep.KERNEL32 ref: 004DE9F3
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                                                                          • String ID:
                                                                          • API String ID: 4196846111-0
                                                                          • Opcode ID: 9f5a6b111f7e2ca29f019f0d022912f3ac526a4245f497484fab39151572320b
                                                                          • Instruction ID: 506c55af1665b8036c921072835dfd8c6db91df07fced504e18e99c73e1fa9c4
                                                                          • Opcode Fuzzy Hash: 9f5a6b111f7e2ca29f019f0d022912f3ac526a4245f497484fab39151572320b
                                                                          • Instruction Fuzzy Hash: A0717175A00205AFCB10EFA5C889AAEBBF5FF89314F148459E816EB391D734ED41CB90
                                                                          APIs
                                                                          • GetParent.USER32(?), ref: 004DAEF9
                                                                          • GetKeyboardState.USER32(?), ref: 004DAF0E
                                                                          • SetKeyboardState.USER32(?), ref: 004DAF6F
                                                                          • PostMessageW.USER32(?,00000101,00000010,?), ref: 004DAF9D
                                                                          • PostMessageW.USER32(?,00000101,00000011,?), ref: 004DAFBC
                                                                          • PostMessageW.USER32(?,00000101,00000012,?), ref: 004DAFFD
                                                                          • PostMessageW.USER32(?,00000101,0000005B,?), ref: 004DB020
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: MessagePost$KeyboardState$Parent
                                                                          • String ID:
                                                                          • API String ID: 87235514-0
                                                                          • Opcode ID: e2d5e061f9d3ead989ad1932b8f62b1045c59598ce45baea030d12d0fb4dd389
                                                                          • Instruction ID: 7880daaeb974e15497b26e3eb7d386624ab7adbc1f694fe100e657cf4f63cb9c
                                                                          • Opcode Fuzzy Hash: e2d5e061f9d3ead989ad1932b8f62b1045c59598ce45baea030d12d0fb4dd389
                                                                          • Instruction Fuzzy Hash: 0551E3A16043D17DFB3783348869BBB7EA99B06304F08858FE1D5456C2C39DACD8D799
                                                                          APIs
                                                                          • GetParent.USER32(00000000), ref: 004DAD19
                                                                          • GetKeyboardState.USER32(?), ref: 004DAD2E
                                                                          • SetKeyboardState.USER32(?), ref: 004DAD8F
                                                                          • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 004DADBB
                                                                          • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 004DADD8
                                                                          • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 004DAE17
                                                                          • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 004DAE38
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: MessagePost$KeyboardState$Parent
                                                                          • String ID:
                                                                          • API String ID: 87235514-0
                                                                          • Opcode ID: ee44b9de44148a1e6c3329ec67a99ab99289cd988544e4c5db816e812a594b11
                                                                          • Instruction ID: f44c68ef6953eb8353fe4a44494aa175dfea7545a6bfdc1fc715d05b59aedaa5
                                                                          • Opcode Fuzzy Hash: ee44b9de44148a1e6c3329ec67a99ab99289cd988544e4c5db816e812a594b11
                                                                          • Instruction Fuzzy Hash: 8651E7A15447D53DFB3283348C65B7B7F9A5B46300F08858BE1D546BC2C398ECA8E76A
                                                                          APIs
                                                                          • GetConsoleCP.KERNEL32(004B3CD6,?,?,?,?,?,?,?,?,004A5BA3,?,?,004B3CD6,?,?), ref: 004A5470
                                                                          • __fassign.LIBCMT ref: 004A54EB
                                                                          • __fassign.LIBCMT ref: 004A5506
                                                                          • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,004B3CD6,00000005,00000000,00000000), ref: 004A552C
                                                                          • WriteFile.KERNEL32(?,004B3CD6,00000000,004A5BA3,00000000,?,?,?,?,?,?,?,?,?,004A5BA3,?), ref: 004A554B
                                                                          • WriteFile.KERNEL32(?,?,00000001,004A5BA3,00000000,?,?,?,?,?,?,?,?,?,004A5BA3,?), ref: 004A5584
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                          • String ID:
                                                                          • API String ID: 1324828854-0
                                                                          • Opcode ID: 4245e1a785a35809fa8acf34e8f8f47833a00a0814c9a2b075a1aeff2230951f
                                                                          • Instruction ID: f602fabbedeb957efd316bcc7b1f128489ab6cc0c08bbdd428106d6014e3d3c8
                                                                          • Opcode Fuzzy Hash: 4245e1a785a35809fa8acf34e8f8f47833a00a0814c9a2b075a1aeff2230951f
                                                                          • Instruction Fuzzy Hash: 5251E5B0D00608AFDB10CFA8D945AEEBBF9EF2A300F14411BF955E7291D7349A45CB64
                                                                          APIs
                                                                          • _ValidateLocalCookies.LIBCMT ref: 00492D4B
                                                                          • ___except_validate_context_record.LIBVCRUNTIME ref: 00492D53
                                                                          • _ValidateLocalCookies.LIBCMT ref: 00492DE1
                                                                          • _ValidateLocalCookies.LIBCMT ref: 00492E61
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: CookiesLocalValidate$___except_validate_context_record
                                                                          • String ID: &HI$csm
                                                                          • API String ID: 2101322661-1154374745
                                                                          • Opcode ID: 3d0e2dda292a923afaa057d91103b1255a98bc4f91d5381e5c63c66a182b6f35
                                                                          • Instruction ID: eb58f5688712ce9b81635d712a4eee87c4b8779d2927df464cc2f1df262d8542
                                                                          • Opcode Fuzzy Hash: 3d0e2dda292a923afaa057d91103b1255a98bc4f91d5381e5c63c66a182b6f35
                                                                          • Instruction Fuzzy Hash: 6241C434A00209ABCF10DF69C945A9FBFB5BF45318F14816AE8146B392D7B9AA05CBD4
                                                                          APIs
                                                                            • Part of subcall function 004F304E: inet_addr.WSOCK32(?), ref: 004F307A
                                                                            • Part of subcall function 004F304E: _wcslen.LIBCMT ref: 004F309B
                                                                          • socket.WSOCK32(00000002,00000001,00000006), ref: 004F1112
                                                                          • WSAGetLastError.WSOCK32 ref: 004F1121
                                                                          • WSAGetLastError.WSOCK32 ref: 004F11C9
                                                                          • closesocket.WSOCK32(00000000), ref: 004F11F9
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
                                                                          • String ID:
                                                                          • API String ID: 2675159561-0
                                                                          • Opcode ID: 2e68ae9db8c805654765a147c3db2cc1524910491b31c5d6ffbc97c5e476d532
                                                                          • Instruction ID: 451dfb78897a12a0e672a52fdd143587d5515427880110de0ac9b47b3eaffe2f
                                                                          • Opcode Fuzzy Hash: 2e68ae9db8c805654765a147c3db2cc1524910491b31c5d6ffbc97c5e476d532
                                                                          • Instruction Fuzzy Hash: 1D41D731600108EFDB109F14C984BBEBBE9EF4A368F14815AFA159B391C778AD45CBE5
                                                                          APIs
                                                                            • Part of subcall function 004DDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,004DCF22,?), ref: 004DDDFD
                                                                            • Part of subcall function 004DDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,004DCF22,?), ref: 004DDE16
                                                                          • lstrcmpiW.KERNEL32(?,?), ref: 004DCF45
                                                                          • MoveFileW.KERNEL32(?,?), ref: 004DCF7F
                                                                          • _wcslen.LIBCMT ref: 004DD005
                                                                          • _wcslen.LIBCMT ref: 004DD01B
                                                                          • SHFileOperationW.SHELL32(?), ref: 004DD061
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
                                                                          • String ID: \*.*
                                                                          • API String ID: 3164238972-1173974218
                                                                          • Opcode ID: de2d54baa6818129f97591a383d65a5a17939bd1fe1ca3a4c4e4812baa547df7
                                                                          • Instruction ID: 0e9fb820391ff40f2279aa40e6bae53bf169b7cf14af6b0f2efcbdf3f92bf97a
                                                                          • Opcode Fuzzy Hash: de2d54baa6818129f97591a383d65a5a17939bd1fe1ca3a4c4e4812baa547df7
                                                                          • Instruction Fuzzy Hash: DA417871D452195FDF12EBA4CD91EDEB7B9AF08384F1000EBE505EB241EB38A648CB54
                                                                          APIs
                                                                          • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00502E1C
                                                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 00502E4F
                                                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 00502E84
                                                                          • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00502EB6
                                                                          • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00502EE0
                                                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 00502EF1
                                                                          • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00502F0B
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: LongWindow$MessageSend
                                                                          • String ID:
                                                                          • API String ID: 2178440468-0
                                                                          • Opcode ID: ef51adc4027aca1223648895f0c82c8481ed6a0e744578e3c8b2c74d723e6833
                                                                          • Instruction ID: 4d1ad0f1b1f1069c0e6e82cd605e253440b5d2f0691e58d24d65978256027445
                                                                          • Opcode Fuzzy Hash: ef51adc4027aca1223648895f0c82c8481ed6a0e744578e3c8b2c74d723e6833
                                                                          • Instruction Fuzzy Hash: E23108346841519FDB21CF58DC88FA93BE9FBAA754F150164FA048F2F1CB71A844EB41
                                                                          APIs
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004D7769
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004D778F
                                                                          • SysAllocString.OLEAUT32(00000000), ref: 004D7792
                                                                          • SysAllocString.OLEAUT32(?), ref: 004D77B0
                                                                          • SysFreeString.OLEAUT32(?), ref: 004D77B9
                                                                          • StringFromGUID2.OLE32(?,?,00000028), ref: 004D77DE
                                                                          • SysAllocString.OLEAUT32(?), ref: 004D77EC
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                          • String ID:
                                                                          • API String ID: 3761583154-0
                                                                          • Opcode ID: b8747653ee699e145d1c74d75852d0cd2428796407dc6f49ca241c16bb7a7667
                                                                          • Instruction ID: e8968d20571e2939df70ca6e18a1f736a793231d3329761685254590113e43f6
                                                                          • Opcode Fuzzy Hash: b8747653ee699e145d1c74d75852d0cd2428796407dc6f49ca241c16bb7a7667
                                                                          • Instruction Fuzzy Hash: 6921A376604219AFDF10EFA8CC84CBF77ACEB093647008527B904DB290E674EC458768
                                                                          APIs
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004D7842
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004D7868
                                                                          • SysAllocString.OLEAUT32(00000000), ref: 004D786B
                                                                          • SysAllocString.OLEAUT32 ref: 004D788C
                                                                          • SysFreeString.OLEAUT32 ref: 004D7895
                                                                          • StringFromGUID2.OLE32(?,?,00000028), ref: 004D78AF
                                                                          • SysAllocString.OLEAUT32(?), ref: 004D78BD
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                          • String ID:
                                                                          • API String ID: 3761583154-0
                                                                          • Opcode ID: 0da0a10be2548294f81d994ec1a6cd2d6fa5ab3a9589c93d9311fbd764a3b9cd
                                                                          • Instruction ID: 385445983ea5ae202c924abd92ffb869d32c7cae61a029f0b2761c3b95ee3e1b
                                                                          • Opcode Fuzzy Hash: 0da0a10be2548294f81d994ec1a6cd2d6fa5ab3a9589c93d9311fbd764a3b9cd
                                                                          • Instruction Fuzzy Hash: 6F216231604104AFDF10AFA8DC99DAB7BECFB097607108126F915CB3A1E674DC45DB68
                                                                          APIs
                                                                          • GetStdHandle.KERNEL32(0000000C), ref: 004E04F2
                                                                          • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 004E052E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: CreateHandlePipe
                                                                          • String ID: nul
                                                                          • API String ID: 1424370930-2873401336
                                                                          • Opcode ID: 8892fb3c3b0c10154a6af03c096feb684001543615b5531c9903e1e077360540
                                                                          • Instruction ID: 27a19c9d943fbe3603260371cf7bd7806e4200ae63d606e8a33ed467167c4df0
                                                                          • Opcode Fuzzy Hash: 8892fb3c3b0c10154a6af03c096feb684001543615b5531c9903e1e077360540
                                                                          • Instruction Fuzzy Hash: D521AB74500346ABCB208F2ADC04A9A7BB4AF55725F604A1AF8F1E22E0D7B4D980DF24
                                                                          APIs
                                                                          • GetStdHandle.KERNEL32(000000F6), ref: 004E05C6
                                                                          • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 004E0601
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: CreateHandlePipe
                                                                          • String ID: nul
                                                                          • API String ID: 1424370930-2873401336
                                                                          • Opcode ID: 51119714ae048d0a2056dc2a4f347bf4065221479dcf9cc9d882e7d5aa9e52d7
                                                                          • Instruction ID: a87de91250baef5706e2ccb969fc745a554682ff99bcfe28f5e5218b0b09d681
                                                                          • Opcode Fuzzy Hash: 51119714ae048d0a2056dc2a4f347bf4065221479dcf9cc9d882e7d5aa9e52d7
                                                                          • Instruction Fuzzy Hash: 1F219135500345ABDB208F7A9C04B9B77A4BF95721F200B1AE8B1E32E0D7B498A1CB14
                                                                          APIs
                                                                            • Part of subcall function 0047600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0047604C
                                                                            • Part of subcall function 0047600E: GetStockObject.GDI32(00000011), ref: 00476060
                                                                            • Part of subcall function 0047600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0047606A
                                                                          • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00504112
                                                                          • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0050411F
                                                                          • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0050412A
                                                                          • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00504139
                                                                          • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00504145
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$CreateObjectStockWindow
                                                                          • String ID: Msctls_Progress32
                                                                          • API String ID: 1025951953-3636473452
                                                                          • Opcode ID: b6e951ae936234ea2a76af7b7211b7fffd772f4305fb303bd544a2298d9ae9a1
                                                                          • Instruction ID: e33c0cf0310460c18207bb54ef0bb4f122bc719faf607bd2944ec1d806967254
                                                                          • Opcode Fuzzy Hash: b6e951ae936234ea2a76af7b7211b7fffd772f4305fb303bd544a2298d9ae9a1
                                                                          • Instruction Fuzzy Hash: 2711B6B214011DBEEF118F64CC85EEB7F5DFF19798F014111B718A6090CA729C61DBA4
                                                                          APIs
                                                                            • Part of subcall function 004AD7A3: _free.LIBCMT ref: 004AD7CC
                                                                          • _free.LIBCMT ref: 004AD82D
                                                                            • Part of subcall function 004A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,004AD7D1,00000000,00000000,00000000,00000000,?,004AD7F8,00000000,00000007,00000000,?,004ADBF5,00000000), ref: 004A29DE
                                                                            • Part of subcall function 004A29C8: GetLastError.KERNEL32(00000000,?,004AD7D1,00000000,00000000,00000000,00000000,?,004AD7F8,00000000,00000007,00000000,?,004ADBF5,00000000,00000000), ref: 004A29F0
                                                                          • _free.LIBCMT ref: 004AD838
                                                                          • _free.LIBCMT ref: 004AD843
                                                                          • _free.LIBCMT ref: 004AD897
                                                                          • _free.LIBCMT ref: 004AD8A2
                                                                          • _free.LIBCMT ref: 004AD8AD
                                                                          • _free.LIBCMT ref: 004AD8B8
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: _free$ErrorFreeHeapLast
                                                                          • String ID:
                                                                          • API String ID: 776569668-0
                                                                          • Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                                                                          • Instruction ID: 17320ef0dfe0ed9b04e8456dd258ae1dc20fb0dcba9759c6fac5441d0a273d1b
                                                                          • Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                                                                          • Instruction Fuzzy Hash: 761184B5940704AAD521BFB2CC07FCB7BDC6F22704F80081EB29AA68A2DA6CB5055655
                                                                          APIs
                                                                          • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 004DDA74
                                                                          • LoadStringW.USER32(00000000), ref: 004DDA7B
                                                                          • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 004DDA91
                                                                          • LoadStringW.USER32(00000000), ref: 004DDA98
                                                                          • MessageBoxW.USER32(00000000,?,?,00011010), ref: 004DDADC
                                                                          Strings
                                                                          • %s (%d) : ==> %s: %s %s, xrefs: 004DDAB9
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: HandleLoadModuleString$Message
                                                                          • String ID: %s (%d) : ==> %s: %s %s
                                                                          • API String ID: 4072794657-3128320259
                                                                          • Opcode ID: 9dddcea289c7abf10ea7f79866bbb97dae1a45811d283538e01c129ff608da9b
                                                                          • Instruction ID: 8950f47fd3cc6ea84b68e400d764e9917b09f13cac88550a21ba14fe81579750
                                                                          • Opcode Fuzzy Hash: 9dddcea289c7abf10ea7f79866bbb97dae1a45811d283538e01c129ff608da9b
                                                                          • Instruction Fuzzy Hash: 030186F69002087FEB119BA4DD89EEF3B6CE709301F444597B706E2181E6749E888F74
                                                                          APIs
                                                                          • InterlockedExchange.KERNEL32(00AAD2E8,00AAD2E8), ref: 004E097B
                                                                          • EnterCriticalSection.KERNEL32(00AAD2C8,00000000), ref: 004E098D
                                                                          • TerminateThread.KERNEL32(00AAD2E0,000001F6), ref: 004E099B
                                                                          • WaitForSingleObject.KERNEL32(00AAD2E0,000003E8), ref: 004E09A9
                                                                          • CloseHandle.KERNEL32(00AAD2E0), ref: 004E09B8
                                                                          • InterlockedExchange.KERNEL32(00AAD2E8,000001F6), ref: 004E09C8
                                                                          • LeaveCriticalSection.KERNEL32(00AAD2C8), ref: 004E09CF
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                          • String ID:
                                                                          • API String ID: 3495660284-0
                                                                          • Opcode ID: 4589879bdc8d01a82125ca6030aabb5045e01ece215280f7d5df969d91ec82e2
                                                                          • Instruction ID: 55485d6cb24d0bed0cf6dd171396515a6c59bfd239a711c01a9a3f75a9a3cab6
                                                                          • Opcode Fuzzy Hash: 4589879bdc8d01a82125ca6030aabb5045e01ece215280f7d5df969d91ec82e2
                                                                          • Instruction Fuzzy Hash: 40F01972442A02ABD7415FA4EE88ADABA29BF12702F402226F24290CA1C7749469DF94
                                                                          APIs
                                                                          • __WSAFDIsSet.WSOCK32(00000000,?), ref: 004F1DC0
                                                                          • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 004F1DE1
                                                                          • WSAGetLastError.WSOCK32 ref: 004F1DF2
                                                                          • htons.WSOCK32(?), ref: 004F1EDB
                                                                          • inet_ntoa.WSOCK32(?), ref: 004F1E8C
                                                                            • Part of subcall function 004D39E8: _strlen.LIBCMT ref: 004D39F2
                                                                            • Part of subcall function 004F3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,004EEC0C), ref: 004F3240
                                                                          • _strlen.LIBCMT ref: 004F1F35
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
                                                                          • String ID:
                                                                          • API String ID: 3203458085-0
                                                                          • Opcode ID: c9d34c2327945100e53ea6e62641bf6e68a638b21c09e421d691e003f9aedd7f
                                                                          • Instruction ID: 1f50b1c007bfe17f4317bae178d99fac0bbdde85760653ae8104008b88d262a5
                                                                          • Opcode Fuzzy Hash: c9d34c2327945100e53ea6e62641bf6e68a638b21c09e421d691e003f9aedd7f
                                                                          • Instruction Fuzzy Hash: A9B1E330104340AFC324EF25C881E7A7BA5AF85318F54894EF55A5B3E2CB39ED46CB96
                                                                          APIs
                                                                          • __allrem.LIBCMT ref: 004A00BA
                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004A00D6
                                                                          • __allrem.LIBCMT ref: 004A00ED
                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004A010B
                                                                          • __allrem.LIBCMT ref: 004A0122
                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004A0140
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                          • String ID:
                                                                          • API String ID: 1992179935-0
                                                                          • Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
                                                                          • Instruction ID: 8b82e56d3e0492eef9f3f844e08428289fb67a8b9a53717ad956e76b73fab952
                                                                          • Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
                                                                          • Instruction Fuzzy Hash: 5C810672A007069BEB209E29CC41BAB77E8EF62328F24413FF451D7381E779D9048798
                                                                          APIs
                                                                          • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,004982D9,004982D9,?,?,?,004A644F,00000001,00000001,8BE85006), ref: 004A6258
                                                                          • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,004A644F,00000001,00000001,8BE85006,?,?,?), ref: 004A62DE
                                                                          • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 004A63D8
                                                                          • __freea.LIBCMT ref: 004A63E5
                                                                            • Part of subcall function 004A3820: RtlAllocateHeap.NTDLL(00000000,?,00541444,?,0048FDF5,?,?,0047A976,00000010,00541440,004713FC,?,004713C6,?,00471129), ref: 004A3852
                                                                          • __freea.LIBCMT ref: 004A63EE
                                                                          • __freea.LIBCMT ref: 004A6413
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                          • String ID:
                                                                          • API String ID: 1414292761-0
                                                                          • Opcode ID: 12adf4ec90e8e7f129f0a20d0bd80843e6e154d170364c1b625a22ad49616f2a
                                                                          • Instruction ID: 003dd8dcb040ffc6f696e0fab4576e3848d00b987705d886bc8cb9e59e2146b2
                                                                          • Opcode Fuzzy Hash: 12adf4ec90e8e7f129f0a20d0bd80843e6e154d170364c1b625a22ad49616f2a
                                                                          • Instruction Fuzzy Hash: 90510572600216AFDF259F64CC81EAF77A9EF66710F1A462AFC05D6240EB38DC41C768
                                                                          APIs
                                                                            • Part of subcall function 00479CB3: _wcslen.LIBCMT ref: 00479CBD
                                                                            • Part of subcall function 004FC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,004FB6AE,?,?), ref: 004FC9B5
                                                                            • Part of subcall function 004FC998: _wcslen.LIBCMT ref: 004FC9F1
                                                                            • Part of subcall function 004FC998: _wcslen.LIBCMT ref: 004FCA68
                                                                            • Part of subcall function 004FC998: _wcslen.LIBCMT ref: 004FCA9E
                                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004FBCCA
                                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004FBD25
                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 004FBD6A
                                                                          • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 004FBD99
                                                                          • RegCloseKey.ADVAPI32(?,?,00000000), ref: 004FBDF3
                                                                          • RegCloseKey.ADVAPI32(?), ref: 004FBDFF
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                                                                          • String ID:
                                                                          • API String ID: 1120388591-0
                                                                          • Opcode ID: 6c52993b9f5a6b4a917fd9666e83d66f46eda659697e7b0fd197b896980c862d
                                                                          • Instruction ID: d036abd0cf9d39ff00ee56d6aed36161b5363c21efcc2191756e45cd57b4d931
                                                                          • Opcode Fuzzy Hash: 6c52993b9f5a6b4a917fd9666e83d66f46eda659697e7b0fd197b896980c862d
                                                                          • Instruction Fuzzy Hash: 5781BB70208245AFC714DF24C885E6BBBE5FF85308F14895EF6594B2A2CB35ED05CB96
                                                                          APIs
                                                                          • VariantInit.OLEAUT32(00000035), ref: 004CF7B9
                                                                          • SysAllocString.OLEAUT32(00000001), ref: 004CF860
                                                                          • VariantCopy.OLEAUT32(004CFA64,00000000), ref: 004CF889
                                                                          • VariantClear.OLEAUT32(004CFA64), ref: 004CF8AD
                                                                          • VariantCopy.OLEAUT32(004CFA64,00000000), ref: 004CF8B1
                                                                          • VariantClear.OLEAUT32(?), ref: 004CF8BB
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Variant$ClearCopy$AllocInitString
                                                                          • String ID:
                                                                          • API String ID: 3859894641-0
                                                                          • Opcode ID: 84ed1589c5fb458a84ffb81ccb26daa61d6a5943fd2f8cfb91eb7e589a29fa05
                                                                          • Instruction ID: 5ef3e40d4c51efadcd0db8dda57327b5e2fd7f7dab7d2ad83df073968baa8327
                                                                          • Opcode Fuzzy Hash: 84ed1589c5fb458a84ffb81ccb26daa61d6a5943fd2f8cfb91eb7e589a29fa05
                                                                          • Instruction Fuzzy Hash: 6551B379600300ABCF54AB66D895F29B3A6AF45314B20846FE906DF291D77C8C4887AF
                                                                          APIs
                                                                            • Part of subcall function 00477620: _wcslen.LIBCMT ref: 00477625
                                                                            • Part of subcall function 00476B57: _wcslen.LIBCMT ref: 00476B6A
                                                                          • GetOpenFileNameW.COMDLG32(00000058), ref: 004E94E5
                                                                          • _wcslen.LIBCMT ref: 004E9506
                                                                          • _wcslen.LIBCMT ref: 004E952D
                                                                          • GetSaveFileNameW.COMDLG32(00000058), ref: 004E9585
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: _wcslen$FileName$OpenSave
                                                                          • String ID: X
                                                                          • API String ID: 83654149-3081909835
                                                                          • Opcode ID: fd4b2c4a0f1b486abf0a65702251beb71a90f66843ee5cc991941a63a8ad2654
                                                                          • Instruction ID: 74add43ebe0341e765884bd2ee5d6719e2c3e5e942a964f97931bb0bf7e229ac
                                                                          • Opcode Fuzzy Hash: fd4b2c4a0f1b486abf0a65702251beb71a90f66843ee5cc991941a63a8ad2654
                                                                          • Instruction Fuzzy Hash: 24E1B3315043409FD724EF26C481AAEB7E0BF85318F14896EF8899B3A2DB35DD05CB96
                                                                          APIs
                                                                            • Part of subcall function 00489BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00489BB2
                                                                          • BeginPaint.USER32(?,?,?), ref: 00489241
                                                                          • GetWindowRect.USER32(?,?), ref: 004892A5
                                                                          • ScreenToClient.USER32(?,?), ref: 004892C2
                                                                          • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 004892D3
                                                                          • EndPaint.USER32(?,?,?,?,?), ref: 00489321
                                                                          • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 004C71EA
                                                                            • Part of subcall function 00489339: BeginPath.GDI32(00000000), ref: 00489357
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                                                                          • String ID:
                                                                          • API String ID: 3050599898-0
                                                                          • Opcode ID: 0388768fe3cf4e3882f9548913b468a49b214948586a64f8fbdea9056e90b0dd
                                                                          • Instruction ID: b7ee9f5898c1bddcb4f0f07450873b55020c2d66eef6db7405beae52605ae80c
                                                                          • Opcode Fuzzy Hash: 0388768fe3cf4e3882f9548913b468a49b214948586a64f8fbdea9056e90b0dd
                                                                          • Instruction Fuzzy Hash: 7541A234104600AFD721EF14CC84FBA7BA8EB5A324F180A6EF954872E1C7759C49EB66
                                                                          APIs
                                                                          • InterlockedExchange.KERNEL32(?,000001F5), ref: 004E080C
                                                                          • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 004E0847
                                                                          • EnterCriticalSection.KERNEL32(?), ref: 004E0863
                                                                          • LeaveCriticalSection.KERNEL32(?), ref: 004E08DC
                                                                          • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 004E08F3
                                                                          • InterlockedExchange.KERNEL32(?,000001F6), ref: 004E0921
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                                                                          • String ID:
                                                                          • API String ID: 3368777196-0
                                                                          • Opcode ID: 2de391bd6afdf48bf0de87d38f4f63b7adaddaf6e2a1aac0b30922d2be744fb1
                                                                          • Instruction ID: cd9bd1d245ca51e3219f884599048cd0fbdab6c62b54b1d625949cee1c68a544
                                                                          • Opcode Fuzzy Hash: 2de391bd6afdf48bf0de87d38f4f63b7adaddaf6e2a1aac0b30922d2be744fb1
                                                                          • Instruction Fuzzy Hash: BF419C71900205EFDF14AF55DC85A6E7B78FF45304F1040AAED009A297D774DE68DBA8
                                                                          APIs
                                                                          • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,004CF3AB,00000000,?,?,00000000,?,004C682C,00000004,00000000,00000000), ref: 0050824C
                                                                          • EnableWindow.USER32(00000000,00000000), ref: 00508272
                                                                          • ShowWindow.USER32(FFFFFFFF,00000000), ref: 005082D1
                                                                          • ShowWindow.USER32(00000000,00000004), ref: 005082E5
                                                                          • EnableWindow.USER32(00000000,00000001), ref: 0050830B
                                                                          • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0050832F
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Window$Show$Enable$MessageSend
                                                                          • String ID:
                                                                          • API String ID: 642888154-0
                                                                          • Opcode ID: e85bca55d1b3f8390ddfe20bed7b9d8f3b73823dd9e9205bdedf11c63766f88e
                                                                          • Instruction ID: 4439e3227464c1a77c81436f87ae33857f422677f7e894f862cddb77742dae30
                                                                          • Opcode Fuzzy Hash: e85bca55d1b3f8390ddfe20bed7b9d8f3b73823dd9e9205bdedf11c63766f88e
                                                                          • Instruction Fuzzy Hash: CB41A138601A45AFDB25CF14CD99FF87FE0BB5A714F180268E6484F2E2CB31A845DB40
                                                                          APIs
                                                                          • IsWindowVisible.USER32(?), ref: 004D4C95
                                                                          • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 004D4CB2
                                                                          • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 004D4CEA
                                                                          • _wcslen.LIBCMT ref: 004D4D08
                                                                          • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 004D4D10
                                                                          • _wcsstr.LIBVCRUNTIME ref: 004D4D1A
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
                                                                          • String ID:
                                                                          • API String ID: 72514467-0
                                                                          • Opcode ID: e46f090cf791de156305293c00d1e34672743f8ced986b640ab5937b0b6bbc77
                                                                          • Instruction ID: a9b66951d0a20ae821eb9334ed90f8e72352b2f3d1b4e5f0cc1cd84a61ad679e
                                                                          • Opcode Fuzzy Hash: e46f090cf791de156305293c00d1e34672743f8ced986b640ab5937b0b6bbc77
                                                                          • Instruction Fuzzy Hash: CE21F531204200BBEB255B2AAC59E7F7F9DDF85750F10402FF805CA291DA79CC4196A4
                                                                          APIs
                                                                            • Part of subcall function 00473AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00473A97,?,?,00472E7F,?,?,?,00000000), ref: 00473AC2
                                                                          • _wcslen.LIBCMT ref: 004E587B
                                                                          • CoInitialize.OLE32(00000000), ref: 004E5995
                                                                          • CoCreateInstance.OLE32(0050FCF8,00000000,00000001,0050FB68,?), ref: 004E59AE
                                                                          • CoUninitialize.OLE32 ref: 004E59CC
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                                                                          • String ID: .lnk
                                                                          • API String ID: 3172280962-24824748
                                                                          • Opcode ID: 0375fc0aeebcc0ab9cc19965143c9c195e30ae071b34cd3c9b33b825b0ea2178
                                                                          • Instruction ID: 71fa0b6166dae9016bab21b4318dbfd0cc8a960345bf2d2af8a4bb36ac405983
                                                                          • Opcode Fuzzy Hash: 0375fc0aeebcc0ab9cc19965143c9c195e30ae071b34cd3c9b33b825b0ea2178
                                                                          • Instruction Fuzzy Hash: F5D164706046019FC714DF26C480A6EBBE1FF89719F14895EF8899B362DB39EC05CB96
                                                                          APIs
  • Part of subcall function 004D0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 004D0FCA
  • Part of subcall function 004D0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 004D0FD6
  • Part of subcall function 004D0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 004D0FE5
  • Part of subcall function 004D0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 004D0FEC
  • Part of subcall function 004D0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 004D1002
• GetLengthSid.ADVAPI32(?,00000000,004D1335), ref: 004D17AE
• GetProcessHeap.KERNEL32(00000008,00000000), ref: 004D17BA
• HeapAlloc.KERNEL32(00000000), ref: 004D17C1
• CopySid.ADVAPI32(00000000,00000000,?), ref: 004D17DA
• GetProcessHeap.KERNEL32(00000000,00000000,004D1335), ref: 004D17EE
• HeapFree.KERNEL32(00000000), ref: 004D17F5
Memory Dump Source
• Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
• Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
Similarity
• API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
• String ID:
• API String ID: 3008561057-0
• Opcode ID: cfba17f7863c3895235188d3471c3d13bfd4d4b2c716eeb3eb516ac1e867cace
• Instruction ID: 3cfd2fbdc38e1f0b9e6f7fe3dc648fde6d4247182edac1d18c84dc15a15dba5a
• Opcode Fuzzy Hash: cfba17f7863c3895235188d3471c3d13bfd4d4b2c716eeb3eb516ac1e867cace
• Instruction Fuzzy Hash: FF11BE31600205FFDB109FA4CDA9BAFBBB9FB46355F10421AF84197320C739A944DB64
APIs
• GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 004D14FF
• OpenProcessToken.ADVAPI32(00000000), ref: 004D1506
• CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 004D1515
• CloseHandle.KERNEL32(00000004), ref: 004D1520
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 004D154F
• DestroyEnvironmentBlock.USERENV(00000000), ref: 004D1563
Memory Dump Source
• Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
• Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
Similarity
• API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
• String ID:
• API String ID: 1413079979-0
• Opcode ID: 130a855d03566cbc7a59f786e11c3b26dbcf096a8e246c4b3047e154280e9a93
• Instruction ID: 30f5146f64885bdc2ceeef8be686f2a60d2eaaf6461990ea2582fef9d509aeba
• Opcode Fuzzy Hash: 130a855d03566cbc7a59f786e11c3b26dbcf096a8e246c4b3047e154280e9a93
• Instruction Fuzzy Hash: DC115C72500209BBDF118F94ED59BDE7BA9EF49744F048116FE05A22A0C3798E64EB60
APIs
• GetLastError.KERNEL32(?,?,00493379,00492FE5), ref: 00493390
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0049339E
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004933B7
• SetLastError.KERNEL32(00000000,?,00493379,00492FE5), ref: 00493409
Memory Dump Source
• Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
• Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
• Opcode ID: e7a4066fc1295e50209a9e6050c75dc550942e5f680832291544a21d7947797a
• Instruction ID: 9b4ca16028430672122a5e3228c233c1cfd05994153b040ce19ca36e3f0b5055
• Opcode Fuzzy Hash: e7a4066fc1295e50209a9e6050c75dc550942e5f680832291544a21d7947797a
• Instruction Fuzzy Hash: 3501D232249311AEEE382B756D8955B2E54DB2777A320023FF811903F1EE195D06624C
APIs
• GetLastError.KERNEL32(?,?,004A5686,004B3CD6,?,00000000,?,004A5B6A,?,?,?,?,?,0049E6D1,?,00538A48), ref: 004A2D78
• _free.LIBCMT ref: 004A2DAB
• _free.LIBCMT ref: 004A2DD3
• SetLastError.KERNEL32(00000000,?,?,?,?,0049E6D1,?,00538A48,00000010,00474F4A,?,?,00000000,004B3CD6), ref: 004A2DE0
• SetLastError.KERNEL32(00000000,?,?,?,?,0049E6D1,?,00538A48,00000010,00474F4A,?,?,00000000,004B3CD6), ref: 004A2DEC
• _abort.LIBCMT ref: 004A2DF2
Memory Dump Source
• Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
• Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
Similarity
• API ID: ErrorLast$_free$_abort
• String ID:
• API String ID: 3160817290-0
• Opcode ID: 364be2ce43f060eab5c17c53a9ee27cfbe6f8d15cbfaa8c035545098e6734fab
• Instruction ID: 6f94aa446f636d4c6f2989b4c7347d8ca4b50378fe901a09147c58c170afdf42
• Opcode Fuzzy Hash: 364be2ce43f060eab5c17c53a9ee27cfbe6f8d15cbfaa8c035545098e6734fab
• Instruction Fuzzy Hash: 87F0A97250550027C262273E7E06B5F1A59AFF3765B25051FF424922D3EEAC88057169
APIs
  • Part of subcall function 00489639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00489693
  • Part of subcall function 00489639: SelectObject.GDI32(?,00000000), ref: 004896A2
  • Part of subcall function 00489639: BeginPath.GDI32(?), ref: 004896B9
  • Part of subcall function 00489639: SelectObject.GDI32(?,00000000), ref: 004896E2
• MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00508A4E
• LineTo.GDI32(?,00000003,00000000), ref: 00508A62
• MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00508A70
• LineTo.GDI32(?,00000000,00000003), ref: 00508A80
• EndPath.GDI32(?), ref: 00508A90
• StrokePath.GDI32(?), ref: 00508AA0
Memory Dump Source
• Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
• Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
Similarity
• API ID: Path$LineMoveObjectSelect$BeginCreateStroke
• String ID:
• API String ID: 43455801-0
• Opcode ID: 985cfa9aa6fe69cf1a7d944fdf7fd8f60edee7d54e027e72f20425290a12f555
• Instruction ID: c10d4c80dace8880d9fef4dad334ad00cadcdb5926e9e1a5c4578974965c5d75
• Opcode Fuzzy Hash: 985cfa9aa6fe69cf1a7d944fdf7fd8f60edee7d54e027e72f20425290a12f555
• Instruction Fuzzy Hash: 74110976000108FFEB129F94DC88EAE7F6CEB19354F048152FA199A1A1C7719D59EBA0
APIs
• GetDC.USER32(00000000), ref: 004D5218
• GetDeviceCaps.GDI32(00000000,00000058), ref: 004D5229
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 004D5230
• ReleaseDC.USER32(00000000,00000000), ref: 004D5238
• MulDiv.KERNEL32(000009EC,?,00000000), ref: 004D524F
• MulDiv.KERNEL32(000009EC,00000001,?), ref: 004D5261
Memory Dump Source
• Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
• Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
Similarity
• API ID: CapsDevice$Release
• String ID:
• API String ID: 1035833867-0
• Opcode ID: 811206679fe1b481b8377d165fcc27cfb1fda1439f522868ae8a985ba73ef257
• Instruction ID: 77fe69cb8226d5274baad05ca73746bc16e0a430f4809586b7c32d635073648b
• Opcode Fuzzy Hash: 811206679fe1b481b8377d165fcc27cfb1fda1439f522868ae8a985ba73ef257
• Instruction Fuzzy Hash: 2501A275E00708BBEB109BA69C49F4EBFB8EF59351F044166FA04A7380DA709C08DFA0
APIs
• MapVirtualKeyW.USER32(0000005B,00000000), ref: 00471BF4
• MapVirtualKeyW.USER32(00000010,00000000), ref: 00471BFC
• MapVirtualKeyW.USER32(000000A0,00000000), ref: 00471C07
• MapVirtualKeyW.USER32(000000A1,00000000), ref: 00471C12
• MapVirtualKeyW.USER32(00000011,00000000), ref: 00471C1A
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00471C22
Memory Dump Source
• Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
• Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
Similarity
• API ID: Virtual
• String ID:
• API String ID: 4278518827-0
• Opcode ID: 728699eba49e3739c8e71dc37fecfe79b959dde978b67908aea446b52365670a
• Instruction ID: 61f296492e8e21cfcb14095fde25465bc365e838ed88c60f09ee2db47b93d792
• Opcode Fuzzy Hash: 728699eba49e3739c8e71dc37fecfe79b959dde978b67908aea446b52365670a
• Instruction Fuzzy Hash: 07016CB09027597DE3008F5A8C85B56FFA8FF19354F00411B915C4B941C7F5A864CBE5
APIs
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 004DEB30
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 004DEB46
• GetWindowThreadProcessId.USER32(?,?), ref: 004DEB55
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004DEB64
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004DEB6E
• CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004DEB75
Memory Dump Source
• Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
• Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
Similarity
• API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
• String ID:
• API String ID: 839392675-0
• Opcode ID: 0cd65e5fef912c698358ceb20732a93bc7895207f9b96d87d48f64f09e19af18
• Instruction ID: d6e5519617db0b89ebebda69bd8e85ef7765e2feb33f1241e1941f3d867ec3c9
• Opcode Fuzzy Hash: 0cd65e5fef912c698358ceb20732a93bc7895207f9b96d87d48f64f09e19af18
• Instruction Fuzzy Hash: EAF0BE72200118BBE7305B629C0EEEF3E7CEFDBB11F000259F601D5190D7A12A05EAB4
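The API bullets in this listing carry their constant arguments as raw hex (for instance 00000010 as the message in PostMessageW and 001F0FFF as the access mask in OpenProcess), so reading a block such as the PostMessageW / SendMessageTimeoutW / OpenProcess / TerminateProcess sequence above means decoding them by hand. The Python below is an added example written for this page; it is not part of the Joe Sandbox report or of the sample. It parses bullets in exactly the format printed here, decodes a handful of Windows SDK constants the editor knows by value (WM_CLOSE, SMTO_ABORTIFHUNG, PROCESS_ALL_ACCESS, TokenGroups, LOGPIXELSX/Y, COLOR_WINDOW, the VK_* codes), and applies two triage rules the editor chose. The sample input is copied from bullets shown in this listing; the constant table and rule names are assumptions of the example.

```python
"""Parse Joe Sandbox 'APIs' trace bullets and decode well-known constant arguments (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# One bullet as printed in the listing, in its three observed shapes:
#   • OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 004DEB64
#   • Part of subcall function 004D0FB4: HeapAlloc.KERNEL32(00000000), ref: 004D0FEC
#   • _free.LIBCMT ref: 004A2DAB              (no argument list, no comma before ref)
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple            # raw tokens exactly as printed: '001F0FFF', '?', '-00000002'
    ref: int               # address of the call site
    subcall: Optional[int] = None   # set when the bullet is 'Part of subcall function ...'

def parse_api_lines(text: str) -> list:
    """Return the ApiCall records found in a chunk of report text, in listing order."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue       # 'Memory Dump Source', hashes and similar lines are not call bullets
        raw = m.group("args")
        args = tuple(a.strip() for a in raw.split(",")) if raw else ()
        sub = m.group("sub")
        calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                             int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls

# Windows SDK constants, keyed by (API name, argument index). Editor's selection; extend as needed.
VK = {0x5B: "VK_LWIN", 0x10: "VK_SHIFT", 0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT",
      0x11: "VK_CONTROL", 0x12: "VK_MENU"}
CONSTS = {
    ("OpenProcess", 0): {0x1F0FFF: "PROCESS_ALL_ACCESS"},
    ("PostMessageW", 1): {0x10: "WM_CLOSE"},
    ("SendMessageTimeoutW", 1): {0x10: "WM_CLOSE"},
    ("SendMessageTimeoutW", 4): {0x2: "SMTO_ABORTIFHUNG"},
    ("GetTokenInformation", 1): {2: "TokenGroups"},
    ("GetDeviceCaps", 1): {0x58: "LOGPIXELSX", 0x5A: "LOGPIXELSY"},
    ("GetSysColor", 0): {5: "COLOR_WINDOW"},
    ("MapVirtualKeyW", 0): VK,
    ("MapVirtualKeyW", 1): {0: "MAPVK_VK_TO_VSC"},
}

def decode_arg(call: ApiCall, idx: int) -> str:
    """Render one argument as 'NAME (0x..)' when the value is known, else as masked 32-bit hex."""
    tok = call.args[idx]
    if tok == "?":
        return "?"         # the sandbox could not recover the value for this position
    val = int(tok, 16) & 0xFFFFFFFF     # '-00000002' is printed for 0xFFFFFFFE
    name = CONSTS.get((call.api, idx), {}).get(val)
    return f"{name} (0x{val:X})" if name else f"0x{val:X}"

def triage(calls: list) -> list:
    """Two editor-chosen rules over a parsed block: a kill-by-window sequence and modifier-key setup."""
    names = {c.api for c in calls}
    notes = []
    if {"OpenProcess", "TerminateProcess"} <= names:
        op = next(c for c in calls if c.api == "OpenProcess")
        notes.append(f"process kill: OpenProcess({decode_arg(op, 0)}) followed by TerminateProcess")
    if "MapVirtualKeyW" in names:
        keys = ", ".join(decode_arg(c, 0) for c in calls if c.api == "MapVirtualKeyW")
        notes.append(f"modifier-key scan codes prepared: {keys}")
    return notes

# Sample input: bullets copied from this listing (not a live capture), plus one subcall and one CRT line.
SAMPLE = """\
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 004DEB30
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 004DEB46
• GetWindowThreadProcessId.USER32(?,?), ref: 004DEB55
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004DEB64
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004DEB6E
• CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004DEB75
• MapVirtualKeyW.USER32(0000005B,00000000), ref: 00471BF4
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00471C22
  • Part of subcall function 004D0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 004D0FEC
• _free.LIBCMT ref: 004A2DAB
• MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00508A4E
Memory Dump Source
"""

if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE)
    for c in parsed:
        shown = ", ".join(decode_arg(c, i) for i in range(len(c.args)))
        print(f"{c.ref:08X}  {c.api}.{c.module}({shown})")
    for note in triage(parsed):
        print("finding:", note)
```

The regex deliberately keeps the trailing placeholder arguments as the report prints them; Joe Sandbox lists stack slots beyond the API's real parameter count, so only the leading positions should be trusted when decoding.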
                                                                          APIs
                                                                          • GetClientRect.USER32(?), ref: 004C7452
                                                                          • SendMessageW.USER32(?,00001328,00000000,?), ref: 004C7469
                                                                          • GetWindowDC.USER32(?), ref: 004C7475
                                                                          • GetPixel.GDI32(00000000,?,?), ref: 004C7484
                                                                          • ReleaseDC.USER32(?,00000000), ref: 004C7496
                                                                          • GetSysColor.USER32(00000005), ref: 004C74B0
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: ClientColorMessagePixelRectReleaseSendWindow
                                                                          • String ID:
                                                                          • API String ID: 272304278-0
                                                                          • Opcode ID: 82f2398eed25bc6a39ca0d8e6afe8be7aca47cac387c3e01d92dfb7f3924942c
                                                                          • Instruction ID: 5256edea1021f6d9ec1e814ee01a2699db187b7e87457063b1bf0eea009bb7d6
                                                                          • Opcode Fuzzy Hash: 82f2398eed25bc6a39ca0d8e6afe8be7aca47cac387c3e01d92dfb7f3924942c
                                                                          • Instruction Fuzzy Hash: BC017835400605EFDB605F64DC08BAE7FB5FB15321F1402A5FE16A21A0CB311E46AF15
                                                                          APIs
                                                                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004D187F
                                                                          • UnloadUserProfile.USERENV(?,?), ref: 004D188B
                                                                          • CloseHandle.KERNEL32(?), ref: 004D1894
                                                                          • CloseHandle.KERNEL32(?), ref: 004D189C
                                                                          • GetProcessHeap.KERNEL32(00000000,?), ref: 004D18A5
                                                                          • HeapFree.KERNEL32(00000000), ref: 004D18AC
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                          • String ID:
                                                                          • API String ID: 146765662-0
                                                                          • Opcode ID: 71b2cffc95a48f9f4a736686c1042c0e4408e01cd24c32d996f9ce5318c7286b
                                                                          • Instruction ID: 14cd693b83a27fea38efc73494369ec303978abff00d8baabcebb57b297610b6
                                                                          • Opcode Fuzzy Hash: 71b2cffc95a48f9f4a736686c1042c0e4408e01cd24c32d996f9ce5318c7286b
                                                                          • Instruction Fuzzy Hash: 61E0E536004101BBDB015FA1ED0C94EBF39FF6AB22B108724F225810B0CB329424EF90
                                                                          APIs
                                                                          • __Init_thread_footer.LIBCMT ref: 0047BEB3
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Init_thread_footer
                                                                          • String ID: D%T$D%T$D%T$D%TD%T
                                                                          • API String ID: 1385522511-1926685697
                                                                          • Opcode ID: b39c18a8048a1771e6bb87a4e4a421ca0e89cfba2b177fc431fb49f570f7ef09
                                                                          • Instruction ID: 519f808629e8fe8e42f35872c075c3001e71d951d085359f6fcb9ba44844caad
                                                                          • Opcode Fuzzy Hash: b39c18a8048a1771e6bb87a4e4a421ca0e89cfba2b177fc431fb49f570f7ef09
                                                                          • Instruction Fuzzy Hash: 0E912775A0021A8FCB24CF58C0906EABBF1FF59314F24C16EE949AB350D739A981DBD4
                                                                          APIs
                                                                            • Part of subcall function 00490242: EnterCriticalSection.KERNEL32(0054070C,00541884,?,?,0048198B,00542518,?,?,?,004712F9,00000000), ref: 0049024D
                                                                            • Part of subcall function 00490242: LeaveCriticalSection.KERNEL32(0054070C,?,0048198B,00542518,?,?,?,004712F9,00000000), ref: 0049028A
                                                                            • Part of subcall function 00479CB3: _wcslen.LIBCMT ref: 00479CBD
                                                                            • Part of subcall function 004900A3: __onexit.LIBCMT ref: 004900A9
                                                                          • __Init_thread_footer.LIBCMT ref: 004F7BFB
                                                                            • Part of subcall function 004901F8: EnterCriticalSection.KERNEL32(0054070C,?,?,00488747,00542514), ref: 00490202
                                                                            • Part of subcall function 004901F8: LeaveCriticalSection.KERNEL32(0054070C,?,00488747,00542514), ref: 00490235
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
                                                                          • String ID: +TL$5$G$Variable must be of type 'Object'.
                                                                          • API String ID: 535116098-9785603
                                                                          • Opcode ID: c89724351ee24f6691c12cd967accc031ed8acc01a8f6f3083526abb0733ffdd
                                                                          • Instruction ID: 27a901c3ed27d7875b422bca43df5309c0a3cdeb7a533991ad1c954877a872a7
                                                                          • Opcode Fuzzy Hash: c89724351ee24f6691c12cd967accc031ed8acc01a8f6f3083526abb0733ffdd
                                                                          • Instruction Fuzzy Hash: BC919D70604208AFCB04EF55D8819FEBBB1BF45304F50805EFA059B392DB79AE41CB59
                                                                          APIs
                                                                            • Part of subcall function 00477620: _wcslen.LIBCMT ref: 00477625
                                                                          • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004DC6EE
                                                                          • _wcslen.LIBCMT ref: 004DC735
                                                                          • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004DC79C
                                                                          • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 004DC7CA
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: ItemMenu$Info_wcslen$Default
                                                                          • String ID: 0
                                                                          • API String ID: 1227352736-4108050209
                                                                          • Opcode ID: 32d2b80843229669f5f0b823cdf25ad768207ebd99b91ccf98bca45ecdbe4ce3
                                                                          • Instruction ID: 4e4c43d3a8c6d73f17df28d4e7be623025b75f4068b53a80939a8a08871b5426
                                                                          • Opcode Fuzzy Hash: 32d2b80843229669f5f0b823cdf25ad768207ebd99b91ccf98bca45ecdbe4ce3
                                                                          • Instruction Fuzzy Hash: C651D0716043039BD714AF28C8E5BAB7BE4AF85314F040A2FF995D2390DB78D844DB5A
                                                                          APIs
                                                                          • ShellExecuteExW.SHELL32(0000003C), ref: 004FAEA3
                                                                            • Part of subcall function 00477620: _wcslen.LIBCMT ref: 00477625
                                                                          • GetProcessId.KERNEL32(00000000), ref: 004FAF38
                                                                          • CloseHandle.KERNEL32(00000000), ref: 004FAF67
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: CloseExecuteHandleProcessShell_wcslen
                                                                          • String ID: <$@
                                                                          • API String ID: 146682121-1426351568
                                                                          • Opcode ID: 7da0dff254c9402a24e76ead251c8bc79d76c516ca78e57dbab1419945dacc42
                                                                          • Instruction ID: 2d2617cb15ab739a7f3debd2190aefab0296a79b0f94b762a6db96af37a5f429
                                                                          • Opcode Fuzzy Hash: 7da0dff254c9402a24e76ead251c8bc79d76c516ca78e57dbab1419945dacc42
                                                                          • Instruction Fuzzy Hash: 91716BB0A00619DFCB14DF55C484AAEBBF0BF08318F14849EE91AAB352C778ED55CB95
                                                                          APIs
                                                                          • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 004D7206
                                                                          • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 004D723C
                                                                          • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 004D724D
                                                                          • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 004D72CF
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorMode$AddressCreateInstanceProc
                                                                          • String ID: DllGetClassObject
                                                                          • API String ID: 753597075-1075368562
                                                                          • Opcode ID: fb1ca64bb245375c0b35eb317d382584a6435e169cdb6e50a3e6a19ed4731c73
                                                                          • Instruction ID: 68489fa47aac75062c0609fb084bbf555b17c608df2c9ed79a696824c5a8a4c1
                                                                          • Opcode Fuzzy Hash: fb1ca64bb245375c0b35eb317d382584a6435e169cdb6e50a3e6a19ed4731c73
                                                                          • Instruction Fuzzy Hash: CE416A71A04204AFDB15CF54C894A9A7FA9EF44314F1480AFBD059F34AE7B8D945CBA4
                                                                          APIs
                                                                          • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00502F8D
                                                                          • LoadLibraryW.KERNEL32(?), ref: 00502F94
                                                                          • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00502FA9
                                                                          • DestroyWindow.USER32(?), ref: 00502FB1
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$DestroyLibraryLoadWindow
                                                                          • String ID: SysAnimate32
                                                                          • API String ID: 3529120543-1011021900
                                                                          • Opcode ID: 5b7018e160121dc9aaa20ea0b21c699f28c6fa8bb1a42f5eb39655cbc5fb8822
                                                                          • Instruction ID: a4c771555160ebf863c7668e022f4ff185646d3a408f14b1053ba299f2390e35
                                                                          • Opcode Fuzzy Hash: 5b7018e160121dc9aaa20ea0b21c699f28c6fa8bb1a42f5eb39655cbc5fb8822
                                                                          • Instruction Fuzzy Hash: 1121F07120020AABEB214F64DC8AEBF7BBDFB993A8F100618F950D60D0C771DC41A760
                                                                          APIs
                                                                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00494D1E,004A28E9,?,00494CBE,004A28E9,005388B8,0000000C,00494E15,004A28E9,00000002), ref: 00494D8D
                                                                          • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00494DA0
                                                                          • FreeLibrary.KERNEL32(00000000,?,?,?,00494D1E,004A28E9,?,00494CBE,004A28E9,005388B8,0000000C,00494E15,004A28E9,00000002,00000000), ref: 00494DC3
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: AddressFreeHandleLibraryModuleProc
                                                                          • String ID: CorExitProcess$mscoree.dll
                                                                          • API String ID: 4061214504-1276376045
                                                                          • Opcode ID: 3d8823c3e7006af049ee89f629eb15da861eb24d9774d4fc8b570344885919bd
                                                                          • Instruction ID: e05207196b6cd8aadf1cf4df2dec71e9c4d60fe18bce765c803d4d2ac1f065d2
                                                                          • Opcode Fuzzy Hash: 3d8823c3e7006af049ee89f629eb15da861eb24d9774d4fc8b570344885919bd
                                                                          • Instruction Fuzzy Hash: 64F0A434500208BFDB115F90DC09BEEBFB4EF55711F000265F805A6290DB745985DB94
                                                                          APIs
                                                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00474EDD,?,00541418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00474E9C
                                                                          • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00474EAE
                                                                          • FreeLibrary.KERNEL32(00000000,?,?,00474EDD,?,00541418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00474EC0
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Library$AddressFreeLoadProc
                                                                          • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                          • API String ID: 145871493-3689287502
                                                                          • Opcode ID: 1e2db8c9f434fe8b616dc5a563daef0f07add2caee4125b5f5842d60c243be98
                                                                          • Instruction ID: e46d4f7bae8685aaaab408ce3a4797e656fec52c84a09da756a337fd3f03cac5
                                                                          • Opcode Fuzzy Hash: 1e2db8c9f434fe8b616dc5a563daef0f07add2caee4125b5f5842d60c243be98
                                                                          • Instruction Fuzzy Hash: B3E08636A016225BD2211B256C18ABF6E54AFD3B73B054216FC04D2340DB68CD09D0A4
                                                                          APIs
                                                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,?,004B3CDE,?,00541418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00474E62
                                                                          • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00474E74
                                                                          • FreeLibrary.KERNEL32(00000000,?,?,004B3CDE,?,00541418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00474E87
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Library$AddressFreeLoadProc
                                                                          • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                          • API String ID: 145871493-1355242751
                                                                          • Opcode ID: 59965c24a3e7f3a919bdd6b14716caec76e6bfacadebda6644c3befeb15ebd3e
                                                                          • Instruction ID: bdacd5181801e73501069bda63b76ed88244ef15677f76908532147d231f6bfa
                                                                          • Opcode Fuzzy Hash: 59965c24a3e7f3a919bdd6b14716caec76e6bfacadebda6644c3befeb15ebd3e
                                                                          • Instruction Fuzzy Hash: A9D0C23250262157C6221B246C08DDF2E1CFFC7B313054312B808E6250CF68CD01D6D4
                                                                          APIs
                                                                          • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 004E2C05
                                                                          • DeleteFileW.KERNEL32(?), ref: 004E2C87
                                                                          • CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 004E2C9D
                                                                          • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 004E2CAE
                                                                          • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 004E2CC0
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: File$Delete$Copy
                                                                          • String ID:
                                                                          • API String ID: 3226157194-0
                                                                          • Opcode ID: 4029c2449fbdb6ebdf2254bf3d2b0aec5e186583aa3adbafbf6a4e8c53fc546c
                                                                          • Instruction ID: 9c8f8e28f22e149293d176e0114c09de8fdbdb814514415928aa45303b2a4e40
                                                                          • Opcode Fuzzy Hash: 4029c2449fbdb6ebdf2254bf3d2b0aec5e186583aa3adbafbf6a4e8c53fc546c
                                                                          • Instruction Fuzzy Hash: B6B18F71D00119ABDF11EFA6CD85EDEBBBCEF08314F1040ABF609E6141EA789A448F65
                                                                          APIs
                                                                          • GetCurrentProcessId.KERNEL32 ref: 004FA427
                                                                          • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 004FA435
                                                                          • GetProcessIoCounters.KERNEL32(00000000,?), ref: 004FA468
                                                                          • CloseHandle.KERNEL32(?), ref: 004FA63D
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Process$CloseCountersCurrentHandleOpen
                                                                          • String ID:
                                                                          • API String ID: 3488606520-0
                                                                          • Opcode ID: 5f818fed447a18f89fdc9d6b527ac9b75ad8ef6fae3866c2d77cfd8d9ad8dd4f
                                                                          • Instruction ID: 9cc0744ee7e381940758b825c55cb4ce67bbe87c288cc37e593025662a4d505e
                                                                          • Opcode Fuzzy Hash: 5f818fed447a18f89fdc9d6b527ac9b75ad8ef6fae3866c2d77cfd8d9ad8dd4f
                                                                          • Instruction Fuzzy Hash: EAA192B1604300AFD720DF25C886F2AB7E5AF44718F14881EF99A9B3D2D774EC458B96
                                                                          APIs
                                                                          • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00513700), ref: 004ABB91
                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,0054121C,000000FF,00000000,0000003F,00000000,?,?), ref: 004ABC09
                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00541270,000000FF,?,0000003F,00000000,?), ref: 004ABC36
                                                                          • _free.LIBCMT ref: 004ABB7F
                                                                            • Part of subcall function 004A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,004AD7D1,00000000,00000000,00000000,00000000,?,004AD7F8,00000000,00000007,00000000,?,004ADBF5,00000000), ref: 004A29DE
                                                                            • Part of subcall function 004A29C8: GetLastError.KERNEL32(00000000,?,004AD7D1,00000000,00000000,00000000,00000000,?,004AD7F8,00000000,00000007,00000000,?,004ADBF5,00000000,00000000), ref: 004A29F0
                                                                          • _free.LIBCMT ref: 004ABD4B
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                                          • String ID:
                                                                          • API String ID: 1286116820-0
                                                                          • Opcode ID: 83f1072ed60fbde81051952cb1baaadfef9a1c334a380f25cd1cf82c47dc9ca2
                                                                          • Instruction ID: 06f7dc4c966e2a83a2391edf1e57cbc11ac39f0afea57db232769206faceb46d
                                                                          • Opcode Fuzzy Hash: 83f1072ed60fbde81051952cb1baaadfef9a1c334a380f25cd1cf82c47dc9ca2
                                                                          • Instruction Fuzzy Hash: 6A5129759042089FCB10DF669C419AEBBBCEF67324B10426FE410D7292EB749E8497D8
                                                                          APIs
                                                                            • Part of subcall function 004DDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,004DCF22,?), ref: 004DDDFD
                                                                            • Part of subcall function 004DDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,004DCF22,?), ref: 004DDE16
                                                                            • Part of subcall function 004DE199: GetFileAttributesW.KERNEL32(?,004DCF95), ref: 004DE19A
                                                                          • lstrcmpiW.KERNEL32(?,?), ref: 004DE473
                                                                          • MoveFileW.KERNEL32(?,?), ref: 004DE4AC
                                                                          • _wcslen.LIBCMT ref: 004DE5EB
                                                                          • _wcslen.LIBCMT ref: 004DE603
                                                                          • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 004DE650
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
                                                                          • String ID:
                                                                          • API String ID: 3183298772-0
                                                                          • Opcode ID: 080dc658722132b9240c95ce2b669a0ddc0f15f31c4e69cbe064fc478d196d12
                                                                          • Instruction ID: 458319a642e2a727b2392329b45a98cdd4e95e6cd59ae8f20dd5544aee236bc5
                                                                          • Opcode Fuzzy Hash: 080dc658722132b9240c95ce2b669a0ddc0f15f31c4e69cbe064fc478d196d12
                                                                          • Instruction Fuzzy Hash: 0751A2B24083445BCB24EB91DC919DF77DCAF95344F00492FF689C7291EF38A588876A
                                                                          APIs
                                                                            • Part of subcall function 00479CB3: _wcslen.LIBCMT ref: 00479CBD
                                                                            • Part of subcall function 004FC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,004FB6AE,?,?), ref: 004FC9B5
                                                                            • Part of subcall function 004FC998: _wcslen.LIBCMT ref: 004FC9F1
                                                                            • Part of subcall function 004FC998: _wcslen.LIBCMT ref: 004FCA68
                                                                            • Part of subcall function 004FC998: _wcslen.LIBCMT ref: 004FCA9E
                                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004FBAA5
                                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004FBB00
                                                                          • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 004FBB63
                                                                          • RegCloseKey.ADVAPI32(?,?), ref: 004FBBA6
                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 004FBBB3
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                                                                          • String ID:
                                                                          • API String ID: 826366716-0
                                                                          • Opcode ID: 490030088f0f5d01e5436485ba9f81d19cfed7df669e1f259a3a0d73ddf050ca
                                                                          • Instruction ID: 7d2e985733aaed45a7e43b6c42005051a2995354e747a9d05d097ae461e728b5
                                                                          • Opcode Fuzzy Hash: 490030088f0f5d01e5436485ba9f81d19cfed7df669e1f259a3a0d73ddf050ca
                                                                          • Instruction Fuzzy Hash: E161DF70208205AFC714DF14C890E7ABBE4FF85308F14899EF5998B2A2CB35ED45CB92
                                                                          APIs
                                                                          • VariantInit.OLEAUT32(?), ref: 004D8BCD
                                                                          • VariantClear.OLEAUT32 ref: 004D8C3E
                                                                          • VariantClear.OLEAUT32 ref: 004D8C9D
                                                                          • VariantClear.OLEAUT32(?), ref: 004D8D10
                                                                          • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 004D8D3B
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Variant$Clear$ChangeInitType
                                                                          • String ID:
                                                                          • API String ID: 4136290138-0
                                                                          • Opcode ID: 6499051204d0955b6d9f70830075451dba36ae8fabac53441341a9465fc07906
                                                                          • Instruction ID: b5442662d777033db70cfcaafbb9ebe0ac937cfc97bcd65c660ce9e603c26e10
                                                                          • Opcode Fuzzy Hash: 6499051204d0955b6d9f70830075451dba36ae8fabac53441341a9465fc07906
                                                                          • Instruction Fuzzy Hash: 2B5189B1A00219EFCB10CF28C894AAABBF9FF89310B15855AE905DB350E734E911CF94
                                                                          APIs
                                                                          • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 004E8BAE
                                                                          • GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 004E8BDA
                                                                          • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 004E8C32
                                                                          • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 004E8C57
                                                                          • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 004E8C5F
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: PrivateProfile$SectionWrite$String
                                                                          • String ID:
                                                                          • API String ID: 2832842796-0
                                                                          • Opcode ID: 5dd0b31af0e27333034cbba0de0f43454b5a16140983dc16313b17a09c080b27
                                                                          • Instruction ID: 61ccfc47a336055bebc94beef18ea323495d22f8a81a65aaec3c82bbfb7952cf
                                                                          • Opcode Fuzzy Hash: 5dd0b31af0e27333034cbba0de0f43454b5a16140983dc16313b17a09c080b27
                                                                          • Instruction Fuzzy Hash: F0515C35A00215AFCB10DF65C881AAEBBF1FF49318F18C459E849AB362CB35ED41CB94
                                                                          APIs
                                                                          • LoadLibraryW.KERNEL32(?,00000000,?), ref: 004F8F40
                                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 004F8FD0
                                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 004F8FEC
                                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 004F9032
                                                                          • FreeLibrary.KERNEL32(00000000), ref: 004F9052
                                                                            • Part of subcall function 0048F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,004E1043,?,7529E610), ref: 0048F6E6
                                                                            • Part of subcall function 0048F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,004CFA64,00000000,00000000,?,?,004E1043,?,7529E610,?,004CFA64), ref: 0048F70D
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
                                                                          • String ID:
                                                                          • API String ID: 666041331-0
                                                                          • Opcode ID: 18b0d9552a48985f5f9bc6b146149b19c3ebbdd0c926850fc7002dd73f66d8e6
                                                                          • Instruction ID: c93f429406153f5eea1b7ddaf3887ec06da364c7f303b304cefed3bd4149c35b
                                                                          • Opcode Fuzzy Hash: 18b0d9552a48985f5f9bc6b146149b19c3ebbdd0c926850fc7002dd73f66d8e6
                                                                          • Instruction Fuzzy Hash: D5514C34600209DFC711DF58C4849AEBBF1FF49318B08819AE90A9B362DB35ED86CB95
                                                                          APIs
                                                                          • SetWindowLongW.USER32(00000002,000000F0,?), ref: 00506C33
                                                                          • SetWindowLongW.USER32(?,000000EC,?), ref: 00506C4A
                                                                          • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00506C73
                                                                          • ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,004EAB79,00000000,00000000), ref: 00506C98
                                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00506CC7
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Window$Long$MessageSendShow
                                                                          • String ID:
                                                                          • API String ID: 3688381893-0
                                                                          • Opcode ID: feb2cca8dcb97ec61244c09e59c011976651cf4c72fe162cd10f89f455445b37
                                                                          • Instruction ID: 4859609eeea5f1968a9ac13ff30a5b1627ebae76646489050ad8cdadd89f075e
                                                                          • Opcode Fuzzy Hash: feb2cca8dcb97ec61244c09e59c011976651cf4c72fe162cd10f89f455445b37
                                                                          • Instruction Fuzzy Hash: D241E635A04104AFE724CF28CD59FAD7FA5FB0A350F140628F995AB2E0C771ED61DA40
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: _free
                                                                          • String ID:
                                                                          • API String ID: 269201875-0
                                                                          APIs
                                                                          • GetCursorPos.USER32(?), ref: 00489141
                                                                          • ScreenToClient.USER32(00000000,?), ref: 0048915E
                                                                          • GetAsyncKeyState.USER32(00000001), ref: 00489183
                                                                          • GetAsyncKeyState.USER32(00000002), ref: 0048919D
                                                                          Similarity
                                                                          • API ID: AsyncState$ClientCursorScreen
                                                                          • String ID:
                                                                          • API String ID: 4210589936-0
                                                                          APIs
                                                                          • GetInputState.USER32 ref: 004E38CB
                                                                          • TranslateAcceleratorW.USER32(?,00000000,?), ref: 004E3922
                                                                          • TranslateMessage.USER32(?), ref: 004E394B
                                                                          • DispatchMessageW.USER32(?), ref: 004E3955
                                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004E3966
                                                                          Similarity
                                                                          • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                                                                          • String ID:
                                                                          • API String ID: 2256411358-0
                                                                          APIs
                                                                          • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,004EC21E,00000000), ref: 004ECF38
                                                                          • InternetReadFile.WININET(?,00000000,?,?), ref: 004ECF6F
                                                                          • GetLastError.KERNEL32(?,00000000,?,?,?,004EC21E,00000000), ref: 004ECFB4
                                                                          • SetEvent.KERNEL32(?,?,00000000,?,?,?,004EC21E,00000000), ref: 004ECFC8
                                                                          • SetEvent.KERNEL32(?,?,00000000,?,?,?,004EC21E,00000000), ref: 004ECFF2
                                                                          Similarity
                                                                          • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
                                                                          • String ID:
                                                                          • API String ID: 3191363074-0
                                                                          APIs
                                                                          • GetWindowRect.USER32(?,?), ref: 004D1915
                                                                          • PostMessageW.USER32(00000001,00000201,00000001), ref: 004D19C1
                                                                          • Sleep.KERNEL32(00000000,?,?,?), ref: 004D19C9
                                                                          • PostMessageW.USER32(00000001,00000202,00000000), ref: 004D19DA
                                                                          • Sleep.KERNEL32(00000000,?,?,?,?), ref: 004D19E2
                                                                          Similarity
                                                                          • API ID: MessagePostSleep$RectWindow
                                                                          • String ID:
                                                                          • API String ID: 3382505437-0
                                                                          APIs
                                                                          • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00505745
                                                                          • SendMessageW.USER32(?,00001074,?,00000001), ref: 0050579D
                                                                          • _wcslen.LIBCMT ref: 005057AF
                                                                          • _wcslen.LIBCMT ref: 005057BA
                                                                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 00505816
                                                                          Similarity
                                                                          • API ID: MessageSend$_wcslen
                                                                          • String ID:
                                                                          • API String ID: 763830540-0
                                                                          APIs
                                                                          • IsWindow.USER32(00000000), ref: 004F0951
                                                                          • GetForegroundWindow.USER32 ref: 004F0968
                                                                          • GetDC.USER32(00000000), ref: 004F09A4
                                                                          • GetPixel.GDI32(00000000,?,00000003), ref: 004F09B0
                                                                          • ReleaseDC.USER32(00000000,00000003), ref: 004F09E8
                                                                          Similarity
                                                                          • API ID: Window$ForegroundPixelRelease
                                                                          • String ID:
                                                                          • API String ID: 4156661090-0
                                                                          APIs
                                                                          • GetEnvironmentStringsW.KERNEL32 ref: 004ACDC6
                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004ACDE9
                                                                            • Part of subcall function 004A3820: RtlAllocateHeap.NTDLL(00000000,?,00541444,?,0048FDF5,?,?,0047A976,00000010,00541440,004713FC,?,004713C6,?,00471129), ref: 004A3852
                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 004ACE0F
                                                                          • _free.LIBCMT ref: 004ACE22
                                                                          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004ACE31
                                                                          Similarity
                                                                          • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                          • String ID:
                                                                          • API String ID: 336800556-0
                                                                          APIs
                                                                          • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00489693
                                                                          • SelectObject.GDI32(?,00000000), ref: 004896A2
                                                                          • BeginPath.GDI32(?), ref: 004896B9
                                                                          • SelectObject.GDI32(?,00000000), ref: 004896E2
                                                                          Similarity
                                                                          • API ID: ObjectSelect$BeginCreatePath
                                                                          • String ID:
                                                                          • API String ID: 3225163088-0
                                                                          APIs
                                                                          Similarity
                                                                          • API ID: _memcmp
                                                                          • String ID:
                                                                          • API String ID: 2931989736-0
                                                                          APIs
                                                                          • GetLastError.KERNEL32(?,?,?,0049F2DE,004A3863,00541444,?,0048FDF5,?,?,0047A976,00000010,00541440,004713FC,?,004713C6), ref: 004A2DFD
                                                                          • _free.LIBCMT ref: 004A2E32
                                                                          • _free.LIBCMT ref: 004A2E59
                                                                          • SetLastError.KERNEL32(00000000,00471129), ref: 004A2E66
                                                                          • SetLastError.KERNEL32(00000000,00471129), ref: 004A2E6F
                                                                          Similarity
                                                                          • API ID: ErrorLast$_free
                                                                          • String ID:
                                                                          • API String ID: 3170660625-0
                                                                          • Opcode ID: 7eacd06f08b8e24b4d3300000dc7abc37dce8ece1a4064ac623196b26d036c14
                                                                          • Instruction ID: 02311bbe23abbaf4df23c9704e11a2fbd7263cbdeeac15b6799472c9e6f835b8
                                                                          • Opcode Fuzzy Hash: 7eacd06f08b8e24b4d3300000dc7abc37dce8ece1a4064ac623196b26d036c14
                                                                          • Instruction Fuzzy Hash: F901D6722056006BC612273E6E45D6F2A5DABF3779721052BF425A2292EAEC8C457129
APIs
• CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,004CFF41,80070057,?,?,?,004D035E), ref: 004D002B
• ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,004CFF41,80070057,?,?), ref: 004D0046
• lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,004CFF41,80070057,?,?), ref: 004D0054
• CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,004CFF41,80070057,?), ref: 004D0064
• CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,004CFF41,80070057,?,?), ref: 004D0070
Memory Dump Source
• Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
• Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
Similarity
• API ID: From$Prog$FreeStringTasklstrcmpi
• String ID:
• API String ID: 3897988419-0
• Opcode ID: dd260a22c4ca0d04fa006d4bd14e4e8b0bb4dfd29e68f535f32d876f8d3c5168
• Instruction ID: 6a14c1d08597b404750e0be330ad522109187c4d1e7db6fe54d09fbe7f79a2da
• Opcode Fuzzy Hash: dd260a22c4ca0d04fa006d4bd14e4e8b0bb4dfd29e68f535f32d876f8d3c5168
• Instruction Fuzzy Hash: 2C017C72600204BBDB124F68EC04BAE7EADEF84752F148226F905E3310D779DD449BA4
APIs
• QueryPerformanceCounter.KERNEL32(?), ref: 004DE997
• QueryPerformanceFrequency.KERNEL32(?), ref: 004DE9A5
• Sleep.KERNEL32(00000000), ref: 004DE9AD
• QueryPerformanceCounter.KERNEL32(?), ref: 004DE9B7
• Sleep.KERNEL32 ref: 004DE9F3
Memory Dump Source
• Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
• Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
Similarity
• API ID: PerformanceQuery$CounterSleep$Frequency
• String ID:
• API String ID: 2833360925-0
• Opcode ID: 66f576f98f95479b81f0fe0b3c64bdc8b9a29ea8c5003ce86478e07dd1438992
• Instruction ID: e3d96850ae5e8c399d301723cacbcf2664d51d30d8623930f1c7c2bf87731a49
• Opcode Fuzzy Hash: 66f576f98f95479b81f0fe0b3c64bdc8b9a29ea8c5003ce86478e07dd1438992
• Instruction Fuzzy Hash: 0A016D71C02529DBCF00AFE6DD696DEBB78FF1A300F000697E502B6240CB389555DBA9
APIs
• GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 004D1114
• GetLastError.KERNEL32(?,00000000,00000000,?,?,004D0B9B,?,?,?), ref: 004D1120
• GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,004D0B9B,?,?,?), ref: 004D112F
• HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,004D0B9B,?,?,?), ref: 004D1136
• GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 004D114D
Memory Dump Source
• Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
• Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
Similarity
• API ID: HeapObjectSecurityUser$AllocErrorLastProcess
• String ID:
• API String ID: 842720411-0
• Opcode ID: b6d3f254e8bce8d9f7c53e50197e14d094bc3fd884f90972806e5b6f22522e03
• Instruction ID: e8da5e65db1080d1a22bc2ed15481432b2ee1a8064233dab3b87009593aa3a7d
• Opcode Fuzzy Hash: b6d3f254e8bce8d9f7c53e50197e14d094bc3fd884f90972806e5b6f22522e03
• Instruction Fuzzy Hash: D001F675200205BFEB114BA5DC5DA6F3F7EEF8A2A0B20451AFA45D6360DA31DC04AA60
APIs
• GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 004D0FCA
• GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 004D0FD6
• GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 004D0FE5
• HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 004D0FEC
• GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 004D1002
Memory Dump Source
• Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
• Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
Similarity
• API ID: HeapInformationToken$AllocErrorLastProcess
• String ID:
• API String ID: 44706859-0
• Opcode ID: c0054e8701cabe017b0be2cf2ae5903d40b598ac4a6d185130099032fa2682f1
• Instruction ID: e60403515e0195099d80dbef31091a6ff7a3537e9b79d1096d2aa55d69ea3aaa
• Opcode Fuzzy Hash: c0054e8701cabe017b0be2cf2ae5903d40b598ac4a6d185130099032fa2682f1
• Instruction Fuzzy Hash: F1F0A935200301BBDB221FA5AC5DF5B3FADEF9A762F100516FA05C63A0CA30DC40DA60
APIs
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 004D102A
• GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 004D1036
• GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 004D1045
• HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 004D104C
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 004D1062
Memory Dump Source
• Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
• Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
Similarity
• API ID: HeapInformationToken$AllocErrorLastProcess
• String ID:
• API String ID: 44706859-0
• Opcode ID: ff6666752a3ecf6c8cd95dda319ed205d1f91f975653c6379a3c1a04168f12d5
• Instruction ID: 4a9b5baecc1695c2feb33c408b3d84692b12a7dfc6cd14892d8bc147b4325382
• Opcode Fuzzy Hash: ff6666752a3ecf6c8cd95dda319ed205d1f91f975653c6379a3c1a04168f12d5
• Instruction Fuzzy Hash: 77F04935200301BBDB226FA5EC59F5B3FADEF9A761F100516FA45D6360CA74D844DA60
APIs
• CloseHandle.KERNEL32(?,?,?,?,004E017D,?,004E32FC,?,00000001,004B2592,?), ref: 004E0324
• CloseHandle.KERNEL32(?,?,?,?,004E017D,?,004E32FC,?,00000001,004B2592,?), ref: 004E0331
• CloseHandle.KERNEL32(?,?,?,?,004E017D,?,004E32FC,?,00000001,004B2592,?), ref: 004E033E
• CloseHandle.KERNEL32(?,?,?,?,004E017D,?,004E32FC,?,00000001,004B2592,?), ref: 004E034B
• CloseHandle.KERNEL32(?,?,?,?,004E017D,?,004E32FC,?,00000001,004B2592,?), ref: 004E0358
• CloseHandle.KERNEL32(?,?,?,?,004E017D,?,004E32FC,?,00000001,004B2592,?), ref: 004E0365
Memory Dump Source
• Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
• Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: 8c1c4d1f7231fbdc50a20cd6ed3051e975576280fa726dad0591fdc3a409bbb3
• Instruction ID: 6186346147452242680ac070357cc7477384b08cdc94db2fd7d1e86a79dba7bb
• Opcode Fuzzy Hash: 8c1c4d1f7231fbdc50a20cd6ed3051e975576280fa726dad0591fdc3a409bbb3
• Instruction Fuzzy Hash: 7601A272800B559FC7309F66D880417FBF5BF603163158A3FD1A652A31C3B5A998DF84
APIs
• _free.LIBCMT ref: 004AD752
  • Part of subcall function 004A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,004AD7D1,00000000,00000000,00000000,00000000,?,004AD7F8,00000000,00000007,00000000,?,004ADBF5,00000000), ref: 004A29DE
  • Part of subcall function 004A29C8: GetLastError.KERNEL32(00000000,?,004AD7D1,00000000,00000000,00000000,00000000,?,004AD7F8,00000000,00000007,00000000,?,004ADBF5,00000000,00000000), ref: 004A29F0
• _free.LIBCMT ref: 004AD764
• _free.LIBCMT ref: 004AD776
• _free.LIBCMT ref: 004AD788
• _free.LIBCMT ref: 004AD79A
Memory Dump Source
• Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
• Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 7351c552f7f4425a21a4b22cd93171cde48436d7f9d19390c48bb03a3e71ea50
• Instruction ID: 45f082cf26692971310dfb941a584a04cc3e9d52c6c44435300ceb444453a397
• Opcode Fuzzy Hash: 7351c552f7f4425a21a4b22cd93171cde48436d7f9d19390c48bb03a3e71ea50
• Instruction Fuzzy Hash: 78F044B6A04204AF8655EB59F9C1C177BDDBB26710B95080BF046E7A12C728FC805779
APIs
• GetDlgItem.USER32(?,000003E9), ref: 004D5C58
• GetWindowTextW.USER32(00000000,?,00000100), ref: 004D5C6F
• MessageBeep.USER32(00000000), ref: 004D5C87
• KillTimer.USER32(?,0000040A), ref: 004D5CA3
• EndDialog.USER32(?,00000001), ref: 004D5CBD
Memory Dump Source
• Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
• Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
Similarity
• API ID: BeepDialogItemKillMessageTextTimerWindow
• String ID:
• API String ID: 3741023627-0
• Opcode ID: 875ce5532a31d880114fca4343f8a56cb0c8f9b61f7f64b1d8578894cb2398ec
• Instruction ID: e453f80578fb40d16f8327d4fd74a7d1330dce085df31d7f4b03140126557596
• Opcode Fuzzy Hash: 875ce5532a31d880114fca4343f8a56cb0c8f9b61f7f64b1d8578894cb2398ec
• Instruction Fuzzy Hash: F001D630500B04ABFB305B14DD5EFAA7BB8BB11B05F04025BA583A11E1DFF5A9889A95
APIs
• _free.LIBCMT ref: 004A22BE
  • Part of subcall function 004A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,004AD7D1,00000000,00000000,00000000,00000000,?,004AD7F8,00000000,00000007,00000000,?,004ADBF5,00000000), ref: 004A29DE
  • Part of subcall function 004A29C8: GetLastError.KERNEL32(00000000,?,004AD7D1,00000000,00000000,00000000,00000000,?,004AD7F8,00000000,00000007,00000000,?,004ADBF5,00000000,00000000), ref: 004A29F0
• _free.LIBCMT ref: 004A22D0
• _free.LIBCMT ref: 004A22E3
• _free.LIBCMT ref: 004A22F4
• _free.LIBCMT ref: 004A2305
Memory Dump Source
• Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
• Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: c7f1ae82346077882c8f40a0783e507d79e5a1f908ac2e47c9fcb3d24a0fd9ad
• Instruction ID: 8431428cf0243d2b27b5b7b469e549bec02be338dbf49260656d38caff8bf745
• Opcode Fuzzy Hash: c7f1ae82346077882c8f40a0783e507d79e5a1f908ac2e47c9fcb3d24a0fd9ad
• Instruction Fuzzy Hash: B9F06DFD5006109B8712AF69AD0188A3F68B73BB59700111BF400D23B1C7B80549BBED
                                                                          APIs
                                                                          • EndPath.GDI32(?), ref: 004895D4
                                                                          • StrokeAndFillPath.GDI32(?,?,004C71F7,00000000,?,?,?), ref: 004895F0
                                                                          • SelectObject.GDI32(?,00000000), ref: 00489603
                                                                          • DeleteObject.GDI32 ref: 00489616
                                                                          • StrokePath.GDI32(?), ref: 00489631
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                          • String ID:
                                                                          • API String ID: 2625713937-0
                                                                          • Opcode ID: b0330e2ecd84c19551d52568763cc24b379b46be28042d0d2b63836c2edeeec9
                                                                          • Instruction ID: 7bb9b29cb07f2153c2f5873253872b3b34ec52e59247fda4a58091797522b086
                                                                          • Opcode Fuzzy Hash: b0330e2ecd84c19551d52568763cc24b379b46be28042d0d2b63836c2edeeec9
                                                                          • Instruction Fuzzy Hash: E1F03139005A04EBD7165F55ED1C7BD3F61A722326F048315F425561F0D7344999EF28
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: __freea$_free
                                                                          • String ID: a/p$am/pm
                                                                          • API String ID: 3432400110-3206640213
                                                                          • Opcode ID: 020c262733737ee0ad7fbd721fbf1c117e7630181721d0320e373b75d4919210
                                                                          • Instruction ID: 64ab8e32415603d7377fca77d27a1fe9ddaa612669bb4ce838d4fb492a215112
                                                                          • Opcode Fuzzy Hash: 020c262733737ee0ad7fbd721fbf1c117e7630181721d0320e373b75d4919210
                                                                          • Instruction Fuzzy Hash: CAD1F2719042069AEF249F68C855BFBB7B0EF27300F18415BE901ABB60D37D9D81CB59
                                                                          APIs
                                                                            • Part of subcall function 00490242: EnterCriticalSection.KERNEL32(0054070C,00541884,?,?,0048198B,00542518,?,?,?,004712F9,00000000), ref: 0049024D
                                                                            • Part of subcall function 00490242: LeaveCriticalSection.KERNEL32(0054070C,?,0048198B,00542518,?,?,?,004712F9,00000000), ref: 0049028A
                                                                            • Part of subcall function 004900A3: __onexit.LIBCMT ref: 004900A9
                                                                          • __Init_thread_footer.LIBCMT ref: 004F6238
                                                                            • Part of subcall function 004901F8: EnterCriticalSection.KERNEL32(0054070C,?,?,00488747,00542514), ref: 00490202
                                                                            • Part of subcall function 004901F8: LeaveCriticalSection.KERNEL32(0054070C,?,00488747,00542514), ref: 00490235
                                                                            • Part of subcall function 004E359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 004E35E4
                                                                            • Part of subcall function 004E359C: LoadStringW.USER32(00542390,?,00000FFF,?), ref: 004E360A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
                                                                          • String ID: x#T$x#T$x#T
                                                                          • API String ID: 1072379062-3988759949
                                                                          • Opcode ID: 031c947f9b4aae24e8679b7c4e412e0edba7eac4a9f831e4d81bb400ade11248
                                                                          • Instruction ID: d64b40fdb27df88cd3bdd494bc915b0f3f4f254b10da49439bd6017dc602c8ed
                                                                          • Opcode Fuzzy Hash: 031c947f9b4aae24e8679b7c4e412e0edba7eac4a9f831e4d81bb400ade11248
                                                                          • Instruction Fuzzy Hash: 56C17E71A00109AFCB14EF59D891DBEB7B9EF48304F11806AFA05AB291D778ED45CB98
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: JOG
                                                                          • API String ID: 0-487937789
                                                                          • Opcode ID: b7cb7da39412467606a9ba40a5c64b7f7da4ecd9c092248bde95ef4c7bebe875
                                                                          • Instruction ID: 1701465e041147f83cc2ca95d82a64ef418b63b7a6db58a814767c6aea88e546
                                                                          • Opcode Fuzzy Hash: b7cb7da39412467606a9ba40a5c64b7f7da4ecd9c092248bde95ef4c7bebe875
                                                                          • Instruction Fuzzy Hash: 2D51D175D00609ABCF109FA5CA45BEF7FB4AF26324F14006BF404A7291D6399901DB69
                                                                          APIs
                                                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 004A8B6E
                                                                          • GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 004A8B7A
                                                                          • __dosmaperr.LIBCMT ref: 004A8B81
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: ByteCharErrorLastMultiWide__dosmaperr
                                                                          • String ID: .I
                                                                          • API String ID: 2434981716-2795939834
                                                                          • Opcode ID: fdb4f624d5e06220232f89c346b14a27467a56e615b51d2bfd03c56c56728553
                                                                          • Instruction ID: 81c0ffc85691e8090dd0720e71aa1c30d2db17f8bf22cee2f90f06aeefdd47ec
                                                                          • Opcode Fuzzy Hash: fdb4f624d5e06220232f89c346b14a27467a56e615b51d2bfd03c56c56728553
                                                                          • Instruction Fuzzy Hash: 72416074604045AFDB249F54CC80A7E7FA5DBA7304B2841AFF88587252DD39DC06D7A8
                                                                          APIs
                                                                            • Part of subcall function 004DB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004D21D0,?,?,00000034,00000800,?,00000034), ref: 004DB42D
                                                                          • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 004D2760
                                                                            • Part of subcall function 004DB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004D21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 004DB3F8
                                                                            • Part of subcall function 004DB32A: GetWindowThreadProcessId.USER32(?,?), ref: 004DB355
                                                                            • Part of subcall function 004DB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,004D2194,00000034,?,?,00001004,00000000,00000000), ref: 004DB365
                                                                            • Part of subcall function 004DB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,004D2194,00000034,?,?,00001004,00000000,00000000), ref: 004DB37B
                                                                          • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 004D27CD
                                                                          • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 004D281A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                          • String ID: @
                                                                          • API String ID: 4150878124-2766056989
                                                                          • Opcode ID: 63723874eaab16a6640030e83e55d4ee7e1a3cbb0493cd123ce884006df78940
                                                                          • Instruction ID: cd10c01e6e929f416c6b492051cca183274c7be94ff1c8e073f2f03b1c2bb277
                                                                          • Opcode Fuzzy Hash: 63723874eaab16a6640030e83e55d4ee7e1a3cbb0493cd123ce884006df78940
                                                                          • Instruction Fuzzy Hash: 4C416C72900218BFDB20DBA4CD55AEEBBB8EF19304F00405AFA45B7281DB746E45DBA0
                                                                          APIs
                                                                          • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe,00000104), ref: 004A1769
                                                                          • _free.LIBCMT ref: 004A1834
                                                                          • _free.LIBCMT ref: 004A183E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: _free$FileModuleName
                                                                          • String ID: C:\Users\user\Desktop\Payment_Advice_USD_48,054.40_.exe
                                                                          • API String ID: 2506810119-1844042063
                                                                          • Opcode ID: eb46f08aff76f9ffccee85667a121d551d5bde21ea66acf92d0fc97990274b34
                                                                          • Instruction ID: be91c4eb769777cd22dbb5a93d910aa5ed7ad4be0cf93fa2259b1a2fd9f71b9b
                                                                          • Opcode Fuzzy Hash: eb46f08aff76f9ffccee85667a121d551d5bde21ea66acf92d0fc97990274b34
                                                                          • Instruction Fuzzy Hash: 38318679A04218AFDB11DB9A9881D9FBBFCEBA6314F10416BF404D7321D6B84E44D798
                                                                          APIs
                                                                          • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 004DC306
                                                                          • DeleteMenu.USER32(?,00000007,00000000), ref: 004DC34C
                                                                          • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00541990,00AB77C8), ref: 004DC395
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Menu$Delete$InfoItem
                                                                          • String ID: 0
                                                                          • API String ID: 135850232-4108050209
                                                                          • Opcode ID: 6c7789ba1444a7484b1ae03ecf51b11ad83bbe60dbfe6fee4afb3c290635befc
                                                                          • Instruction ID: 775ccba8c1a9d5a70457f6a95f88896421371fc3c576212b30daf6117758d57d
                                                                          • Opcode Fuzzy Hash: 6c7789ba1444a7484b1ae03ecf51b11ad83bbe60dbfe6fee4afb3c290635befc
                                                                          • Instruction Fuzzy Hash: 0241AE31204342AFDB20DF29D894B5ABBA4AF85314F00861FFDA5973D1C738A804CB6A
                                                                          APIs
                                                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0050CC08,00000000,?,?,?,?), ref: 005044AA
                                                                          • GetWindowLongW.USER32 ref: 005044C7
                                                                          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 005044D7
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Window$Long
                                                                          • String ID: SysTreeView32
                                                                          • API String ID: 847901565-1698111956
                                                                          • Opcode ID: 8d4850319fcee3b2223847a1e123e4319a77642416338a8be517aa4a437bbfd4
                                                                          • Instruction ID: d8f71bc8a42931c6a7b7ab72ba49f4e6a089150a77eae38f32f53f5dd8888767
                                                                          • Opcode Fuzzy Hash: 8d4850319fcee3b2223847a1e123e4319a77642416338a8be517aa4a437bbfd4
                                                                          • Instruction Fuzzy Hash: BD319A72200605ABDF209F38DC45BEE7BA9FB09328F244719FA79921E0D774AC509B50
                                                                          APIs
                                                                          • SysReAllocString.OLEAUT32(?,?), ref: 004D6EED
                                                                          • VariantCopyInd.OLEAUT32(?,?), ref: 004D6F08
                                                                          • VariantClear.OLEAUT32(?), ref: 004D6F12
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Variant$AllocClearCopyString
                                                                          • String ID: *jM
                                                                          • API String ID: 2173805711-1575265316
                                                                          • Opcode ID: b2785b37c4b25d42e6092e293467558548b495ef6ba9b6bfa9661bd41e7d4803
                                                                          • Instruction ID: 5f3bcbc5f8271fbbe1e4398ba79f70c4e7269b6f92728bb9813d8b586b0d07c1
                                                                          • Opcode Fuzzy Hash: b2785b37c4b25d42e6092e293467558548b495ef6ba9b6bfa9661bd41e7d4803
                                                                          • Instruction Fuzzy Hash: 083190B1704605DBCB05AF65E8609BE3775FF45308B11449FF90A4B3A1C7389912DBD9
                                                                          APIs
                                                                            • Part of subcall function 004F335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,004F3077,?,?), ref: 004F3378
                                                                          • inet_addr.WSOCK32(?), ref: 004F307A
                                                                          • _wcslen.LIBCMT ref: 004F309B
                                                                          • htons.WSOCK32(00000000), ref: 004F3106
                                                                          Similarity
                                                                          • API ID: ByteCharMultiWide_wcslenhtonsinet_addr
                                                                          • String ID: 255.255.255.255
                                                                          • API String ID: 946324512-2422070025
                                                                          • Opcode ID: 4cb3a7f860af9bcd0b0ef62b8636358559a9afa08226dc8fc4854aee66f389cc
                                                                          • Instruction ID: 4b751864d5b50c2ff6ea904acb3d1117d6d1ca8e25e5faa1e31657389827dfba
                                                                          • Opcode Fuzzy Hash: 4cb3a7f860af9bcd0b0ef62b8636358559a9afa08226dc8fc4854aee66f389cc
                                                                          • Instruction Fuzzy Hash: A83104352002099FCB10CF28C585EBA7BE0EF15319F24C05BEA158B392CB7AEE45C765
                                                                          APIs
                                                                          • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00504705
                                                                          • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00504713
                                                                          • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0050471A
                                                                          Similarity
                                                                          • API ID: MessageSend$DestroyWindow
                                                                          • String ID: msctls_updown32
                                                                          • API String ID: 4014797782-2298589950
                                                                          • Opcode ID: 262f0c9154bb53f35a8b02093d9790c32a58c9314cf455aa7e6b2134958b6f0c
                                                                          • Instruction ID: 44cb7657617ee5db81135f43143dcfdaefeb19f9415d4056b0fca0f79fbcecee
                                                                          • Opcode Fuzzy Hash: 262f0c9154bb53f35a8b02093d9790c32a58c9314cf455aa7e6b2134958b6f0c
                                                                          • Instruction Fuzzy Hash: 252151F5600209AFDB10DF68DCD1DAB3BADFB5A358B040459FA019B2A1DB71EC52DA60
                                                                          Similarity
                                                                          • API ID: _wcslen
                                                                          • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                          • API String ID: 176396367-2734436370
                                                                          • Opcode ID: ae305fa38072f755b2906421ef94daf5750f59692c47dfe1ef2dab8f6d0fee84
                                                                          • Instruction ID: 1f29fc3ba48ed8ed475f64f955ac87579b22112476754f369d75f51bd63a18aa
                                                                          • Opcode Fuzzy Hash: ae305fa38072f755b2906421ef94daf5750f59692c47dfe1ef2dab8f6d0fee84
                                                                          • Instruction Fuzzy Hash: D021433220421066C731BA29A826FBB77D8AFA1314F44403BF949D7781EB5CED92C39D
                                                                          APIs
                                                                          • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00503840
                                                                          • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00503850
                                                                          • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00503876
                                                                          Similarity
                                                                          • API ID: MessageSend$MoveWindow
                                                                          • String ID: Listbox
                                                                          • API String ID: 3315199576-2633736733
                                                                          • Opcode ID: 31446ffc7484e0171b7c37c3808b066d8fe58ecd74c259e7d997634e39c70ad4
                                                                          • Instruction ID: b09bfc6a260f5d00bc04a0c584dd4a77108c7ae5a7a0ffa7af1be560b524626b
                                                                          • Opcode Fuzzy Hash: 31446ffc7484e0171b7c37c3808b066d8fe58ecd74c259e7d997634e39c70ad4
                                                                          • Instruction Fuzzy Hash: 9D218E72610218BBEB218F64CC85EBF3B6EFF99754F118124F9449B1D0CA71DD5297A0
                                                                          APIs
                                                                          • SetErrorMode.KERNEL32(00000001), ref: 004E4A08
                                                                          • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 004E4A5C
                                                                          • SetErrorMode.KERNEL32(00000000,?,?,0050CC08), ref: 004E4AD0
                                                                          Similarity
                                                                          • API ID: ErrorMode$InformationVolume
                                                                          • String ID: %lu
                                                                          • API String ID: 2507767853-685833217
                                                                          • Opcode ID: b04e01612c6860dcf06df013ab21efae91e011555cd00cf162f645034acd3221
                                                                          • Instruction ID: f6214ae89fba2c2afe655d08d72a6bf898fc018f8d5c2c356105e725da0b54d3
                                                                          • Opcode Fuzzy Hash: b04e01612c6860dcf06df013ab21efae91e011555cd00cf162f645034acd3221
                                                                          • Instruction Fuzzy Hash: 05318E70A00208AFDB10DF55C885EAE7BF8EF49318F1480AAE809DB352D775ED45CB65
                                                                          APIs
                                                                          • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0050424F
                                                                          • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00504264
                                                                          • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00504271
                                                                          Similarity
                                                                          • API ID: MessageSend
                                                                          • String ID: msctls_trackbar32
                                                                          • API String ID: 3850602802-1010561917
                                                                          • Opcode ID: b27952d80a9e151d1e5ae551029c2fe09a5be49c415fa539b752c6059ad8a9cd
                                                                          • Instruction ID: 2affbce65e3407dda7aa77ee6c36dce6e25387e83907934615592cbbdfd3fcd6
                                                                          • Opcode Fuzzy Hash: b27952d80a9e151d1e5ae551029c2fe09a5be49c415fa539b752c6059ad8a9cd
                                                                          • Instruction Fuzzy Hash: 1011A371340249BEEF209F69CC06FAB3BACFF95B54F110518FA55E60D0D671D8619B14
                                                                          APIs
                                                                            • Part of subcall function 00476B57: _wcslen.LIBCMT ref: 00476B6A
                                                                            • Part of subcall function 004D2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 004D2DC5
                                                                            • Part of subcall function 004D2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 004D2DD6
                                                                            • Part of subcall function 004D2DA7: GetCurrentThreadId.KERNEL32 ref: 004D2DDD
                                                                            • Part of subcall function 004D2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 004D2DE4
                                                                          • GetFocus.USER32 ref: 004D2F78
                                                                            • Part of subcall function 004D2DEE: GetParent.USER32(00000000), ref: 004D2DF9
                                                                          • GetClassNameW.USER32(?,?,00000100), ref: 004D2FC3
                                                                          • EnumChildWindows.USER32(?,004D303B), ref: 004D2FEB
                                                                          Similarity
                                                                          • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
                                                                          • String ID: %s%d
                                                                          • API String ID: 1272988791-1110647743
                                                                          • Opcode ID: da5615dc3558bde4bf55bf41ac0b702f93d764b37609ebef3beaa00890638beb
                                                                          • Instruction ID: b4adbed485c505f4cf3cc0b6195454cde30ee5cd6218fce434b4e103c1905724
                                                                          • Opcode Fuzzy Hash: da5615dc3558bde4bf55bf41ac0b702f93d764b37609ebef3beaa00890638beb
                                                                          • Instruction Fuzzy Hash: 671127712002046BCF11BF758C95EEE376BAFA5308F00807BF9099B382DE785A098B24
                                                                          APIs
                                                                          • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 005058C1
                                                                          • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 005058EE
                                                                          • DrawMenuBar.USER32(?), ref: 005058FD
                                                                          Similarity
                                                                          • API ID: Menu$InfoItem$Draw
                                                                          • String ID: 0
                                                                          • API String ID: 3227129158-4108050209
                                                                          • Opcode ID: a50b1470cedddf7c3f9d7d4b6457a4aebebafc917b76d9a071f457ab92757324
                                                                          • Instruction ID: 900b8ee44736b99c62a70bf83e39961b100d1f962140ae0dc7c06e3344534fd2
                                                                          • Opcode Fuzzy Hash: a50b1470cedddf7c3f9d7d4b6457a4aebebafc917b76d9a071f457ab92757324
                                                                          • Instruction Fuzzy Hash: C2016D35500218EFDB219F11DC44BAFBFB4FB45361F10889AF849D6191EB308A98EF21
                                                                          APIs
                                                                          • GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 004CD3BF
                                                                          • FreeLibrary.KERNEL32 ref: 004CD3E5
                                                                          Similarity
                                                                          • API ID: AddressFreeLibraryProc
                                                                          • String ID: GetSystemWow64DirectoryW$X64
                                                                          • API String ID: 3013587201-2590602151
                                                                          • Opcode ID: ff99738964af57e2d1e822f7498dfeaa145781428f04fd00bf4898e915bb1973
                                                                          • Instruction ID: d0008751c9b63ec100f44674fd4e1a000bafb712af4ce8a4d6a4df68b2109350
                                                                          • Opcode Fuzzy Hash: ff99738964af57e2d1e822f7498dfeaa145781428f04fd00bf4898e915bb1973
                                                                          • Instruction Fuzzy Hash: EFF02079C02A219AC7B117104C24FAF7B54AF22701F648ABFA802E5298D72CCC85829E
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 3e55e69a4f8726d487a881da4799a8c4983774d6c93a304a9ba5dc6ad1bbfe85
                                                                          • Instruction ID: 03f445afe631f117731ccbca92b69726a6b3bcdcdcabf63962776b61f6525694
                                                                          • Opcode Fuzzy Hash: 3e55e69a4f8726d487a881da4799a8c4983774d6c93a304a9ba5dc6ad1bbfe85
                                                                          • Instruction Fuzzy Hash: 53C12975A00206AFDB14CFA4C8A4BAEB7B5FF48704F10859AE905EB351D735EE41CB94
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Variant$ClearInitInitializeUninitialize
                                                                          • String ID:
                                                                          • API String ID: 1998397398-0
                                                                          • Opcode ID: eca57d8d114c8d129d55e4068764795e30fa0a3b20f7fdb8d3c748e84c7a8157
                                                                          • Instruction ID: fb79299a3a52d85b7c3b64299be5e8cbf418126f05c66c82df3e4042ca4ee832
                                                                          • Opcode Fuzzy Hash: eca57d8d114c8d129d55e4068764795e30fa0a3b20f7fdb8d3c748e84c7a8157
                                                                          • Instruction Fuzzy Hash: 0CA17E75204204AFC710EF25C485A6EB7E4FF88719F14885EF9499B362DB38ED05CB5A
                                                                          APIs
                                                                          • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0050FC08,?), ref: 004D05F0
                                                                          • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0050FC08,?), ref: 004D0608
                                                                          • CLSIDFromProgID.OLE32(?,?,00000000,0050CC40,000000FF,?,00000000,00000800,00000000,?,0050FC08,?), ref: 004D062D
                                                                          • _memcmp.LIBVCRUNTIME ref: 004D064E
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: FromProg$FreeTask_memcmp
                                                                          • String ID:
                                                                          • API String ID: 314563124-0
                                                                          • Opcode ID: 635f509f612a10eb543da4ef18c023384c66613cf0d5821e4c40b5bd2345e910
                                                                          • Instruction ID: 77e866ea1e5379f0d123eb9cd2fabbf0350c9241fcd851604200877a6b66424a
                                                                          • Opcode Fuzzy Hash: 635f509f612a10eb543da4ef18c023384c66613cf0d5821e4c40b5bd2345e910
                                                                          • Instruction Fuzzy Hash: 3F813B71A00109EFCF04DF94C994EEEB7B9FF89315F20419AE506AB250DB75AE06CB64
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: _free
                                                                          • String ID:
                                                                          • API String ID: 269201875-0
                                                                          • Opcode ID: 3c4640a461ee5d7e5a07bf374245cc2e5066937163e2446feaadc0a6feec3f9b
                                                                          • Instruction ID: 2a90bfae54953f1d30fa8e5a0ac5150eb9d402d5173a4e1816daf3cdff17ba07
                                                                          • Opcode Fuzzy Hash: 3c4640a461ee5d7e5a07bf374245cc2e5066937163e2446feaadc0a6feec3f9b
                                                                          • Instruction Fuzzy Hash: 0B415E31600100ABDF256BBE8C55BEF3EA4EF56378F64027BF418D62A1E63C4945527A
                                                                          APIs
                                                                          • GetWindowRect.USER32(00AC06C0,?), ref: 005062E2
                                                                          • ScreenToClient.USER32(?,?), ref: 00506315
                                                                          • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00506382
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Window$ClientMoveRectScreen
                                                                          • String ID:
                                                                          • API String ID: 3880355969-0
                                                                          • Opcode ID: 6f3e42622ba83541d15b03fa29767099522cf7d7c0129b5dbc8e99bf1b19204e
                                                                          • Instruction ID: 8ea59a75c03635bee24c5b6c7ae4beef3b66ff81efef404ea9acf8e1c07a260b
                                                                          • Opcode Fuzzy Hash: 6f3e42622ba83541d15b03fa29767099522cf7d7c0129b5dbc8e99bf1b19204e
                                                                          • Instruction Fuzzy Hash: B3513874A00209EFDB20DF68D881AEE7BB5FB55364F108669F8159B2E0D730ED91DB90
                                                                          APIs
                                                                          • socket.WSOCK32(00000002,00000002,00000011), ref: 004F1AFD
                                                                          • WSAGetLastError.WSOCK32 ref: 004F1B0B
                                                                          • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 004F1B8A
                                                                          • WSAGetLastError.WSOCK32 ref: 004F1B94
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast$socket
                                                                          • String ID:
                                                                          • API String ID: 1881357543-0
                                                                          • Opcode ID: 0c736370e8ed892a242133648d71e294b382a5ca36d44d9a5207121ad64bf6d1
                                                                          • Instruction ID: 3df1f1292e88970b41686f18c36b68910dc160822e7cc46294ecb95465836e87
                                                                          • Opcode Fuzzy Hash: 0c736370e8ed892a242133648d71e294b382a5ca36d44d9a5207121ad64bf6d1
                                                                          • Instruction Fuzzy Hash: F341C034640200AFE720AF21C886F6A77E5AB45718F54C44DFA1A9F3D3D67AED418B94
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: e7b45d9dea67b73018a17135f883f39a0148e8c05b0aa73ca5cab37082b35beb
                                                                          • Instruction ID: 34aabb176c873a165a9ed804e19cd48ac25ae709b72bd854e61436e4cfd376e8
                                                                          • Opcode Fuzzy Hash: e7b45d9dea67b73018a17135f883f39a0148e8c05b0aa73ca5cab37082b35beb
                                                                          • Instruction Fuzzy Hash: F9412475A00304BFE7249F39CC42BAABBE9EB99714F10452FF541DB292D379A90187D4
                                                                          APIs
                                                                          • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 004E5783
                                                                          • GetLastError.KERNEL32(?,00000000), ref: 004E57A9
                                                                          • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 004E57CE
                                                                          • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 004E57FA
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: CreateHardLink$DeleteErrorFileLast
                                                                          • String ID:
                                                                          • API String ID: 3321077145-0
                                                                          • Opcode ID: a82d5807396fd1f1be2b604f90ccf3a79b9f5d78ee1c558402e16e4520f59b60
                                                                          • Instruction ID: c509fd81218aebaba62c5cbd23f5c2bf9c989d4649466e4b74c21f19f14d5266
                                                                          • Opcode Fuzzy Hash: a82d5807396fd1f1be2b604f90ccf3a79b9f5d78ee1c558402e16e4520f59b60
                                                                          • Instruction Fuzzy Hash: 8F414139600610DFCB11EF16C544A5EBBE2EF49719B18C48EE84A5B761CB38FD00CB95
                                                                          APIs
                                                                          • MultiByteToWideChar.KERNEL32(?,00000000,?,00496D71,00000000,00000000,004982D9,?,004982D9,?,00000001,00496D71,?,00000001,004982D9,004982D9), ref: 004AD910
                                                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 004AD999
                                                                          • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 004AD9AB
                                                                          • __freea.LIBCMT ref: 004AD9B4
                                                                            • Part of subcall function 004A3820: RtlAllocateHeap.NTDLL(00000000,?,00541444,?,0048FDF5,?,?,0047A976,00000010,00541440,004713FC,?,004713C6,?,00471129), ref: 004A3852
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                          • String ID:
                                                                          • API String ID: 2652629310-0
                                                                          • Opcode ID: e5366394bf6fafa7ef6423015708a3b695ca1a95b6130d24d0406cfa103db8c2
                                                                          • Instruction ID: 953213983228603dd4bf28f1fda4a1d6d9fc76f568d566304e88d23474a9bf70
                                                                          • Opcode Fuzzy Hash: e5366394bf6fafa7ef6423015708a3b695ca1a95b6130d24d0406cfa103db8c2
                                                                          • Instruction Fuzzy Hash: 0E31A0B2A0020AABDF24DF65DC45EAF7BA9EF62310F05416AFC05D6250E739CD54CB94
                                                                          APIs
                                                                          • SendMessageW.USER32(?,00001024,00000000,?), ref: 00505352
                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00505375
                                                                          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00505382
                                                                          • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 005053A8
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: LongWindow$InvalidateMessageRectSend
                                                                          • String ID:
                                                                          • API String ID: 3340791633-0
                                                                          • Opcode ID: 313e94c9a66a4216d0339a7db4843d4fccc4488bb7a188418f115d27e9bb2083
                                                                          • Instruction ID: 7a0011a421f2fa5b0775e50761efffdfccf1ca75a135187af7be8c1404850382
                                                                          • Opcode Fuzzy Hash: 313e94c9a66a4216d0339a7db4843d4fccc4488bb7a188418f115d27e9bb2083
                                                                          • Instruction Fuzzy Hash: 5931B234A55A08AFEB309F14CC06BEE7F65BB05390F984D01FA11961E1E7B1A980AF41
                                                                          APIs
                                                                          • GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 004DABF1
                                                                          • SetKeyboardState.USER32(00000080,?,00008000), ref: 004DAC0D
                                                                          • PostMessageW.USER32(00000000,00000101,00000000), ref: 004DAC74
                                                                          • SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 004DACC6
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: KeyboardState$InputMessagePostSend
                                                                          • String ID:
                                                                          • API String ID: 432972143-0
                                                                          • Opcode ID: b899cec484ea9094afe6a0a23a35bb001fdf7f9ed69853c9367ed2825289f9bf
                                                                          • Instruction ID: bf7bf7fe069a3e0f3d1d1792298fee92757aaaa371b6ea57a09815793c426e2e
                                                                          • Opcode Fuzzy Hash: b899cec484ea9094afe6a0a23a35bb001fdf7f9ed69853c9367ed2825289f9bf
                                                                          • Instruction Fuzzy Hash: FA311A30A206186FEF34CB658C287FF7BA5AB85720F08431BE481963D0C37D8965975B
                                                                          APIs
                                                                          • ClientToScreen.USER32(?,?), ref: 0050769A
                                                                          • GetWindowRect.USER32(?,?), ref: 00507710
                                                                          • PtInRect.USER32(?,?,00508B89), ref: 00507720
                                                                          • MessageBeep.USER32(00000000), ref: 0050778C
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Rect$BeepClientMessageScreenWindow
                                                                          • String ID:
APIs
• GetForegroundWindow.USER32 ref: 005016EB
  • Part of subcall function 004D3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 004D3A57
  • Part of subcall function 004D3A3D: GetCurrentThreadId.KERNEL32 ref: 004D3A5E
  • Part of subcall function 004D3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004D25B3), ref: 004D3A65
• GetCaretPos.USER32(?), ref: 005016FF
• ClientToScreen.USER32(00000000,?), ref: 0050174C
• GetForegroundWindow.USER32 ref: 00501752
Similarity
• API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
• String ID:
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 004DD501
• Process32FirstW.KERNEL32(00000000,?), ref: 004DD50F
• Process32NextW.KERNEL32(00000000,?), ref: 004DD52F
• CloseHandle.KERNEL32(00000000), ref: 004DD5DC
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
• String ID:
APIs
  • Part of subcall function 00489BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00489BB2
• GetCursorPos.USER32(?), ref: 00509001
• TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,004C7711,?,?,?,?,?), ref: 00509016
• GetCursorPos.USER32(?), ref: 0050905E
• DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,004C7711,?,?,?), ref: 00509094
Similarity
• API ID: Cursor$LongMenuPopupProcTrackWindow
• String ID:
APIs
• GetFileAttributesW.KERNEL32(?,0050CB68), ref: 004DD2FB
• GetLastError.KERNEL32 ref: 004DD30A
• CreateDirectoryW.KERNEL32(?,00000000), ref: 004DD319
• CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0050CB68), ref: 004DD376
Similarity
• API ID: CreateDirectory$AttributesErrorFileLast
• String ID:
APIs
  • Part of subcall function 004D1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 004D102A
  • Part of subcall function 004D1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 004D1036
  • Part of subcall function 004D1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 004D1045
  • Part of subcall function 004D1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 004D104C
  • Part of subcall function 004D1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 004D1062
• LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 004D15BE
• _memcmp.LIBVCRUNTIME ref: 004D15E1
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 004D1617
• HeapFree.KERNEL32(00000000), ref: 004D161E
Similarity
• API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
• String ID:
APIs
• GetWindowLongW.USER32(?,000000EC), ref: 0050280A
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 00502824
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 00502832
• SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00502840
Similarity
• API ID: Window$Long$AttributesLayered
• String ID:
APIs
  • Part of subcall function 004D8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,004D790A,?,000000FF,?,004D8754,00000000,?,0000001C,?,?), ref: 004D8D8C
  • Part of subcall function 004D8D7D: lstrcpyW.KERNEL32(00000000,?,?,004D790A,?,000000FF,?,004D8754,00000000,?,0000001C,?,?,00000000), ref: 004D8DB2
  • Part of subcall function 004D8D7D: lstrcmpiW.KERNEL32(00000000,?,004D790A,?,000000FF,?,004D8754,00000000,?,0000001C,?,?), ref: 004D8DE3
• lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,004D8754,00000000,?,0000001C,?,?,00000000), ref: 004D7923
• lstrcpyW.KERNEL32(00000000,?,?,004D8754,00000000,?,0000001C,?,?,00000000), ref: 004D7949
• lstrcmpiW.KERNEL32(00000002,cdecl,?,004D8754,00000000,?,0000001C,?,?,00000000), ref: 004D7984
Strings
Similarity
• API ID: lstrcmpilstrcpylstrlen
• String ID: cdecl
APIs
• GetWindowLongW.USER32(?,000000F0), ref: 00507D0B
• SetWindowLongW.USER32(00000000,000000F0,?), ref: 00507D2A
• SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00507D42
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,004EB7AD,00000000), ref: 00507D6B
  • Part of subcall function 00489BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00489BB2
Similarity
• API ID: Window$Long
• String ID:
APIs
• SendMessageW.USER32(?,00001060,?,00000004), ref: 005056BB
• _wcslen.LIBCMT ref: 005056CD
• _wcslen.LIBCMT ref: 005056D8
• SendMessageW.USER32(?,00001002,00000000,?), ref: 00505816
Similarity
• API ID: MessageSend_wcslen
• String ID:
APIs
• SendMessageW.USER32(?,000000B0,?,?), ref: 004D1A47
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 004D1A59
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 004D1A6F
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 004D1A8A
                                                                          Similarity
                                                                          • API ID: MessageSend
                                                                          • String ID:
                                                                          • API String ID: 3850602802-0
                                                                          • Opcode ID: ef7b579605f6fc50fcac04b51c7b9c49b61497b16a837d473784dc065b06b717
                                                                          • Instruction ID: d2b2efb1bc23fd7477027cba018b5f064448d397c187d62e61fbf3b5b80eb812
                                                                          • Opcode Fuzzy Hash: ef7b579605f6fc50fcac04b51c7b9c49b61497b16a837d473784dc065b06b717
                                                                          • Instruction Fuzzy Hash: A0113C3AD01219FFEB10DBA5CD85FADBB78EB04750F200092EA00B7390D6716E51DB94
                                                                          APIs
                                                                          • GetCurrentThreadId.KERNEL32 ref: 004DE1FD
                                                                          • MessageBoxW.USER32(?,?,?,?), ref: 004DE230
                                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 004DE246
                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004DE24D
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                                          • String ID:
                                                                          • API String ID: 2880819207-0
                                                                          • Opcode ID: fa8f685b5c6c6b9a83f37e4794b73fe8742353191f437fa267da49a9f15e7536
                                                                          • Instruction ID: 306dd5f3d252184b89116ff48e473c38c1f5cf7e67ef5e31ddcff319bf2d97e6
                                                                          • Opcode Fuzzy Hash: fa8f685b5c6c6b9a83f37e4794b73fe8742353191f437fa267da49a9f15e7536
                                                                          • Instruction Fuzzy Hash: FB114876904204BBC701AFA89C09ADF3FAC9B56314F00475BF815D3380C274C90887A4
                                                                          APIs
                                                                          • CreateThread.KERNEL32(00000000,?,0049CFF9,00000000,00000004,00000000), ref: 0049D218
                                                                          • GetLastError.KERNEL32 ref: 0049D224
                                                                          • __dosmaperr.LIBCMT ref: 0049D22B
                                                                          • ResumeThread.KERNEL32(00000000), ref: 0049D249
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Thread$CreateErrorLastResume__dosmaperr
                                                                          • String ID:
                                                                          • API String ID: 173952441-0
                                                                          • Opcode ID: 52403ba76b26b500478f9e1b5c662ae5b1faa6f90211a25cab2c34815f282dc4
                                                                          • Instruction ID: fa93a1a7eddb8fabc711698b31017abfb24713a5bfae00b9b3f266529ed2f115
                                                                          • Opcode Fuzzy Hash: 52403ba76b26b500478f9e1b5c662ae5b1faa6f90211a25cab2c34815f282dc4
                                                                          • Instruction Fuzzy Hash: AC012636C041047BCF105BA6DC09BAF7E68DF92734F20037AF924921D0CB75C905D6A5
                                                                          APIs
                                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0047604C
                                                                          • GetStockObject.GDI32(00000011), ref: 00476060
                                                                          • SendMessageW.USER32(00000000,00000030,00000000), ref: 0047606A
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: CreateMessageObjectSendStockWindow
                                                                          • String ID:
                                                                          • API String ID: 3970641297-0
                                                                          • Opcode ID: 38960b4781829320b88dd0ee7892d076d5ede30cda47fecaa084ba8345261fa5
                                                                          • Instruction ID: c46a218b3cbb44fd310671bfa8e50f29648eafbc8147e3b24ed94f81f54e23f5
                                                                          • Opcode Fuzzy Hash: 38960b4781829320b88dd0ee7892d076d5ede30cda47fecaa084ba8345261fa5
                                                                          • Instruction Fuzzy Hash: DF118E72501948BFEF128FA48C44AEB7F6EEF19364F014206FA0952110C7369C60EBA4
                                                                          APIs
                                                                          • ___BuildCatchObject.LIBVCRUNTIME ref: 00493B56
                                                                            • Part of subcall function 00493AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00493AD2
                                                                            • Part of subcall function 00493AA3: ___AdjustPointer.LIBCMT ref: 00493AED
                                                                          • _UnwindNestedFrames.LIBCMT ref: 00493B6B
                                                                          • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00493B7C
                                                                          • CallCatchBlock.LIBVCRUNTIME ref: 00493BA4
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                                          • String ID:
                                                                          • API String ID: 737400349-0
                                                                          • Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                                                                          • Instruction ID: 209a29e206ecbf9a4780cbb33f4e4ea74cb1ea8878f9a4d5130c0b32391a810b
                                                                          • Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                                                                          • Instruction Fuzzy Hash: F3012D32100148BBDF116E96CC42DEB3F69EF89759F04402AFE4856121C73AE961DBA4
                                                                          APIs
                                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,004713C6,00000000,00000000,?,004A301A,004713C6,00000000,00000000,00000000,?,004A328B,00000006,FlsSetValue), ref: 004A30A5
                                                                          • GetLastError.KERNEL32(?,004A301A,004713C6,00000000,00000000,00000000,?,004A328B,00000006,FlsSetValue,00512290,FlsSetValue,00000000,00000364,?,004A2E46), ref: 004A30B1
                                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004A301A,004713C6,00000000,00000000,00000000,?,004A328B,00000006,FlsSetValue,00512290,FlsSetValue,00000000), ref: 004A30BF
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: LibraryLoad$ErrorLast
                                                                          • String ID:
                                                                          • API String ID: 3177248105-0
                                                                          • Opcode ID: 488b4e5841da04aba90f70302abb48f5e2c190e79aa25287ebe038bd39f084eb
                                                                          • Instruction ID: 3e8cd8b31910d7c1b0a1f884b656025b5cd7aecbe891e01ac904d9abf37b88cf
                                                                          • Opcode Fuzzy Hash: 488b4e5841da04aba90f70302abb48f5e2c190e79aa25287ebe038bd39f084eb
                                                                          • Instruction Fuzzy Hash: B1012036309223ABC7314F799C449577F989F27BA2B200721F945D7284E725DD05C6D4
                                                                          APIs
                                                                          • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 004D747F
                                                                          • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 004D7497
                                                                          • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 004D74AC
                                                                          • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 004D74CA
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Type$Register$FileLoadModuleNameUser
                                                                          • String ID:
                                                                          • API String ID: 1352324309-0
                                                                          • Opcode ID: be371e2fb92e95eb15eec9da0a1c078c4efe5be1517a9ee19591639a6a320c61
                                                                          • Instruction ID: f44b2dc983695c52e95fe467599e08c40306c76571b24690b39706d59e2c81c1
                                                                          • Opcode Fuzzy Hash: be371e2fb92e95eb15eec9da0a1c078c4efe5be1517a9ee19591639a6a320c61
                                                                          • Instruction Fuzzy Hash: 4711ADB1205310ABE7218F14DD18B96BFFCEB00B00F10856BE616D6291E7B4E908DB65
                                                                          APIs
                                                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,004DACD3,?,00008000), ref: 004DB0C4
                                                                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,004DACD3,?,00008000), ref: 004DB0E9
                                                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,004DACD3,?,00008000), ref: 004DB0F3
                                                                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,004DACD3,?,00008000), ref: 004DB126
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: CounterPerformanceQuerySleep
                                                                          • String ID:
                                                                          • API String ID: 2875609808-0
                                                                          • Opcode ID: a915cb531952a710d8e6f7436c3f9145f2638595941223e6d61583912073e66f
                                                                          • Instruction ID: 4f9b6c24cbd0051c340ba3ad96af41164ff47be82c7365c20d6efa2a74eb7caf
                                                                          • Opcode Fuzzy Hash: a915cb531952a710d8e6f7436c3f9145f2638595941223e6d61583912073e66f
                                                                          • Instruction Fuzzy Hash: 24117930C00628E7CF00AFA4E9696EEBF78FF5A310F024187D941B2281CB388650DB99
                                                                          APIs
                                                                          • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 004D2DC5
                                                                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 004D2DD6
                                                                          • GetCurrentThreadId.KERNEL32 ref: 004D2DDD
                                                                          • AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 004D2DE4
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                          • String ID:
                                                                          • API String ID: 2710830443-0
                                                                          • Opcode ID: de14a43c23b3650d14057cbe9ec353f43483e1cd781910492b10c6c478f162ae
                                                                          • Instruction ID: 86a02e78602ea6a00fe86a1d750f12f8936d0576c0bfee0c075739c6a9bb0115
                                                                          • Opcode Fuzzy Hash: de14a43c23b3650d14057cbe9ec353f43483e1cd781910492b10c6c478f162ae
                                                                          • Instruction Fuzzy Hash: 86E092711012247BD7301B769D0DFEF3E6DEF67BA1F000216F105D11809AE5C849D6B0
                                                                          APIs
                                                                            • Part of subcall function 00489639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00489693
                                                                            • Part of subcall function 00489639: SelectObject.GDI32(?,00000000), ref: 004896A2
                                                                            • Part of subcall function 00489639: BeginPath.GDI32(?), ref: 004896B9
                                                                            • Part of subcall function 00489639: SelectObject.GDI32(?,00000000), ref: 004896E2
                                                                          • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00508887
                                                                          • LineTo.GDI32(?,?,?), ref: 00508894
                                                                          • EndPath.GDI32(?), ref: 005088A4
                                                                          • StrokePath.GDI32(?), ref: 005088B2
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                                          • String ID:
                                                                          • API String ID: 1539411459-0
                                                                          • Opcode ID: f9d1f536832700cbac5cc545374c5cbba6771126aa8b5119a869fb19f81808da
                                                                          • Instruction ID: 2802116e433819ab0bed7912e66560cc05b406dc924aea3ea700e9aa2c72ca28
                                                                          • Opcode Fuzzy Hash: f9d1f536832700cbac5cc545374c5cbba6771126aa8b5119a869fb19f81808da
                                                                          • Instruction Fuzzy Hash: B7F0BE36001618FAEB122F94AC1DFDE3F59AF27310F048100FA01610E1C7740555EFE9
                                                                          APIs
                                                                          • GetSysColor.USER32(00000008), ref: 004898CC
                                                                          • SetTextColor.GDI32(?,?), ref: 004898D6
                                                                          • SetBkMode.GDI32(?,00000001), ref: 004898E9
                                                                          • GetStockObject.GDI32(00000005), ref: 004898F1
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Color$ModeObjectStockText
                                                                          • String ID:
                                                                          • API String ID: 4037423528-0
                                                                          • Opcode ID: 84472086304ab89452feb30f22fcb888483769fa3f0649adc1672d7404b4ffd1
                                                                          • Instruction ID: bfe2c02c4be4de752a5dda343fdf27c3716dac92283d021dd98d1e5c90e7efce
                                                                          • Opcode Fuzzy Hash: 84472086304ab89452feb30f22fcb888483769fa3f0649adc1672d7404b4ffd1
                                                                          • Instruction Fuzzy Hash: 44E06D31244680AFDB215B74AC09BED3F20AB22336F08831AFAFA581E1C3754654EF10
                                                                          APIs
                                                                          • GetCurrentThread.KERNEL32 ref: 004D1634
                                                                          • OpenThreadToken.ADVAPI32(00000000,?,?,?,004D11D9), ref: 004D163B
                                                                          • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,004D11D9), ref: 004D1648
                                                                          • OpenProcessToken.ADVAPI32(00000000,?,?,?,004D11D9), ref: 004D164F
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentOpenProcessThreadToken
                                                                          • String ID:
                                                                          • API String ID: 3974789173-0
                                                                          • Opcode ID: 13bf4db5ee36f1e80f2c08d55ca3a5f1d70d43eff77e42e5b49e3313ecc5de43
                                                                          • Instruction ID: f7a5bba521d1b659608fcec85f697eca37bac840cc7ecd7e212868b0784a73fd
                                                                          • Opcode Fuzzy Hash: 13bf4db5ee36f1e80f2c08d55ca3a5f1d70d43eff77e42e5b49e3313ecc5de43
                                                                          • Instruction Fuzzy Hash: 30E08631601211EBE7301FA09D1DB8F3F7CAF66791F148909F646C9090D6388448D754
                                                                          APIs
                                                                          • GetDesktopWindow.USER32 ref: 004CD858
                                                                          • GetDC.USER32(00000000), ref: 004CD862
                                                                          • GetDeviceCaps.GDI32(00000000,0000000C), ref: 004CD882
                                                                          • ReleaseDC.USER32(?), ref: 004CD8A3
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: CapsDesktopDeviceReleaseWindow
                                                                          • String ID:
                                                                          • API String ID: 2889604237-0
                                                                          • Opcode ID: b0a13932bcdce57bd96c0c82f8f089c48baa832933d35ed41528f95206eb2e65
                                                                          • Instruction ID: 9bae0f5cf81407eb134939abc61ec75d57c7dc1d1f8662ce068ed6802a744a38
                                                                          • Opcode Fuzzy Hash: b0a13932bcdce57bd96c0c82f8f089c48baa832933d35ed41528f95206eb2e65
                                                                          • Instruction Fuzzy Hash: B8E01AB4C00204DFCF61AFA5D80CA6DBFB1FB19310F10851AF846E7290CB398906AF55
                                                                          APIs
                                                                          • GetDesktopWindow.USER32 ref: 004CD86C
                                                                          • GetDC.USER32(00000000), ref: 004CD876
                                                                          • GetDeviceCaps.GDI32(00000000,0000000C), ref: 004CD882
                                                                          • ReleaseDC.USER32(?), ref: 004CD8A3
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: CapsDesktopDeviceReleaseWindow
                                                                          • String ID:
                                                                          • API String ID: 2889604237-0
                                                                          • Opcode ID: 3e610eed4fbdbc3807d3cf90a128c65bddb16b83de66a034ef9b9b5efbec575e
                                                                          • Instruction ID: c60f1c6a137446ca75f4ac10d159212825d18f9be583e9b841ce69d8e9d84068
                                                                          • Opcode Fuzzy Hash: 3e610eed4fbdbc3807d3cf90a128c65bddb16b83de66a034ef9b9b5efbec575e
                                                                          • Instruction Fuzzy Hash: 72E012B4C00200EFCF60AFA4D80C66DBFB1BB19310F108509E84AE7290CB39590AAF40
                                                                          APIs
                                                                            • Part of subcall function 00477620: _wcslen.LIBCMT ref: 00477625
                                                                          • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 004E4ED4
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Connection_wcslen
                                                                          • String ID: *$LPT
                                                                          • API String ID: 1725874428-3443410124
                                                                          • Opcode ID: 6c5a40ef4ff35e29ddf7f61b46197c767941ad17c1369ee0e7f42ae22e3a2a9e
                                                                          • Instruction ID: 13c73ab7a1ea665b7f8cbc9fb43bc977004f5b69845414813721dcd48a53189a
                                                                          • Opcode Fuzzy Hash: 6c5a40ef4ff35e29ddf7f61b46197c767941ad17c1369ee0e7f42ae22e3a2a9e
                                                                          • Instruction Fuzzy Hash: C8919475A002449FCB14DF59C484EAABBF1BF84709F14809EE40A9F352C739ED85CB95
                                                                          APIs
                                                                          • __startOneArgErrorHandling.LIBCMT ref: 0049E30D
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorHandling__start
                                                                          • String ID: pow
                                                                          • API String ID: 3213639722-2276729525
                                                                          • Opcode ID: 2c6f95510709d1b03b662b52307b002e93c3f7934cd2674a80a41911dcebf324
                                                                          • Instruction ID: b2d0cb85e34183b3612ef79f120f5c8ba378ca4e2c9eaba780ac035b96fb61c1
                                                                          • Opcode Fuzzy Hash: 2c6f95510709d1b03b662b52307b002e93c3f7934cd2674a80a41911dcebf324
                                                                          • Instruction Fuzzy Hash: C3513B61A0C20196CF35B715CD413BB3F94AB61740F248DBBE495423E9EB3D8C969A4E
                                                                          APIs
                                                                          • CharUpperBuffW.USER32(004C569E,00000000,?,0050CC08,?,00000000,00000000), ref: 004F78DD
                                                                            • Part of subcall function 00476B57: _wcslen.LIBCMT ref: 00476B6A
                                                                          • CharUpperBuffW.USER32(004C569E,00000000,?,0050CC08,00000000,?,00000000,00000000), ref: 004F783B
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: BuffCharUpper$_wcslen
                                                                          • String ID: <sS
                                                                          • API String ID: 3544283678-608235421
                                                                          • Opcode ID: 2849ffe8eaf0cebe8c1136b970c9cac42007050397b9ee8e8ca8b7a7a359e296
                                                                          • Instruction ID: 15e5b1b36efa89a931336402253270f0b6eb42ad542f0ff6c01f1566950013ac
                                                                          • Opcode Fuzzy Hash: 2849ffe8eaf0cebe8c1136b970c9cac42007050397b9ee8e8ca8b7a7a359e296
                                                                          • Instruction Fuzzy Hash: B1617FB2914118AACF04FBA5CC91DFEB374BF14304B44852BE646B7191EF7C5A09CBA9
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: #
                                                                          • API String ID: 0-1885708031
                                                                          • Opcode ID: 379e9f1f6bdab4ede9698cd27791bac77dec0fdefc526ef32139134aad9b1d88
                                                                          • Instruction ID: 9afcac31837af34bee05f41cee5d269aaa621952fc66658333eece2983072619
                                                                          • Opcode Fuzzy Hash: 379e9f1f6bdab4ede9698cd27791bac77dec0fdefc526ef32139134aad9b1d88
                                                                          • Instruction Fuzzy Hash: 245101395012469FDB15EF2AC081ABF7BA4EF25310F24849BE8519B280D7389D43DBA9
                                                                          APIs
                                                                          • Sleep.KERNEL32(00000000), ref: 0048F2A2
                                                                          • GlobalMemoryStatusEx.KERNEL32(?), ref: 0048F2BB
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: GlobalMemorySleepStatus
                                                                          • String ID: @
                                                                          • API String ID: 2783356886-2766056989
                                                                          • Opcode ID: f023a8431b82efb26751bd710754f659b63cddf6f7dbcd0e01b68a77542c864f
                                                                          • Instruction ID: 65d2deaec5a193f4811e42b92a8c2e194c7f5e9e37c3aeb838f2015bbd054ea7
                                                                          • Opcode Fuzzy Hash: f023a8431b82efb26751bd710754f659b63cddf6f7dbcd0e01b68a77542c864f
                                                                          • Instruction Fuzzy Hash: 395147714087449BD320AF21DC86BAFBBF8FF95304F81885EF1D9411A5EB348529CB6A
                                                                          APIs
                                                                          • CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 004F57E0
                                                                          • _wcslen.LIBCMT ref: 004F57EC
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: BuffCharUpper_wcslen
                                                                          • String ID: CALLARGARRAY
                                                                          • API String ID: 157775604-1150593374
                                                                          • Opcode ID: 8beaf1a6ccf5d1fe4913c86db718aa0d849b2249b74f12f9da63fd2cffa326de
                                                                          • Instruction ID: 69aea94d1a4c638770bdcd78180282c064fe72e92f66ca7b5e9b74f3bc4ae27b
                                                                          • Opcode Fuzzy Hash: 8beaf1a6ccf5d1fe4913c86db718aa0d849b2249b74f12f9da63fd2cffa326de
                                                                          • Instruction Fuzzy Hash: 02419071A001099FCB14EFAAC8818BEBBF5FF59354F10416EE605A7391E7389D91CB94
                                                                          APIs
                                                                          • _wcslen.LIBCMT ref: 004ED130
                                                                          • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 004ED13A
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: CrackInternet_wcslen
                                                                          • String ID: |
                                                                          • API String ID: 596671847-2343686810
                                                                          • Opcode ID: 042f4baad2f423c78d3ce96988ca1269f0b10041e513ab2ef6682b26fa45d346
                                                                          • Instruction ID: d6183997417122ba1cafdfe91e4302d21e42cbc8bad5e2fda55d4893de3da591
                                                                          • Opcode Fuzzy Hash: 042f4baad2f423c78d3ce96988ca1269f0b10041e513ab2ef6682b26fa45d346
                                                                          • Instruction Fuzzy Hash: 3B312D71D00209ABCF15EFA6CC85AEEBFBAFF04344F00405AF819A6261D735A916DB65
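The per-function blocks in this listing are uniform enough to parse mechanically, which is how an analyst gets from a few hundred of them to the handful worth opening in the disassembler. What follows is an added example and not part of the Joe Sandbox report or its tooling: a Python parser for this block layout (API lines with their call-site refs and subcall addresses, then the bulleted fields up to Instruction Fuzzy Hash), run over a constructed excerpt copied in that layout from the blocks above. It pivots the records two ways: by API String ID, to find functions with identical API and string sets but different Opcode IDs, and by a small API watchlist. The watchlist names (token-handles, memory-status, network-share) are an illustrative assumption for the example, not a Joe Sandbox signature.

```python
# Added example: parser for Joe Sandbox per-function analysis blocks.
# Not Joe Sandbox code; the sample text is a constructed excerpt in the
# report's layout and WATCHLIST is an illustrative assumption.
import re
from collections import defaultdict

# Constructed sample: four blocks, one with a "Strings" heading and a nested
# "Part of subcall function" entry, and two near-duplicate GDI functions.
SAMPLE = """\
APIs
• GetCurrentThread.KERNEL32 ref: 004D1634
• OpenThreadToken.ADVAPI32(00000000,?,?,?,004D11D9), ref: 004D163B
• GetCurrentProcess.KERNEL32(00000028,?,?,?,?,004D11D9), ref: 004D1648
• OpenProcessToken.ADVAPI32(00000000,?,?,?,004D11D9), ref: 004D164F
Similarity
• API ID: CurrentOpenProcessThreadToken
• String ID:
• API String ID: 3974789173-0
• Opcode ID: 13bf4db5ee36f1e80f2c08d55ca3a5f1d70d43eff77e42e5b49e3313ecc5de43
• Instruction Fuzzy Hash: 30E08631601211EBE7301FA09D1DB8F3F7CAF66791F148909F646C9090D6388448D754
APIs
  • Part of subcall function 00477620: _wcslen.LIBCMT ref: 00477625
• WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 004E4ED4
Strings
• Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
Similarity
• String ID: *$LPT
• API String ID: 1725874428-3443410124
• Opcode ID: 6c5a40ef4ff35e29ddf7f61b46197c767941ad17c1369ee0e7f42ae22e3a2a9e
• Instruction Fuzzy Hash: C8919475A002449FCB14DF59C484EAABBF1BF84709F14809EE40A9F352C739ED85CB95
APIs
• GetDesktopWindow.USER32 ref: 004CD858
• GetDC.USER32(00000000), ref: 004CD862
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 004CD882
• ReleaseDC.USER32(?), ref: 004CD8A3
• API String ID: 2889604237-0
• Opcode ID: b0a13932bcdce57bd96c0c82f8f089c48baa832933d35ed41528f95206eb2e65
• Instruction Fuzzy Hash: B8E01AB4C00204DFCF61AFA5D80CA6DBFB1FB19310F10851AF846E7290CB398906AF55
APIs
• GetDesktopWindow.USER32 ref: 004CD86C
• GetDC.USER32(00000000), ref: 004CD876
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 004CD882
• ReleaseDC.USER32(?), ref: 004CD8A3
• API String ID: 2889604237-0
• Opcode ID: 3e610eed4fbdbc3807d3cf90a128c65bddb16b83de66a034ef9b9b5efbec575e
• Instruction Fuzzy Hash: 72E012B4C00200EFCF60AFA4D80C66DBFB1BB19310F108509E84AE7290CB39590AAF40
"""

# "Func.MODULE(args), ref: ADDR", optionally prefixed by the subcall marker.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<func>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)")
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")
BLOCK_END = "Instruction Fuzzy Hash"  # last field of every block in the listing

def parse_blocks(text):
    """One record per function: its API calls (call-site ref and, for nested
    entries, the subcall address) plus the bulleted key/value fields."""
    blocks, cur = [], {"apis": [], "fields": {}}
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            cur["apis"].append({"func": m["func"], "module": m["mod"], "args": m["args"] or "",
                                "ref": m["ref"], "subcall_of": m["sub"]})
            continue
        m = FIELD_RE.match(line)
        if m:  # headings such as "Strings" or "Similarity" carry no bullet and are skipped
            cur["fields"][m["key"]] = m["val"].strip()
            if m["key"] == BLOCK_END:
                blocks.append(cur)
                cur = {"apis": [], "fields": {}}
    return blocks

def cluster_by_api_string_id(blocks):
    """API String IDs shared by blocks with different Opcode IDs: same imports and
    strings but different code, i.e. candidate near-duplicate routines."""
    groups = defaultdict(list)
    for b in blocks:
        groups[b["fields"].get("API String ID", "")].append(b["fields"].get("Opcode ID", ""))
    return {k: v for k, v in groups.items() if len(set(v)) > 1}

# Illustrative pivot list (an assumption for this example, not a sandbox
# signature): API names an analyst may want to locate quickly across blocks.
WATCHLIST = {
    "token-handles": {"OpenProcessToken", "OpenThreadToken"},
    "memory-status": {"GlobalMemoryStatusEx"},
    "network-share": {"WNetUseConnectionW"},
}

def match_watchlist(blocks, watchlist=WATCHLIST):
    """(tag, Opcode ID, matched API names) for every block calling a listed API."""
    hits = []
    for b in blocks:
        called = {a["func"] for a in b["apis"]}
        for tag, names in watchlist.items():
            if called & names:
                hits.append((tag, b["fields"].get("Opcode ID", ""), sorted(called & names)))
    return hits
```

Run on the excerpt, `cluster_by_api_string_id` reports the one API String ID that two blocks share, 2889604237-0, with their two distinct Opcode IDs; that is exactly the pair of GetDesktopWindow/GetDC/GetDeviceCaps/ReleaseDC functions listed above, which differ only in code bytes. `match_watchlist` points at the token-handle block and the WNetUseConnectionW block by Opcode ID, so the same IDs can be used to jump to the full record in the report.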
                                                                          APIs
                                                                          • DestroyWindow.USER32(?,?,?,?), ref: 00503621
                                                                          • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0050365C
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Window$DestroyMove
                                                                          • String ID: static
                                                                          • API String ID: 2139405536-2160076837
                                                                          • Opcode ID: a1ffe7ba94ff1e4674c840b2735416142d45f0825a5ec57cc80e6ab516f9a778
                                                                          • Instruction ID: c12ed96ac37baf872556bd1227cbb851e6c2240abb9bd1c7bbd59bd9a295890e
                                                                          • Opcode Fuzzy Hash: a1ffe7ba94ff1e4674c840b2735416142d45f0825a5ec57cc80e6ab516f9a778
                                                                          • Instruction Fuzzy Hash: 9631AB71100604AADB209F28DC80EFF7BADFF89724F10861DF8A597290DB31AD81D760
                                                                          APIs
                                                                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 0050461F
                                                                          • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00504634
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend
                                                                          • String ID: '
                                                                          • API String ID: 3850602802-1997036262
                                                                          • Opcode ID: ed8170a35c72133cde5dcb1d2f495f796a22df054b7387e99a751416f4ad2023
                                                                          • Instruction ID: 3293873b1adc1c2a63a408741b71807f8db5da41ba034746893a96973ca3ce5d
                                                                          • Opcode Fuzzy Hash: ed8170a35c72133cde5dcb1d2f495f796a22df054b7387e99a751416f4ad2023
                                                                          • Instruction Fuzzy Hash: DC3138B4A013099FDB14CFA9C981BEE7BB5FF49300F10406AEA05AB381E771A941DF90
                                                                          APIs
                                                                          • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0050327C
                                                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00503287
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend
                                                                          • String ID: Combobox
                                                                          • API String ID: 3850602802-2096851135
                                                                          • Opcode ID: 5341cd2eb6760b68016fb7a5ded453b34a3baf7606ab8268493da8441accd93a
                                                                          • Instruction ID: 9042935a785756639037338ba7ed73597d1e9aba51e5e6c2d31f3c371dec3fd7
                                                                          • Opcode Fuzzy Hash: 5341cd2eb6760b68016fb7a5ded453b34a3baf7606ab8268493da8441accd93a
                                                                          • Instruction Fuzzy Hash: 4D119D7520020A7FEF219F94DC85EBF3BAEFB983A4F104629F9189B2D0D6319D519760
                                                                          APIs
                                                                            • Part of subcall function 0047600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0047604C
                                                                            • Part of subcall function 0047600E: GetStockObject.GDI32(00000011), ref: 00476060
                                                                            • Part of subcall function 0047600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0047606A
                                                                          • GetWindowRect.USER32(00000000,?), ref: 0050377A
                                                                          • GetSysColor.USER32(00000012), ref: 00503794
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                          • String ID: static
                                                                          • API String ID: 1983116058-2160076837
                                                                          • Opcode ID: 6f31b98081439d9ad5aece0e11fc86c8a18d222007c5443cdc6cf85abac9b32d
                                                                          • Instruction ID: ddbb7c403a2979b60ae226a95209f8652772d97a1844296c7b9bcc66db44513e
                                                                          • Opcode Fuzzy Hash: 6f31b98081439d9ad5aece0e11fc86c8a18d222007c5443cdc6cf85abac9b32d
                                                                          • Instruction Fuzzy Hash: 2C1129B2610209AFDB00DFA8CC46EEE7BB8FB09314F004A15F955E2291E735E9559B50
                                                                          APIs
                                                                          • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 004ECD7D
                                                                          • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 004ECDA6
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: Internet$OpenOption
                                                                          • String ID: <local>
                                                                          • API String ID: 942729171-4266983199
                                                                          • Opcode ID: 308364c41fb1c6cda640eeb1696add7ffaed513d51db367ddc341b9a15df1514
                                                                          • Instruction ID: ea7d68b69f46d3cc6d858f0ef712806274b8828c0e3d25269c13e92b4d745ec7
                                                                          • Opcode Fuzzy Hash: 308364c41fb1c6cda640eeb1696add7ffaed513d51db367ddc341b9a15df1514
                                                                          • Instruction Fuzzy Hash: 0F110671241671BAD7344B678C84EF7BEACEF127A5F00422BB10983180D3799846D6F4
                                                                          APIs
                                                                          • GetWindowTextLengthW.USER32(00000000), ref: 005034AB
                                                                          • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 005034BA
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: LengthMessageSendTextWindow
                                                                          • String ID: edit
                                                                          • API String ID: 2978978980-2167791130
                                                                          • Opcode ID: a00a0190d8d3397b208bb0e5af7008f19741bed7f0164c74fa382982f674df35
                                                                          • Instruction ID: 5876c5717b8cbeac859390610dfb6b8097b38fc1a04cbaabe83b4e2ed4f1048c
                                                                          • Opcode Fuzzy Hash: a00a0190d8d3397b208bb0e5af7008f19741bed7f0164c74fa382982f674df35
                                                                          • Instruction Fuzzy Hash: 97116D71100108AAEF218F64DC48AEE3F6EFB15378F504724F9659B1D0C771DC559750
                                                                          APIs
                                                                            • Part of subcall function 00479CB3: _wcslen.LIBCMT ref: 00479CBD
                                                                          • CharUpperBuffW.USER32(?,?,?), ref: 004D6CB6
                                                                          • _wcslen.LIBCMT ref: 004D6CC2
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: _wcslen$BuffCharUpper
                                                                          • String ID: STOP
                                                                          • API String ID: 1256254125-2411985666
                                                                          • Opcode ID: 00cfe0354e427d2ee77d2a500f74acc89c76fb33907e5af453f25fca8205ffcc
                                                                          • Instruction ID: f8f310fe0b541de3047f15c0cc7b8107e5c876de9d44d6431942c0318c0d1053
                                                                          • Opcode Fuzzy Hash: 00cfe0354e427d2ee77d2a500f74acc89c76fb33907e5af453f25fca8205ffcc
                                                                          • Instruction Fuzzy Hash: DF0108326105268ACB209FBDEC608BF37A5EB61714702052BE45292391EB39D800C654
                                                                          APIs
                                                                            • Part of subcall function 00479CB3: _wcslen.LIBCMT ref: 00479CBD
                                                                            • Part of subcall function 004D3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 004D3CCA
                                                                          • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 004D1D4C
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: ClassMessageNameSend_wcslen
                                                                          • String ID: ComboBox$ListBox
                                                                          • API String ID: 624084870-1403004172
                                                                          • Opcode ID: 26f4fa8c297a45dd4c646823176f4d3f0aef9b72057bf45a198c13749b6527ce
                                                                          • Instruction ID: 6574ab9636bec86c99fe929bb9ede41b48c0e93ed07d098367c94f3a6ef60330
                                                                          • Opcode Fuzzy Hash: 26f4fa8c297a45dd4c646823176f4d3f0aef9b72057bf45a198c13749b6527ce
                                                                          • Instruction Fuzzy Hash: FE01F131610218ABCB08EBA4CC21CFE77A9FB12354B00060FE826673D1EB3869088665
                                                                          APIs
                                                                            • Part of subcall function 00479CB3: _wcslen.LIBCMT ref: 00479CBD
                                                                            • Part of subcall function 004D3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 004D3CCA
                                                                          • SendMessageW.USER32(?,00000180,00000000,?), ref: 004D1C46
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: ClassMessageNameSend_wcslen
                                                                          • String ID: ComboBox$ListBox
                                                                          • API String ID: 624084870-1403004172
                                                                          • Opcode ID: 94f5d4e82976185e17ef33a8c736110b77ca6d5c84ded065cafe6bd6500d8932
                                                                          • Instruction ID: a555d5529fb8c18d5df1119a4f92564001356fe27cb19a603be1ba3bee9404d1
                                                                          • Opcode Fuzzy Hash: 94f5d4e82976185e17ef33a8c736110b77ca6d5c84ded065cafe6bd6500d8932
                                                                          • Instruction Fuzzy Hash: FE01A7757A11047ADF14EB91CD66DFF77A89B11744F14001FA80767392EA289E0886BA
                                                                          APIs
                                                                            • Part of subcall function 00479CB3: _wcslen.LIBCMT ref: 00479CBD
                                                                            • Part of subcall function 004D3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 004D3CCA
                                                                          • SendMessageW.USER32(?,00000182,?,00000000), ref: 004D1CC8
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                                          • Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
                                                                          Similarity
                                                                          • API ID: ClassMessageNameSend_wcslen
                                                                          • String ID: ComboBox$ListBox
                                                                          • API String ID: 624084870-1403004172
                                                                          • Opcode ID: c5770be0f3ff73c39c0e5ef1d8307b732c04aee107d6243a5bb1361840a4068b
                                                                          • Instruction ID: 26764c05702b2d482d87787b7a0f635e3cd8914b8bec1be226e92b6eef0693c5
                                                                          • Opcode Fuzzy Hash: c5770be0f3ff73c39c0e5ef1d8307b732c04aee107d6243a5bb1361840a4068b
                                                                          • Instruction Fuzzy Hash: 1F01A77175011476CB14EB95CA22EFF77A89B11744F14001BBC0677391EA299F09967A
APIs
• __Init_thread_footer.LIBCMT ref: 0048A529
  • Part of subcall function 00479CB3: _wcslen.LIBCMT ref: 00479CBD
Strings
Memory Dump Source
• Source File: 00000000.00000002.2051628525.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
• Associated: 00000000.00000002.2051607125.0000000000470000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051755103.000000000050C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051755103.0000000000532000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051799967.000000000053C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051826178.0000000000544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_470000_Payment_Advice_USD_48,054.jbxd
Similarity
• API ID: Init_thread_footer_wcslen
• String ID: ,%T$3yL
• API String ID: 2551934079-2271862204
• Opcode ID: 93c6d19d1be2d74da3514578f3fc10cf851dcc053cd577325d9be766b8d1cae6
• Instruction ID: 46f6908f009492206fbdc8dfaeb0ef9662b5fd6172f978f79a427208c8c95cdf
• Opcode Fuzzy Hash: 93c6d19d1be2d74da3514578f3fc10cf851dcc053cd577325d9be766b8d1cae6
• Instruction Fuzzy Hash: 2F01F7317006109BDA04F769E81BADD3764AB05718F90486FF5051B2C2DE986D458B9F
APIs
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00543018,0054305C), ref: 005081BF
• CloseHandle.KERNEL32 ref: 005081D1
Strings
Similarity
• API ID: CloseCreateHandleProcess
• String ID: \0T
• API String ID: 3712363035-698854872
• Opcode ID: 1706f08ff3f4a660968fa67d14e6becaff6b6886baf0f96a6a81787d7c8cfd2b
• Instruction ID: 19bd0033aca8bf7d696bf4d1d80e2e84197ae5c9a8db11fb1c13e61524062e8d
• Opcode Fuzzy Hash: 1706f08ff3f4a660968fa67d14e6becaff6b6886baf0f96a6a81787d7c8cfd2b
• Instruction Fuzzy Hash: 8FF054B5640700BAE7206761AC49FF73E9CEB26758F004525BF0CD51B1D67A8A04A2B8
APIs
Strings
Similarity
• API ID: _wcslen
• String ID: 3, 3, 16, 1
• API String ID: 176396367-3042988571
• Opcode ID: ded03ab3af687579fbb70f6d5579ad1def87ee6bc47c452452fcc7838da0a827
• Instruction ID: 8002c83da73897ee2a23f75c47720e1062d2c8398b35d68a5387739194e6484d
• Opcode Fuzzy Hash: ded03ab3af687579fbb70f6d5579ad1def87ee6bc47c452452fcc7838da0a827
• Instruction Fuzzy Hash: 37E02B42604224109231227BDCC1D7F5E89DFC9760710183FFA81C2366EA9C8D9293A8
APIs
• MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 004D0B23
Strings
Similarity
• API ID: Message
• String ID: AutoIt$Error allocating memory.
• API String ID: 2030045667-4017498283
• Opcode ID: d68ed3ed3b354a8745b217500c17f866b3ec78fad1954f6a68474836e2cdd917
• Instruction ID: 91d56a848d33f3215cdb8f7b814e9d99379462933178ee33346731378f17a7d7
• Opcode Fuzzy Hash: d68ed3ed3b354a8745b217500c17f866b3ec78fad1954f6a68474836e2cdd917
• Instruction Fuzzy Hash: 3FE0D83224430866D6243795BC07F9D7FC49F06B55F10082FF758555C38AD5649046AD
APIs
  • Part of subcall function 0048F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00490D71,?,?,?,0047100A), ref: 0048F7CE
• IsDebuggerPresent.KERNEL32(?,?,?,0047100A), ref: 00490D75
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0047100A), ref: 00490D84
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00490D7F
Similarity
• API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
• String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
• API String ID: 55579361-631824599
• Opcode ID: 542774e64a3db709d8b66baafeed87095a7d4fa2159f91ea5c33043131eca4d9
• Instruction ID: 0a1e33c3881ceffc0f83b1bb80dd29d7c1b6ad2c37427f674ae571813ac9c921
• Opcode Fuzzy Hash: 542774e64a3db709d8b66baafeed87095a7d4fa2159f91ea5c33043131eca4d9
• Instruction Fuzzy Hash: 35E092742007418FE7709FB9E40834A7FE4BF10748F008E3EE896C6A91DBB8E4489B95
APIs
• __Init_thread_footer.LIBCMT ref: 0048E3D5
Strings
Similarity
• API ID: Init_thread_footer
• String ID: 0%T$8%T
• API String ID: 1385522511-773869289
• Opcode ID: 54d5919222a08e57e64ba4457752270f4dcb3611fb37bdc1fa55fdc9b8ad3608
• Instruction ID: 759fa26d1d994ccbdbcfdc75fc94971b8fa82ab541eff3acca12fec427cafa0b
• Opcode Fuzzy Hash: 54d5919222a08e57e64ba4457752270f4dcb3611fb37bdc1fa55fdc9b8ad3608
• Instruction Fuzzy Hash: 6EE02635500930CFCA04B71AB855ACC3791FB0632CF9005BBF9028F2D19B386C41A74D
APIs
• GetTempPathW.KERNEL32(00000104,?,00000001), ref: 004E302F
• GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 004E3044
Strings
Similarity
• API ID: Temp$FileNamePath
• String ID: aut
• API String ID: 3285503233-3010740371
• Opcode ID: 19807a155fa7d6b9afd0f2e7ba0f5254b3aea5ed24051a6d720c139da0e76d28
• Instruction ID: 804e1f0558e7721f4e323c12be0e1c759b79a1c2cd20ef73b20706644177228a
• Opcode Fuzzy Hash: 19807a155fa7d6b9afd0f2e7ba0f5254b3aea5ed24051a6d720c139da0e76d28
• Instruction Fuzzy Hash: 3ED05E76500328B7DA20A7A4AC0EFCB3F6CDB06750F0002A1BA95E20D1DAB09988CAD0
APIs
Strings
Similarity
• API ID: LocalTime
• String ID: %.3d$X64
• API String ID: 481472006-1077770165
• Opcode ID: fd31ccc67d341200b88415bb40c948da5e7922a79d3b583b71a2068df5fef09b
• Instruction ID: 7e9c093df44165a1c4fb62dc994f7a265a1c21fed8ced6df3b2a4b8a3e4b64a8
• Opcode Fuzzy Hash: fd31ccc67d341200b88415bb40c948da5e7922a79d3b583b71a2068df5fef09b
• Instruction Fuzzy Hash: 5CD01D65C05109E5CBD0A7D0DC45EBDB77CFB19301F5044B7F80691040D63CD54A6757
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0050236C
• PostMessageW.USER32(00000000), ref: 00502373
  • Part of subcall function 004DE97B: Sleep.KERNEL32 ref: 004DE9F3
Strings
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: 8bc96b0293c8a89b7be847570e70c10a469265dce5ac04e1bd2e37ff19cd8216
• Instruction ID: 25018df5915c0daca4c5d3ddcf92501acc5dc1918e88e979c5abe92bb13e75b5
• Opcode Fuzzy Hash: 8bc96b0293c8a89b7be847570e70c10a469265dce5ac04e1bd2e37ff19cd8216
• Instruction Fuzzy Hash: 45D0C9763813107AE678B7719C1FFCA6A18AB16B14F504A1A7645AE1D0C9A4A8058A58
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0050232C
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0050233F
  • Part of subcall function 004DE97B: Sleep.KERNEL32 ref: 004DE9F3
Strings
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: c9677b2fe2f4013330829423a679e13b89d987023842693d8a2aa32447de994d
• Instruction ID: 8a174a43cfe47c0967c27d4d31f33ef849b2fd720840e12c4afc92f06615d9f5
• Opcode Fuzzy Hash: c9677b2fe2f4013330829423a679e13b89d987023842693d8a2aa32447de994d
• Instruction Fuzzy Hash: 45D0C976395310B6E678B7719C1FFCA6E18AB11B14F104A1A7645AE1D0C9A4A8058A54