Edit tour

Windows Analysis Report
Payment 01.08.25.pdf.exe

Overview

General Information

Sample name:	Payment 01.08.25.pdf.exe
Analysis ID:	1586737
MD5:	00999bb19db0f763b52315ac98a7c8d3
SHA1:	b354ea577e59ed9c314e587c1c8c53de3ca19c27
SHA256:	b9f10bbaec165ee961fd1bfa4a18de52c97054ee962f842514eff1c5e21785c4
Tags:	exeuser-James_inthe_box
Infos:

Detection

MassLogger RAT, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Double Extension File Execution

Yara detected AntiVM3

Yara detected MassLogger RAT

Yara detected PureLog Stealer

Yara detected Telegram RAT

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Payment 01.08.25.pdf.exe (PID: 7736 cmdline: "C:\Users\user\Desktop\Payment 01.08.25.pdf.exe" MD5: 00999BB19DB0F763B52315AC98A7C8D3)

RegSvcs.exe (PID: 7800 cmdline: "C:\Users\user\Desktop\Payment 01.08.25.pdf.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "Telegram", "Telegram Token": "8130225934:AAEyhcaCjU8efiL3IfiEzJIIBH2y4dJ4Vug", "Telegram Chatid": "8008584601"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.2588684454.0000000000400000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 77 88 44 24 2B 88 44 24 2F B0 D8 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000000.00000002.1371195942.0000000004010000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 77 88 44 24 2B 88 44 24 2F B0 D8 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000002.00000002.2591642315.00000000034E9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2591559592.00000000031D0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000002.00000002.2591559592.00000000031D0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2591559592.00000000031D0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.2591559592.00000000031D0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.2591559592.00000000031D0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1d582:$a1: get_encryptedPassword 0x1d556:$a2: get_encryptedUsername 0x1d61a:$a3: get_timePasswordChanged 0x1d532:$a4: get_passwordField 0x1d598:$a5: set_encryptedPassword 0x1d365:$a7: get_logins 0x1c8f8:$a8: GetOutlookPasswords 0x1be21:$a9: StartKeylogger 0x1a82b:$a10: KeyLoggerEventArgs 0x1a7fa:$a11: KeyLoggerEventArgsEventHandler 0x1d439:$a13: _encryptedPassword
00000002.00000002.2591559592.00000000031D0000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x21e3d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2133b:$a3: \Google\Chrome\User Data\Default\Login Data 0x21649:$a4: \Orbitum\User Data\Default\Login Data 0x22441:$a5: \Kometa\User Data\Default\Login Data
00000002.00000002.2593397587.0000000004321000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000002.00000002.2593397587.0000000004321000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2593397587.0000000004321000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.2593397587.0000000004321000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.2593397587.0000000004321000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x229da:$a1: get_encryptedPassword 0x4bb12:$a1: get_encryptedPassword 0x229ae:$a2: get_encryptedUsername 0x4bae6:$a2: get_encryptedUsername 0x22a72:$a3: get_timePasswordChanged 0x4bbaa:$a3: get_timePasswordChanged 0x2298a:$a4: get_passwordField 0x4bac2:$a4: get_passwordField 0x229f0:$a5: set_encryptedPassword 0x4bb28:$a5: set_encryptedPassword 0x227bd:$a7: get_logins 0x4b8f5:$a7: get_logins 0x21d50:$a8: GetOutlookPasswords 0x4ae88:$a8: GetOutlookPasswords 0x21279:$a9: StartKeylogger 0x4a3b1:$a9: StartKeylogger 0x1fc83:$a10: KeyLoggerEventArgs 0x48dbb:$a10: KeyLoggerEventArgs 0x1fc52:$a11: KeyLoggerEventArgsEventHandler 0x48d8a:$a11: KeyLoggerEventArgsEventHandler 0x22891:$a13: _encryptedPassword
00000002.00000002.2590935227.00000000030D0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000002.00000002.2590935227.00000000030D0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2590935227.00000000030D0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.2590935227.00000000030D0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.2590935227.00000000030D0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1e46a:$a1: get_encryptedPassword 0x1e43e:$a2: get_encryptedUsername 0x1e502:$a3: get_timePasswordChanged 0x1e41a:$a4: get_passwordField 0x1e480:$a5: set_encryptedPassword 0x1e24d:$a7: get_logins 0x1d7e0:$a8: GetOutlookPasswords 0x1cd09:$a9: StartKeylogger 0x1b713:$a10: KeyLoggerEventArgs 0x1b6e2:$a11: KeyLoggerEventArgsEventHandler 0x1e321:$a13: _encryptedPassword
00000002.00000002.2590935227.00000000030D0000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x22d25:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x22223:$a3: \Google\Chrome\User Data\Default\Login Data 0x22531:$a4: \Orbitum\User Data\Default\Login Data 0x23329:$a5: \Kometa\User Data\Default\Login Data
00000002.00000002.2590696831.0000000002F40000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000002.00000002.2590696831.0000000002F40000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2590696831.0000000002F40000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.2590696831.0000000002F40000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.2590696831.0000000002F40000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x5f3b8:$a1: get_encryptedPassword 0x5f38c:$a2: get_encryptedUsername 0x5f450:$a3: get_timePasswordChanged 0x5f368:$a4: get_passwordField 0x5f3ce:$a5: set_encryptedPassword 0x5f19b:$a7: get_logins 0x5e72e:$a8: GetOutlookPasswords 0x5dc57:$a9: StartKeylogger 0x5c661:$a10: KeyLoggerEventArgs 0x5c630:$a11: KeyLoggerEventArgsEventHandler 0x5f26f:$a13: _encryptedPassword
Process Memory Space: RegSvcs.exe PID: 7800	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 7800	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7800	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegSvcs.exe PID: 7800	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 7800	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x422f:$a1: get_encryptedPassword 0x610cb:$a1: get_encryptedPassword 0x7804c:$a1: get_encryptedPassword 0x9a533:$a1: get_encryptedPassword 0x4203:$a2: get_encryptedUsername 0x6109f:$a2: get_encryptedUsername 0x78020:$a2: get_encryptedUsername 0x9a507:$a2: get_encryptedUsername 0x42c7:$a3: get_timePasswordChanged 0x61163:$a3: get_timePasswordChanged 0x780e4:$a3: get_timePasswordChanged 0x9a5cb:$a3: get_timePasswordChanged 0x41df:$a4: get_passwordField 0x6107b:$a4: get_passwordField 0x77ffc:$a4: get_passwordField 0x9a4e3:$a4: get_passwordField 0x4245:$a5: set_encryptedPassword 0x610e1:$a5: set_encryptedPassword 0x78062:$a5: set_encryptedPassword 0x9a549:$a5: set_encryptedPassword 0x401b:$a7: get_logins
Click to see the 25 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.RegSvcs.exe.4325570.7.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.4325570.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.4325570.7.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.4325570.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.4325570.7.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c66a:$a1: get_encryptedPassword 0x1c63e:$a2: get_encryptedUsername 0x1c702:$a3: get_timePasswordChanged 0x1c61a:$a4: get_passwordField 0x1c680:$a5: set_encryptedPassword 0x1c44d:$a7: get_logins 0x1b9e0:$a8: GetOutlookPasswords 0x1af09:$a9: StartKeylogger 0x19913:$a10: KeyLoggerEventArgs 0x198e2:$a11: KeyLoggerEventArgsEventHandler 0x1c521:$a13: _encryptedPassword
2.2.RegSvcs.exe.4325570.7.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x20f25:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x20423:$a3: \Google\Chrome\User Data\Default\Login Data 0x20731:$a4: \Orbitum\User Data\Default\Login Data 0x21529:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 77 88 44 24 2B 88 44 24 2F B0 D8 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
2.2.RegSvcs.exe.30d0000.4.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.30d0000.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.30d0000.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.30d0000.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.30d0000.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c66a:$a1: get_encryptedPassword 0x1c63e:$a2: get_encryptedUsername 0x1c702:$a3: get_timePasswordChanged 0x1c61a:$a4: get_passwordField 0x1c680:$a5: set_encryptedPassword 0x1c44d:$a7: get_logins 0x1b9e0:$a8: GetOutlookPasswords 0x1af09:$a9: StartKeylogger 0x19913:$a10: KeyLoggerEventArgs 0x198e2:$a11: KeyLoggerEventArgsEventHandler 0x1c521:$a13: _encryptedPassword
2.2.RegSvcs.exe.30d0000.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x20f25:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x20423:$a3: \Google\Chrome\User Data\Default\Login Data 0x20731:$a4: \Orbitum\User Data\Default\Login Data 0x21529:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.30d0000.4.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.30d0000.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.30d0000.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.30d0000.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.30d0000.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1e46a:$a1: get_encryptedPassword 0x1e43e:$a2: get_encryptedUsername 0x1e502:$a3: get_timePasswordChanged 0x1e41a:$a4: get_passwordField 0x1e480:$a5: set_encryptedPassword 0x1e24d:$a7: get_logins 0x1d7e0:$a8: GetOutlookPasswords 0x1cd09:$a9: StartKeylogger 0x1b713:$a10: KeyLoggerEventArgs 0x1b6e2:$a11: KeyLoggerEventArgsEventHandler 0x1e321:$a13: _encryptedPassword
2.2.RegSvcs.exe.30d0000.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x22d25:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x22223:$a3: \Google\Chrome\User Data\Default\Login Data 0x22531:$a4: \Orbitum\User Data\Default\Login Data 0x23329:$a5: \Kometa\User Data\Default\Login Data
0.2.Payment 01.08.25.pdf.exe.4010000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 77 88 44 24 2B 88 44 24 2F B0 D8 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
2.2.RegSvcs.exe.434f590.8.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.434f590.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.434f590.8.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.434f590.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.434f590.8.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1d582:$a1: get_encryptedPassword 0x1d556:$a2: get_encryptedUsername 0x1d61a:$a3: get_timePasswordChanged 0x1d532:$a4: get_passwordField 0x1d598:$a5: set_encryptedPassword 0x1d365:$a7: get_logins 0x1c8f8:$a8: GetOutlookPasswords 0x1be21:$a9: StartKeylogger 0x1a82b:$a10: KeyLoggerEventArgs 0x1a7fa:$a11: KeyLoggerEventArgsEventHandler 0x1d439:$a13: _encryptedPassword
2.2.RegSvcs.exe.434f590.8.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x21e3d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2133b:$a3: \Google\Chrome\User Data\Default\Login Data 0x21649:$a4: \Orbitum\User Data\Default\Login Data 0x22441:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.4326458.6.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.4326458.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.4326458.6.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.4326458.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.4326458.6.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1b782:$a1: get_encryptedPassword 0x1b756:$a2: get_encryptedUsername 0x1b81a:$a3: get_timePasswordChanged 0x1b732:$a4: get_passwordField 0x1b798:$a5: set_encryptedPassword 0x1b565:$a7: get_logins 0x1aaf8:$a8: GetOutlookPasswords 0x1a021:$a9: StartKeylogger 0x18a2b:$a10: KeyLoggerEventArgs 0x189fa:$a11: KeyLoggerEventArgsEventHandler 0x1b639:$a13: _encryptedPassword
2.2.RegSvcs.exe.4326458.6.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x2003d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1f53b:$a3: \Google\Chrome\User Data\Default\Login Data 0x1f849:$a4: \Orbitum\User Data\Default\Login Data 0x20641:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.2f80f4e.2.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.2f80f4e.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2f80f4e.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.2f80f4e.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2f80f4e.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1e46a:$a1: get_encryptedPassword 0x1e43e:$a2: get_encryptedUsername 0x1e502:$a3: get_timePasswordChanged 0x1e41a:$a4: get_passwordField 0x1e480:$a5: set_encryptedPassword 0x1e24d:$a7: get_logins 0x1d7e0:$a8: GetOutlookPasswords 0x1cd09:$a9: StartKeylogger 0x1b713:$a10: KeyLoggerEventArgs 0x1b6e2:$a11: KeyLoggerEventArgsEventHandler 0x1e321:$a13: _encryptedPassword
2.2.RegSvcs.exe.2f80f4e.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x22d25:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x22223:$a3: \Google\Chrome\User Data\Default\Login Data 0x22531:$a4: \Orbitum\User Data\Default\Login Data 0x23329:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 77 88 44 24 2B 88 44 24 2F B0 D8 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
2.2.RegSvcs.exe.31d0000.5.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.31d0000.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.31d0000.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.31d0000.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.31d0000.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1d582:$a1: get_encryptedPassword 0x1d556:$a2: get_encryptedUsername 0x1d61a:$a3: get_timePasswordChanged 0x1d532:$a4: get_passwordField 0x1d598:$a5: set_encryptedPassword 0x1d365:$a7: get_logins 0x1c8f8:$a8: GetOutlookPasswords 0x1be21:$a9: StartKeylogger 0x1a82b:$a10: KeyLoggerEventArgs 0x1a7fa:$a11: KeyLoggerEventArgsEventHandler 0x1d439:$a13: _encryptedPassword
2.2.RegSvcs.exe.31d0000.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x21e3d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2133b:$a3: \Google\Chrome\User Data\Default\Login Data 0x21649:$a4: \Orbitum\User Data\Default\Login Data 0x22441:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.2f80f4e.2.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.2f80f4e.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2f80f4e.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.2f80f4e.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2f80f4e.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c66a:$a1: get_encryptedPassword 0x1c63e:$a2: get_encryptedUsername 0x1c702:$a3: get_timePasswordChanged 0x1c61a:$a4: get_passwordField 0x1c680:$a5: set_encryptedPassword 0x1c44d:$a7: get_logins 0x1b9e0:$a8: GetOutlookPasswords 0x1af09:$a9: StartKeylogger 0x19913:$a10: KeyLoggerEventArgs 0x198e2:$a11: KeyLoggerEventArgsEventHandler 0x1c521:$a13: _encryptedPassword
2.2.RegSvcs.exe.2f80f4e.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x20f25:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x20423:$a3: \Google\Chrome\User Data\Default\Login Data 0x20731:$a4: \Orbitum\User Data\Default\Login Data 0x21529:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.2f81e36.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.2f81e36.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2f81e36.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.2f81e36.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2f81e36.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1b782:$a1: get_encryptedPassword 0x1b756:$a2: get_encryptedUsername 0x1b81a:$a3: get_timePasswordChanged 0x1b732:$a4: get_passwordField 0x1b798:$a5: set_encryptedPassword 0x1b565:$a7: get_logins 0x1aaf8:$a8: GetOutlookPasswords 0x1a021:$a9: StartKeylogger 0x18a2b:$a10: KeyLoggerEventArgs 0x189fa:$a11: KeyLoggerEventArgsEventHandler 0x1b639:$a13: _encryptedPassword
2.2.RegSvcs.exe.2f81e36.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x2003d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1f53b:$a3: \Google\Chrome\User Data\Default\Login Data 0x1f849:$a4: \Orbitum\User Data\Default\Login Data 0x20641:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.31d0000.5.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.31d0000.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.31d0000.5.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.31d0000.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.31d0000.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1b782:$a1: get_encryptedPassword 0x1b756:$a2: get_encryptedUsername 0x1b81a:$a3: get_timePasswordChanged 0x1b732:$a4: get_passwordField 0x1b798:$a5: set_encryptedPassword 0x1b565:$a7: get_logins 0x1aaf8:$a8: GetOutlookPasswords 0x1a021:$a9: StartKeylogger 0x18a2b:$a10: KeyLoggerEventArgs 0x189fa:$a11: KeyLoggerEventArgsEventHandler 0x1b639:$a13: _encryptedPassword
2.2.RegSvcs.exe.31d0000.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x2003d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1f53b:$a3: \Google\Chrome\User Data\Default\Login Data 0x1f849:$a4: \Orbitum\User Data\Default\Login Data 0x20641:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.30d0ee8.3.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.30d0ee8.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.30d0ee8.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.30d0ee8.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.30d0ee8.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1b782:$a1: get_encryptedPassword 0x1b756:$a2: get_encryptedUsername 0x1b81a:$a3: get_timePasswordChanged 0x1b732:$a4: get_passwordField 0x1b798:$a5: set_encryptedPassword 0x1b565:$a7: get_logins 0x1aaf8:$a8: GetOutlookPasswords 0x1a021:$a9: StartKeylogger 0x18a2b:$a10: KeyLoggerEventArgs 0x189fa:$a11: KeyLoggerEventArgsEventHandler 0x1b639:$a13: _encryptedPassword
2.2.RegSvcs.exe.30d0ee8.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x2003d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1f53b:$a3: \Google\Chrome\User Data\Default\Login Data 0x1f849:$a4: \Orbitum\User Data\Default\Login Data 0x20641:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.30d0ee8.3.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.30d0ee8.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.30d0ee8.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.30d0ee8.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.30d0ee8.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1d582:$a1: get_encryptedPassword 0x1d556:$a2: get_encryptedUsername 0x1d61a:$a3: get_timePasswordChanged 0x1d532:$a4: get_passwordField 0x1d598:$a5: set_encryptedPassword 0x1d365:$a7: get_logins 0x1c8f8:$a8: GetOutlookPasswords 0x1be21:$a9: StartKeylogger 0x1a82b:$a10: KeyLoggerEventArgs 0x1a7fa:$a11: KeyLoggerEventArgsEventHandler 0x1d439:$a13: _encryptedPassword
2.2.RegSvcs.exe.30d0ee8.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x21e3d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2133b:$a3: \Google\Chrome\User Data\Default\Login Data 0x21649:$a4: \Orbitum\User Data\Default\Login Data 0x22441:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.434f590.8.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.434f590.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.434f590.8.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.434f590.8.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.434f590.8.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1b782:$a1: get_encryptedPassword 0x1b756:$a2: get_encryptedUsername 0x1b81a:$a3: get_timePasswordChanged 0x1b732:$a4: get_passwordField 0x1b798:$a5: set_encryptedPassword 0x1b565:$a7: get_logins 0x1aaf8:$a8: GetOutlookPasswords 0x1a021:$a9: StartKeylogger 0x18a2b:$a10: KeyLoggerEventArgs 0x189fa:$a11: KeyLoggerEventArgsEventHandler 0x1b639:$a13: _encryptedPassword
2.2.RegSvcs.exe.434f590.8.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x2003d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1f53b:$a3: \Google\Chrome\User Data\Default\Login Data 0x1f849:$a4: \Orbitum\User Data\Default\Login Data 0x20641:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.2f81e36.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.2f81e36.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2f81e36.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.2f81e36.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2f81e36.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1d582:$a1: get_encryptedPassword 0x1d556:$a2: get_encryptedUsername 0x1d61a:$a3: get_timePasswordChanged 0x1d532:$a4: get_passwordField 0x1d598:$a5: set_encryptedPassword 0x1d365:$a7: get_logins 0x1c8f8:$a8: GetOutlookPasswords 0x1be21:$a9: StartKeylogger 0x1a82b:$a10: KeyLoggerEventArgs 0x1a7fa:$a11: KeyLoggerEventArgsEventHandler 0x1d439:$a13: _encryptedPassword
2.2.RegSvcs.exe.2f81e36.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x21e3d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2133b:$a3: \Google\Chrome\User Data\Default\Login Data 0x21649:$a4: \Orbitum\User Data\Default\Login Data 0x22441:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.4325570.7.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.4325570.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.4325570.7.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.4325570.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.4325570.7.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1e46a:$a1: get_encryptedPassword 0x475a2:$a1: get_encryptedPassword 0x1e43e:$a2: get_encryptedUsername 0x47576:$a2: get_encryptedUsername 0x1e502:$a3: get_timePasswordChanged 0x4763a:$a3: get_timePasswordChanged 0x1e41a:$a4: get_passwordField 0x47552:$a4: get_passwordField 0x1e480:$a5: set_encryptedPassword 0x475b8:$a5: set_encryptedPassword 0x1e24d:$a7: get_logins 0x47385:$a7: get_logins 0x1d7e0:$a8: GetOutlookPasswords 0x46918:$a8: GetOutlookPasswords 0x1cd09:$a9: StartKeylogger 0x45e41:$a9: StartKeylogger 0x1b713:$a10: KeyLoggerEventArgs 0x4484b:$a10: KeyLoggerEventArgs 0x1b6e2:$a11: KeyLoggerEventArgsEventHandler 0x4481a:$a11: KeyLoggerEventArgsEventHandler 0x1e321:$a13: _encryptedPassword
2.2.RegSvcs.exe.4325570.7.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x22d25:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x4be5d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x22223:$a3: \Google\Chrome\User Data\Default\Login Data 0x4b35b:$a3: \Google\Chrome\User Data\Default\Login Data 0x22531:$a4: \Orbitum\User Data\Default\Login Data 0x4b669:$a4: \Orbitum\User Data\Default\Login Data 0x23329:$a5: \Kometa\User Data\Default\Login Data 0x4c461:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.4326458.6.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.4326458.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.4326458.6.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.4326458.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.4326458.6.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1d582:$a1: get_encryptedPassword 0x466ba:$a1: get_encryptedPassword 0x1d556:$a2: get_encryptedUsername 0x4668e:$a2: get_encryptedUsername 0x1d61a:$a3: get_timePasswordChanged 0x46752:$a3: get_timePasswordChanged 0x1d532:$a4: get_passwordField 0x4666a:$a4: get_passwordField 0x1d598:$a5: set_encryptedPassword 0x466d0:$a5: set_encryptedPassword 0x1d365:$a7: get_logins 0x4649d:$a7: get_logins 0x1c8f8:$a8: GetOutlookPasswords 0x45a30:$a8: GetOutlookPasswords 0x1be21:$a9: StartKeylogger 0x44f59:$a9: StartKeylogger 0x1a82b:$a10: KeyLoggerEventArgs 0x43963:$a10: KeyLoggerEventArgs 0x1a7fa:$a11: KeyLoggerEventArgsEventHandler 0x43932:$a11: KeyLoggerEventArgsEventHandler 0x1d439:$a13: _encryptedPassword
2.2.RegSvcs.exe.4326458.6.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x21e3d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x4af75:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2133b:$a3: \Google\Chrome\User Data\Default\Login Data 0x4a473:$a3: \Google\Chrome\User Data\Default\Login Data 0x21649:$a4: \Orbitum\User Data\Default\Login Data 0x4a781:$a4: \Orbitum\User Data\Default\Login Data 0x22441:$a5: \Kometa\User Data\Default\Login Data 0x4b579:$a5: \Kometa\User Data\Default\Login Data
Click to see the 94 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Double Extension File Execution

Source: Process started

Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\Desktop\Payment 01.08.25.pdf.exe", CommandLine: "C:\Users\user\Desktop\Payment 01.08.25.pdf.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe, NewProcessName: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe, OriginalFileName: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: "C:\Users\user\Desktop\Payment 01.08.25.pdf.exe", ProcessId: 7736, ProcessName: Payment 01.08.25.pdf.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T15:06:45.971389+0100	2803274	2	Potentially Bad Traffic	192.168.2.9	49742	193.122.6.168	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000002.00000002.2593397587.0000000004321000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "8130225934:AAEyhcaCjU8efiL3IfiEzJIIBH2y4dJ4Vug", "Telegram Chatid": "8008584601"}

Multi AV Scanner detection for submitted file

Source: Payment 01.08.25.pdf.exe

ReversingLabs: Detection: 52%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Payment 01.08.25.pdf.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Payment 01.08.25.pdf.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.9:49748 version: TLS 1.0

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000002.00000002.2593397587.0000000004321000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2590696831.0000000002F40000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2590935227.00000000030D0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: Payment 01.08.25.pdf.exe, 00000000.00000003.1360664380.00000000041D0000.00000004.00001000.00020000.00000000.sdmp, Payment 01.08.25.pdf.exe, 00000000.00000003.1360931745.0000000004370000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Payment 01.08.25.pdf.exe, 00000000.00000003.1360664380.00000000041D0000.00000004.00001000.00020000.00000000.sdmp, Payment 01.08.25.pdf.exe, 00000000.00000003.1360931745.0000000004370000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_0018C2A2 FindFirstFileExW,	0_2_0018C2A2
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_001C68EE FindFirstFileW,FindClose,	0_2_001C68EE
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_001C698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_001C698F
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_001BD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_001BD076
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_001BD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_001BD3A9
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_001C9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_001C9642
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_001C979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_001C979D
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_001C9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_001C9B2B
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_001BDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_001BDBBE
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_001C5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_001C5C97

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	2_2_02EEE190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05824C97h	2_2_05824878
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05824541h	2_2_05824290
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0582F831h	2_2_0582F588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0582EF81h	2_2_0582ECD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0582FC89h	2_2_0582F9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0582F3D9h	2_2_0582F130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05824C97h	2_2_0582486B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05824C97h	2_2_05824BC4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05F59910h	2_2_05F59668
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05F5E878h	2_2_05F5E5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05F5C480h	2_2_05F5C1D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05F5C028h	2_2_05F5BD80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05F5E420h	2_2_05F5E178
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05F5DFC8h	2_2_05F5DD20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05F5BBD0h	2_2_05F5B928
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05F5B778h	2_2_05F5B4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05F5DB70h	2_2_05F5D8C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05F507D5h	2_2_05F50498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05F5D718h	2_2_05F5D470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05F5B320h	2_2_05F5B078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05F502E9h	2_2_05F50040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05F59060h	2_2_05F58C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05F532F0h	2_2_05F53048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05F5AEC8h	2_2_05F5AC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05F5D2C0h	2_2_05F5D018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05F52E98h	2_2_05F52BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05F5CE68h	2_2_05F5CBC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05F5AA70h	2_2_05F5A7C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05F52A40h	2_2_05F52798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05F5A618h	2_2_05F5A370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05F525E8h	2_2_05F52340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05F5A1C0h	2_2_05F59F18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05F52190h	2_2_05F51EE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05F5F580h	2_2_05F5F2D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05F59D68h	2_2_05F59AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05F51D38h	2_2_05F51A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05F5F128h	2_2_05F5EE80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05F5131Ah	2_2_05F51270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05F5131Ah	2_2_05F51268
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05F5C8DAh	2_2_05F5C630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05F5ECD0h	2_2_05F5EA28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05F594B8h	2_2_05F59210

Source: global traffic

HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168
Source: Joe Sandbox View	IP Address: 104.21.96.1 104.21.96.1

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic

Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49742 -> 193.122.6.168:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.9:49748 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe

Code function: 0_2_001CCE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_001CCE44

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: RegSvcs.exe, 00000002.00000002.2591642315.000000000340C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000002.00000002.2591642315.0000000003400000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2591642315.000000000340C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000002.00000002.2591642315.0000000003389000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000002.00000002.2593397587.0000000004321000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2591559592.00000000031D0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2590696831.0000000002F40000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2590935227.00000000030D0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000002.00000002.2591642315.0000000003428000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000002.00000002.2591642315.0000000003389000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000002.00000002.2593397587.0000000004321000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2591559592.00000000031D0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2590696831.0000000002F40000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2590935227.00000000030D0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: RegSvcs.exe, 00000002.00000002.2591642315.000000000340C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: RegSvcs.exe, 00000002.00000002.2593397587.0000000004321000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2591559592.00000000031D0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2591642315.000000000340C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2590696831.0000000002F40000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2590935227.00000000030D0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000002.00000002.2591642315.000000000340C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l

Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748

Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe

Code function: 0_2_001CEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_001CEAFF

Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe

Code function: 0_2_001CED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_001CED6A

Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe

0_2_001CEAFF

Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe

Code function: 0_2_001BAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_001BAA57

Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe

Code function: 0_2_001E9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_001E9576

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.RegSvcs.exe.4325570.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.4325570.7.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.RegSvcs.exe.30d0000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.30d0000.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.30d0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.30d0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Payment 01.08.25.pdf.exe.4010000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.RegSvcs.exe.434f590.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.434f590.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.4326458.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.4326458.6.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.2f80f4e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.2f80f4e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.RegSvcs.exe.31d0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.31d0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.2f80f4e.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.2f80f4e.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.2f81e36.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.2f81e36.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.31d0000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.31d0000.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.30d0ee8.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.30d0ee8.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.30d0ee8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.30d0ee8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.434f590.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.434f590.8.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.2f81e36.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.2f81e36.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.4325570.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.4325570.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.4326458.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.4326458.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000002.2588684454.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.1371195942.0000000004010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000002.00000002.2591559592.00000000031D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.2591559592.00000000031D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000002.2593397587.0000000004321000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.2590935227.00000000030D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.2590935227.00000000030D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000002.2590696831.0000000002F40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 7800, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Binary is likely a compiled AutoIt script file

Source: Payment 01.08.25.pdf.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Payment 01.08.25.pdf.exe, 00000000.00000000.1347386077.0000000000212000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_e6553ec1-2
Source: Payment 01.08.25.pdf.exe, 00000000.00000000.1347386077.0000000000212000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_9384d6d1-0
Source: Payment 01.08.25.pdf.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_443dd714-4
Source: Payment 01.08.25.pdf.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_1356e343-5

Initial sample is a PE file and has a suspicious name

Source: initial sample	Static PE information: Filename: Payment 01.08.25.pdf.exe
Source: initial sample	Static PE information: Filename: Payment 01.08.25.pdf.exe

Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe

Code function: 0_2_001BD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_001BD5EB

Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe

Code function: 0_2_001B1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_001B1201

Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe

Code function: 0_2_001BE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_001BE8F6

Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_001C2046	0_2_001C2046
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_00158060	0_2_00158060
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_001B8298	0_2_001B8298
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_0018E4FF	0_2_0018E4FF
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_0018676B	0_2_0018676B
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_001E4873	0_2_001E4873
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_0017CAA0	0_2_0017CAA0
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_0015CAF0	0_2_0015CAF0
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_0016CC39	0_2_0016CC39
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_00186DD9	0_2_00186DD9
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_0016B119	0_2_0016B119
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_001591C0	0_2_001591C0
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_00171394	0_2_00171394
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_00171706	0_2_00171706
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_0017781B	0_2_0017781B
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_00157920	0_2_00157920
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_0016997D	0_2_0016997D
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_001719B0	0_2_001719B0
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_00177A4A	0_2_00177A4A
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_00171C77	0_2_00171C77
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_00177CA7	0_2_00177CA7
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_001DBE44	0_2_001DBE44
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_00189EEE	0_2_00189EEE
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_00171F32	0_2_00171F32
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_0015BF40	0_2_0015BF40
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_016DAE00	0_2_016DAE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00408C60	2_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0040DC11	2_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00407C3F	2_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00418CCC	2_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00406CA0	2_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004028B0	2_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0041A4BE	2_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00418244	2_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00401650	2_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00402F20	2_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004193C4	2_2_004193C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00418788	2_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00402F89	2_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00402B90	2_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004073A0	2_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02EE1448	2_2_02EE1448
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02EE1438	2_2_02EE1438
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02EE11A8	2_2_02EE11A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02EE1199	2_2_02EE1199
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0582B490	2_2_0582B490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05826F70	2_2_05826F70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0582BB60	2_2_0582BB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05824290	2_2_05824290
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0582F588	2_2_0582F588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0582F579	2_2_0582F579
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0582ECC8	2_2_0582ECC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0582ECD8	2_2_0582ECD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05826F60	2_2_05826F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0582F9CF	2_2_0582F9CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0582F9E0	2_2_0582F9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0582F121	2_2_0582F121
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0582F130	2_2_0582F130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05824280	2_2_05824280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_058222B0	2_2_058222B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0582AAD9	2_2_0582AAD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0582AAE8	2_2_0582AAE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F55938	2_2_05F55938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F59668	2_2_05F59668
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F5E5D0	2_2_05F5E5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F5C1D8	2_2_05F5C1D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F5E5C0	2_2_05F5E5C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F5C1C8	2_2_05F5C1C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F5BD80	2_2_05F5BD80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F5BD70	2_2_05F5BD70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F5E178	2_2_05F5E178
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F5E169	2_2_05F5E169
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F5DD20	2_2_05F5DD20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F5B928	2_2_05F5B928
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F5DD11	2_2_05F5DD11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F5B919	2_2_05F5B919
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F5B4D0	2_2_05F5B4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F5B4C0	2_2_05F5B4C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F5D8C8	2_2_05F5D8C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F5D8B9	2_2_05F5D8B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F534A0	2_2_05F534A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F50498	2_2_05F50498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F50487	2_2_05F50487
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F5D470	2_2_05F5D470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F5B078	2_2_05F5B078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F5D461	2_2_05F5D461
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F5B068	2_2_05F5B068
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F50040	2_2_05F50040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F58C40	2_2_05F58C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F53048	2_2_05F53048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F53038	2_2_05F53038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F5AC20	2_2_05F5AC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F5AC11	2_2_05F5AC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F5D018	2_2_05F5D018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F50006	2_2_05F50006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F5D008	2_2_05F5D008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F52BF0	2_2_05F52BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F52BE0	2_2_05F52BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F5CBC0	2_2_05F5CBC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F5A7C8	2_2_05F5A7C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F5A7B8	2_2_05F5A7B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F5CBAF	2_2_05F5CBAF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F52798	2_2_05F52798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F52789	2_2_05F52789
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F5A370	2_2_05F5A370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F5A361	2_2_05F5A361
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F52340	2_2_05F52340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F52330	2_2_05F52330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F59F18	2_2_05F59F18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F59F08	2_2_05F59F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F50AF8	2_2_05F50AF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F51EE8	2_2_05F51EE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F50AE8	2_2_05F50AE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F5F2D8	2_2_05F5F2D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F51ED8	2_2_05F51ED8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F59AC0	2_2_05F59AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F5F2C8	2_2_05F5F2C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F59AB1	2_2_05F59AB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F51A90	2_2_05F51A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F5EE80	2_2_05F5EE80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F5EE70	2_2_05F5EE70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F51A7F	2_2_05F51A7F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F59658	2_2_05F59658
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F5C630	2_2_05F5C630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F5C620	2_2_05F5C620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F5EA28	2_2_05F5EA28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F59210	2_2_05F59210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F5EA19	2_2_05F5EA19
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F59200	2_2_05F59200

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: String function: 00174963 appears 31 times
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: String function: 00170A30 appears 46 times
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: String function: 0016F9F2 appears 40 times
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: String function: 00159CB3 appears 31 times

Source: Payment 01.08.25.pdf.exe, 00000000.00000003.1360172009.000000000449D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Payment 01.08.25.pdf.exe
Source: Payment 01.08.25.pdf.exe, 00000000.00000003.1359038750.00000000042F3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Payment 01.08.25.pdf.exe
Source: Payment 01.08.25.pdf.exe, 00000000.00000002.1371195942.0000000004010000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs Payment 01.08.25.pdf.exe

Source: Payment 01.08.25.pdf.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.RegSvcs.exe.4325570.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.4325570.7.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.RegSvcs.exe.30d0000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.30d0000.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.30d0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.30d0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Payment 01.08.25.pdf.exe.4010000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.RegSvcs.exe.434f590.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.434f590.8.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.4326458.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.4326458.6.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.2f80f4e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.2f80f4e.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.RegSvcs.exe.31d0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.31d0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.2f80f4e.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.2f80f4e.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.2f81e36.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.2f81e36.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.31d0000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.31d0000.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.30d0ee8.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.30d0ee8.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.30d0ee8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.30d0ee8.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.434f590.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.434f590.8.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.2f81e36.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.2f81e36.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.4325570.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.4325570.7.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.4326458.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.4326458.6.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.2588684454.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000002.1371195942.0000000004010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000002.00000002.2591559592.00000000031D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.2591559592.00000000031D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.2593397587.0000000004321000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.2590935227.00000000030D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.2590935227.00000000030D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.2590696831.0000000002F40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 7800, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/2

Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe

Code function: 0_2_001C37B5 GetLastError,FormatMessageW,

0_2_001C37B5

Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_001B10BF AdjustTokenPrivileges,CloseHandle,		0_2_001B10BF
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_001B16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_001B16C3

Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe

Code function: 0_2_001C51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_001C51CD

Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe

Code function: 0_2_001DA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_001DA67C

Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe

Code function: 0_2_001C648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_001C648E

Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe

Code function: 0_2_001542A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_001542A2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe

File created: C:\Users\user\AppData\Local\Temp\Dunlop

Jump to behavior

Source: Payment 01.08.25.pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.2591642315.000000000347B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2593397587.00000000043A0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2591642315.0000000003489000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2591642315.000000000346B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2591642315.000000000349E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2591642315.00000000034AA000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Payment 01.08.25.pdf.exe

ReversingLabs: Detection: 52%

Source: unknown	Process created: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe "C:\Users\user\Desktop\Payment 01.08.25.pdf.exe"
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Payment 01.08.25.pdf.exe"
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Payment 01.08.25.pdf.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Payment 01.08.25.pdf.exe

Static file information: File size 1589760 > 1048576

Source: Payment 01.08.25.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Payment 01.08.25.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Payment 01.08.25.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Payment 01.08.25.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Payment 01.08.25.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Payment 01.08.25.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Payment 01.08.25.pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000002.00000002.2593397587.0000000004321000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2590696831.0000000002F40000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2590935227.00000000030D0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: Payment 01.08.25.pdf.exe, 00000000.00000003.1360664380.00000000041D0000.00000004.00001000.00020000.00000000.sdmp, Payment 01.08.25.pdf.exe, 00000000.00000003.1360931745.0000000004370000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Payment 01.08.25.pdf.exe, 00000000.00000003.1360664380.00000000041D0000.00000004.00001000.00020000.00000000.sdmp, Payment 01.08.25.pdf.exe, 00000000.00000003.1360931745.0000000004370000.00000004.00001000.00020000.00000000.sdmp

Source: Payment 01.08.25.pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Payment 01.08.25.pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Payment 01.08.25.pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Payment 01.08.25.pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Payment 01.08.25.pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe

Code function: 0_2_001542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001542DE

Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_00170A76 push ecx; ret	0_2_00170A89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0041C40C push cs; iretd	2_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00423149 push eax; ret	2_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0041C50E push cs; iretd	2_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004231C8 push eax; ret	2_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0040E21D push ecx; ret	2_2_0040E230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0041C6BE push ebx; ret	2_2_0041C6BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02EE4A8C push esp; retf	2_2_02EE4A8D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02EE3A86 push esp; iretd	2_2_02EE3A87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02EE43A9 push esp; iretd	2_2_02EE43B5

Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_0016F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0016F98E
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_001E1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_001E1C41

Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: RegSvcs.exe PID: 7800, type: MEMORYSTR

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-99006

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe

API/Special instruction interceptor: Address: 16DAA24

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 2_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

2_2_004019F0

Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe

API coverage: 3.6 %

Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_0018C2A2 FindFirstFileExW,	0_2_0018C2A2
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_001C68EE FindFirstFileW,FindClose,	0_2_001C68EE
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_001C698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_001C698F
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_001BD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_001BD076
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_001BD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_001BD3A9
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_001C9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_001C9642
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_001C979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_001C979D
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_001C9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_001C9B2B
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_001BDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_001BDBBE
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_001C5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_001C5C97

Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe

Code function: 0_2_001542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001542DE

Source: Payment 01.08.25.pdf.exe, 00000000.00000002.1369489918.0000000001638000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: A1KvmCiZKdUEI0cV
Source: RegSvcs.exe, 00000002.00000002.2589319122.0000000001451000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllj

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

API call chain: ExitProcess graph end node

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 2_2_0582B490 LdrInitializeThunk,

2_2_0582B490

Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe

Code function: 0_2_001CEAA2 BlockInput,

0_2_001CEAA2

Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe

Code function: 0_2_00182622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00182622

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

2_2_004019F0

Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe

Code function: 0_2_001542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001542DE

Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_00174CE8 mov eax, dword ptr fs:[00000030h]	0_2_00174CE8
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_016DACF0 mov eax, dword ptr fs:[00000030h]	0_2_016DACF0
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_016DAC90 mov eax, dword ptr fs:[00000030h]	0_2_016DAC90
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_016D9660 mov eax, dword ptr fs:[00000030h]	0_2_016D9660

Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe

Code function: 0_2_001B0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_001B0B62

Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_00182622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00182622
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_0017083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0017083F
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_001709D5 SetUnhandledExceptionFilter,	0_2_001709D5
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_00170C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00170C21
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0040CE09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0040E61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00416F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004123F1 SetUnhandledExceptionFilter,	2_2_004123F1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1111008

Jump to behavior

Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe

0_2_001B1201

Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe

Code function: 0_2_00192BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00192BA5

Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe

Code function: 0_2_001BB226 SendInput,keybd_event,

0_2_001BB226

Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe

Code function: 0_2_001D22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_001D22DA

Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Payment 01.08.25.pdf.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe

0_2_001B0B62

Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe

Code function: 0_2_001B1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_001B1663

Source: Payment 01.08.25.pdf.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Payment 01.08.25.pdf.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe

Code function: 0_2_00170698 cpuid

0_2_00170698

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: GetLocaleInfoA,

2_2_00417A20

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe

Code function: 0_2_001C8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_001C8195

Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe

Code function: 0_2_001AD27A GetUserNameW,

0_2_001AD27A

Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe

Code function: 0_2_0018B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0018B952

Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe

Code function: 0_2_001542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001542DE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 2.2.RegSvcs.exe.4325570.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.30d0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.30d0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.434f590.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4326458.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2f80f4e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.31d0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2f80f4e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2f81e36.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.31d0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.30d0ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.30d0ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.434f590.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2f81e36.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4325570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4326458.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2591559592.00000000031D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2593397587.0000000004321000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2590935227.00000000030D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2590696831.0000000002F40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7800, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 2.2.RegSvcs.exe.4325570.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.30d0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.30d0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.434f590.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4326458.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2f80f4e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.31d0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2f80f4e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2f81e36.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.31d0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.30d0ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.30d0ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.434f590.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2f81e36.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4325570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4326458.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2591559592.00000000031D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2593397587.0000000004321000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2590935227.00000000030D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2590696831.0000000002F40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 2.2.RegSvcs.exe.4325570.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.30d0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.30d0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.434f590.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4326458.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2f80f4e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.31d0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2f80f4e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2f81e36.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.31d0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.30d0ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.30d0ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.434f590.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2f81e36.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4325570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4326458.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2591559592.00000000031D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2593397587.0000000004321000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2590935227.00000000030D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2590696831.0000000002F40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7800, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Payment 01.08.25.pdf.exe	Binary or memory string: WIN_81
Source: Payment 01.08.25.pdf.exe	Binary or memory string: WIN_XP
Source: Payment 01.08.25.pdf.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: Payment 01.08.25.pdf.exe	Binary or memory string: WIN_XPe
Source: Payment 01.08.25.pdf.exe	Binary or memory string: WIN_VISTA
Source: Payment 01.08.25.pdf.exe	Binary or memory string: WIN_7
Source: Payment 01.08.25.pdf.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 2.2.RegSvcs.exe.4325570.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.30d0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.30d0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.434f590.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4326458.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2f80f4e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.31d0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2f80f4e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2f81e36.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.31d0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.30d0ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.30d0ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.434f590.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2f81e36.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4325570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4326458.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2591642315.00000000034E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2591559592.00000000031D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2593397587.0000000004321000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2590935227.00000000030D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2590696831.0000000002F40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7800, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 2.2.RegSvcs.exe.4325570.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.30d0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.30d0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.434f590.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4326458.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2f80f4e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.31d0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2f80f4e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2f81e36.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.31d0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.30d0ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.30d0ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.434f590.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2f81e36.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4325570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4326458.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2591559592.00000000031D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2593397587.0000000004321000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2590935227.00000000030D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2590696831.0000000002F40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7800, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 2.2.RegSvcs.exe.4325570.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.30d0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.30d0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.434f590.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4326458.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2f80f4e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.31d0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2f80f4e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2f81e36.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.31d0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.30d0ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.30d0ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.434f590.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2f81e36.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4325570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4326458.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2591559592.00000000031D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2593397587.0000000004321000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2590935227.00000000030D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2590696831.0000000002F40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 2.2.RegSvcs.exe.4325570.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.30d0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.30d0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.434f590.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4326458.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2f80f4e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.31d0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2f80f4e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2f81e36.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.31d0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.30d0ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.30d0ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.434f590.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2f81e36.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4325570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4326458.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2591559592.00000000031D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2593397587.0000000004321000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2590935227.00000000030D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2590696831.0000000002F40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7800, type: MEMORYSTR

Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_001D1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_001D1204
Source: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe	Code function: 0_2_001D1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_001D1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	137 System Information Discovery	Distributed Component Object Model	21 Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	2 Valid Accounts	LSA Secrets	231 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	212 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Payment 01.08.25.pdf.exe	53%	ReversingLabs	Win32.Trojan.AutoitInject
Payment 01.08.25.pdf.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Reputation
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	high
reallyfreegeoip.org	104.21.96.1	true	false	high
checkip.dyndns.com	193.122.6.168	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://reallyfreegeoip.org	RegSvcs.exe, 00000002.00000002.2591642315.000000000340C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	RegSvcs.exe, 00000002.00000002.2591642315.0000000003400000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2591642315.000000000340C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	RegSvcs.exe, 00000002.00000002.2591642315.000000000340C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189l	RegSvcs.exe, 00000002.00000002.2591642315.000000000340C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000002.00000002.2591642315.0000000003389000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot-/sendDocument?chat_id=	RegSvcs.exe, 00000002.00000002.2593397587.0000000004321000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2591559592.00000000031D0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2590696831.0000000002F40000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2590935227.00000000030D0000.00000004.08000000.00040000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	RegSvcs.exe, 00000002.00000002.2593397587.0000000004321000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2591559592.00000000031D0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2590696831.0000000002F40000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2590935227.00000000030D0000.00000004.08000000.00040000.00000000.sdmp	false	high
http://reallyfreegeoip.org	RegSvcs.exe, 00000002.00000002.2591642315.0000000003428000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	RegSvcs.exe, 00000002.00000002.2593397587.0000000004321000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2591559592.00000000031D0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2591642315.000000000340C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2590696831.0000000002F40000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2590935227.00000000030D0000.00000004.08000000.00040000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.122.6.168	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false
104.21.96.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1586737
Start date and time:	2025-01-09 15:05:50 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Payment 01.08.25.pdf.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 42 Number of non-executed functions: 310
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 52.149.20.212
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Payment 01.08.25.pdf.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
193.122.6.168	December Reconciliation QuanKang.exe	Get hash	malicious	Unknown	Browse	checkip.dyndns.org/
	PO.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	New order 2025.msg	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	file.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	INQUIRY.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	Technonomic.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	HALKBANK EKSTRE.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	EPIRTURMEROOO0060.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Proforma Invoice.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	HUBED342024.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
104.21.96.1	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	pelisplus.so/administrator/index.php
104.21.96.1	Recibos.exe	Get hash	malicious	FormBook	Browse	www.mffnow.info/1a34/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	December Reconciliation QuanKang.exe	Get hash	malicious	Unknown	Browse	104.21.48.1
	JB#40044 Order.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	PO.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	BgroUcYHpy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	pbCN4g6sN5.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	HVSU7GbA5N.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	oagkiAhXgZ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	VSLS SCHEDULE_pdf.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	ungziped_file.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	fatura098002.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
checkip.dyndns.com	December Reconciliation QuanKang.exe	Get hash	malicious	Unknown	Browse	193.122.6.168
	JB#40044 Order.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	PO.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	BgroUcYHpy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	pbCN4g6sN5.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	HVSU7GbA5N.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.8.169
	oagkiAhXgZ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	VSLS SCHEDULE_pdf.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	ungziped_file.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	fatura098002.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
s-part-0017.t-0009.t-msedge.net	24EPV9vjc5.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	VmjvNTbD5J.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://combatironapparel.com/collections/ranger-panty-shorts	Get hash	malicious	Unknown	Browse	13.107.246.45
	cLm7ThwEvh.msi	Get hash	malicious	Unknown	Browse	13.107.246.45
	EMfRi659Ir.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://laserglow-technologies-industrial-48815730.hubspotpagebuilder.com/laserglow	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	colleague[1].htm	Get hash	malicious	Unknown	Browse	13.107.246.45
	bc7EKCf.exe	Get hash	malicious	StormKitty	Browse	13.107.246.45
	https://mo.iecxtug.ru/eoQpd/	Get hash	malicious	Unknown	Browse	13.107.246.45
	1In8uYbvZJ.ps1	Get hash	malicious	Unknown	Browse	13.107.246.45

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	December Reconciliation QuanKang.exe	Get hash	malicious	Unknown	Browse	193.122.6.168
	PO.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	BgroUcYHpy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	VSLS SCHEDULE_pdf.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	ungziped_file.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	miori.x86.elf	Get hash	malicious	Unknown	Browse	140.204.251.205
	New order 2025.msg	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	193.122.130.0
	FORTUNE RICH_PARTICULARS.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
CLOUDFLARENETUS	24EPV9vjc5.exe	Get hash	malicious	Unknown	Browse	172.67.174.91
	kXzODlqJak.exe	Get hash	malicious	Unknown	Browse	104.21.80.52
	https://combatironapparel.com/collections/ranger-panty-shorts	Get hash	malicious	Unknown	Browse	104.21.72.124
	24EPV9vjc5.exe	Get hash	malicious	Unknown	Browse	172.67.174.91
	kXzODlqJak.exe	Get hash	malicious	Unknown	Browse	104.21.80.52
	cLm7ThwEvh.msi	Get hash	malicious	Unknown	Browse	172.67.174.91
	https://meliopayments.cloudfilesbureau.com/j319C	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
	https://laserglow-technologies-industrial-48815730.hubspotpagebuilder.com/laserglow	Get hash	malicious	HTMLPhisher	Browse	104.16.117.116
	http://cipassoitalia.it	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	104.21.48.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	December Reconciliation QuanKang.exe	Get hash	malicious	Unknown	Browse	104.21.96.1
	JB#40044 Order.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	PO.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	BgroUcYHpy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	pbCN4g6sN5.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	HVSU7GbA5N.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.96.1
	oagkiAhXgZ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	VSLS SCHEDULE_pdf.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	ungziped_file.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	fatura098002.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1

Process:	C:\Users\user\Desktop\Payment 01.08.25.pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	210432
Entropy (8bit):	7.868208492099875
Encrypted:	false
SSDEEP:	6144:QsovZ5FOzviPfibtwdLGZQipYMF/MaBVr:98ZjyMfibtwdLGiiV0aBVr
MD5:	93596E6DFAD0649164A4CBDA28D9B987
SHA1:	53DD7D4AC11D35F514A68312F15F9347B710F0AA
SHA-256:	905823C3BD22911C7562150D9FFE99CE2C5985FAF8E57427D72E1FE5AB7D56E9
SHA-512:	E912B14B40D80D1CF45150F281FA29BA300A038A9A0ED96B6FF794149E150F62E2FF72A767941706DC5718384427B27CFAA80FC7F4943CD696133E320A3F4378
Malicious:	false
Reputation:	low
Preview:	...KU1O22UXE..61.TJPIYQIrQ4SGNKV1O26UXEOK61UTJPIYQI2Q4SGNKV1.26UVZ.E6.\.k.H..hf9] g>99V=S[u;$!%YEu6/p;,?i[?....k;^+W.XUOkK61UTJP!I.d. .-k?.(.>.Hg{:1tG.+_..7r .L}E.9.:.O}.X+D4.5..<*.!.'cjI/.".0.?R'.G.&EOK61UTJPIYQI2Q4.)..V1O2f.XE.J21!.J.IYQI2Q4S.NhW:N;6U.DOK.0UTJPIv.I2Q$SGN.W1O2vUXUOK63UTOPIYQI2Q1SGNKV1O2.VXEKK6.nVJRIY.I2A4SWNKV1_26EXEOK61ETJPIYQI2Q4S.[IVaO26U8GOc#0UTJPIYQI2Q4SGNKV1O26UXEOK..TTVPIYQI2Q4SGNKV1O26UXEOK61UTJ.D[Q.2Q4SGNKV1O26.YE.J61UTJPIYQI2Q4SGNKV1O26UXEOeBT- JPIA.H2Q$SGN.W1O66UXEOK61UTJPIYqI21.!#/?71O.[UXE.J61;TJP.XQI2Q4SGNKV1O2vUX.a/WE4TJP.iQI2q6SGXKV1E06UXEOK61UTJPI.QI..F 5-KV1g'7UX%MK6'TTJpKYQI2Q4SGNKV1Or6U.EOK61UTJPIYQI2Q4SGNKV1O26UXEOK61UTJPIYQI2Q4SGNKV1O26UXEOK61UTJPIYQI2Q4SGNKV1O26UXEOK61UTJPIYQI2Q4SGNKV1O26UXEOK61UTJPIYQI2Q4SGNKV1O26UXEOK61UTJPIYQI2Q4SGNKV1O26UXEOK61UTJPIYQI2Q4SGNKV1O26UXEOK61UTJPIYQI2Q4SGNKV1O26UXEOK61UTJPIYQI2Q4SGNKV1O26UXEOK61UTJPIYQI2Q4SGNKV1O26UXEOK61UTJPIYQI2Q4SGNKV1O26UXEOK61UTJPIYQI2Q4SGNKV1O26UXEOK61UTJPIYQI2Q4SGNKV1O26UXEOK61UTJPIYQI2Q4S

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.202670306919577
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Payment 01.08.25.pdf.exe
File size:	1'589'760 bytes
MD5:	00999bb19db0f763b52315ac98a7c8d3
SHA1:	b354ea577e59ed9c314e587c1c8c53de3ca19c27
SHA256:	b9f10bbaec165ee961fd1bfa4a18de52c97054ee962f842514eff1c5e21785c4
SHA512:	cd286d9e2cd2e156bf3359328d016e19c66787ed5157cca4201e25b924572f1a0bbc17b7c3dc251f895558ac87f851b1b9f0236defbc81343a2214993f09c7c6
SSDEEP:	24576:aqDEvCTbMWu7rQYlBQcBiT6rprG8aA1ZAsvc+hgo53deR26h0Df+qiQ:aTvC/MTQYxsWR7a39+hgkdegE0L+q
TLSH:	CF756A26EA40E555EED75132CA85B1BB4EF89F6ACD32F11F23543C2A7B307EC0129652
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	96336dcccc92d4cc

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x677F2766 [Thu Jan 9 01:33:26 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F5CE8EBC6F3h
jmp 00007F5CE8EBBFFFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F5CE8EBC1DDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F5CE8EBC1AAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F5CE8EBED9Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F5CE8EBEDE8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F5CE8EBEDD1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0xad74c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x182000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0xad74c	0xad800	37c47d4b13f9731614cbf0ce4b43b32b	False	0.7879888441102305	data	7.571467218400745	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x182000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45d8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd4700	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd4828	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4950	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 886 x 886 px/m	English	Great Britain	0.5895390070921985
RT_ICON	0xd4db8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 886 x 886 px/m	English	Great Britain	0.4086065573770492
RT_ICON	0xd5740	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 886 x 886 px/m	English	Great Britain	0.3142589118198874
RT_ICON	0xd67e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 886 x 886 px/m	English	Great Britain	0.21234439834024896
RT_ICON	0xd8d90	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 886 x 886 px/m	English	Great Britain	0.16922531884742562
RT_ICON	0xdcfb8	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 20736, resolution 886 x 886 px/m	English	Great Britain	0.15027726432532348
RT_ICON	0xe2440	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 36864, resolution 886 x 886 px/m	English	Great Britain	0.11598696657557284
RT_ICON	0xeb8e8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 886 x 886 px/m	English	Great Britain	0.06364604282503253
RT_ICON	0xfc110	0x50b7	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	Great Britain	0.9974350287954314
RT_MENU	0x1011c8	0x50	data	English	Great Britain	0.9
RT_STRING	0x101218	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0x1017ac	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0x101e38	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0x1022c8	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0x1028c4	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0x102f20	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0x103388	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0x1034e0	0x7dce0	data			1.0003221449419364
RT_GROUP_ICON	0x1811c0	0x84	data	English	Great Britain	0.75
RT_GROUP_ICON	0x181244	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x181258	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x18126c	0x14	data	English	Great Britain	1.25
RT_VERSION	0x181280	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x18135c	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-09T15:06:45.971389+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.9	49742	193.122.6.168	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 15:06:45.026132107 CET	49742	80	192.168.2.9	193.122.6.168
Jan 9, 2025 15:06:45.030999899 CET	80	49742	193.122.6.168	192.168.2.9
Jan 9, 2025 15:06:45.031086922 CET	49742	80	192.168.2.9	193.122.6.168
Jan 9, 2025 15:06:45.031408072 CET	49742	80	192.168.2.9	193.122.6.168
Jan 9, 2025 15:06:45.036159992 CET	80	49742	193.122.6.168	192.168.2.9
Jan 9, 2025 15:06:45.718791962 CET	80	49742	193.122.6.168	192.168.2.9
Jan 9, 2025 15:06:45.724293947 CET	49742	80	192.168.2.9	193.122.6.168
Jan 9, 2025 15:06:45.729082108 CET	80	49742	193.122.6.168	192.168.2.9
Jan 9, 2025 15:06:45.916696072 CET	80	49742	193.122.6.168	192.168.2.9
Jan 9, 2025 15:06:45.926430941 CET	49748	443	192.168.2.9	104.21.96.1
Jan 9, 2025 15:06:45.926476002 CET	443	49748	104.21.96.1	192.168.2.9
Jan 9, 2025 15:06:45.926541090 CET	49748	443	192.168.2.9	104.21.96.1
Jan 9, 2025 15:06:45.935125113 CET	49748	443	192.168.2.9	104.21.96.1
Jan 9, 2025 15:06:45.935137033 CET	443	49748	104.21.96.1	192.168.2.9
Jan 9, 2025 15:06:45.971389055 CET	49742	80	192.168.2.9	193.122.6.168
Jan 9, 2025 15:06:46.406188011 CET	443	49748	104.21.96.1	192.168.2.9
Jan 9, 2025 15:06:46.406301022 CET	49748	443	192.168.2.9	104.21.96.1
Jan 9, 2025 15:06:46.411896944 CET	49748	443	192.168.2.9	104.21.96.1
Jan 9, 2025 15:06:46.411921978 CET	443	49748	104.21.96.1	192.168.2.9
Jan 9, 2025 15:06:46.412235022 CET	443	49748	104.21.96.1	192.168.2.9
Jan 9, 2025 15:06:46.455667019 CET	49748	443	192.168.2.9	104.21.96.1
Jan 9, 2025 15:06:46.496697903 CET	49748	443	192.168.2.9	104.21.96.1
Jan 9, 2025 15:06:46.539347887 CET	443	49748	104.21.96.1	192.168.2.9
Jan 9, 2025 15:06:46.616565943 CET	443	49748	104.21.96.1	192.168.2.9
Jan 9, 2025 15:06:46.616717100 CET	443	49748	104.21.96.1	192.168.2.9
Jan 9, 2025 15:06:46.616774082 CET	49748	443	192.168.2.9	104.21.96.1
Jan 9, 2025 15:06:46.623588085 CET	49748	443	192.168.2.9	104.21.96.1
Jan 9, 2025 15:07:50.916547060 CET	80	49742	193.122.6.168	192.168.2.9
Jan 9, 2025 15:07:50.916623116 CET	49742	80	192.168.2.9	193.122.6.168
Jan 9, 2025 15:08:25.925035000 CET	49742	80	192.168.2.9	193.122.6.168
Jan 9, 2025 15:08:25.930022955 CET	80	49742	193.122.6.168	192.168.2.9

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 15:06:45.010416985 CET	65065	53	192.168.2.9	1.1.1.1
Jan 9, 2025 15:06:45.017240047 CET	53	65065	1.1.1.1	192.168.2.9
Jan 9, 2025 15:06:45.918577909 CET	52657	53	192.168.2.9	1.1.1.1
Jan 9, 2025 15:06:45.925702095 CET	53	52657	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 9, 2025 15:06:45.010416985 CET	192.168.2.9	1.1.1.1	0x9a3a	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 9, 2025 15:06:45.918577909 CET	192.168.2.9	1.1.1.1	0xe725	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 9, 2025 15:06:38.467410088 CET	1.1.1.1	192.168.2.9	0xd65e	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 15:06:38.467410088 CET	1.1.1.1	192.168.2.9	0xd65e	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Jan 9, 2025 15:06:45.017240047 CET	1.1.1.1	192.168.2.9	0x9a3a	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 15:06:45.017240047 CET	1.1.1.1	192.168.2.9	0x9a3a	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 9, 2025 15:06:45.017240047 CET	1.1.1.1	192.168.2.9	0x9a3a	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 9, 2025 15:06:45.017240047 CET	1.1.1.1	192.168.2.9	0x9a3a	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 9, 2025 15:06:45.017240047 CET	1.1.1.1	192.168.2.9	0x9a3a	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 9, 2025 15:06:45.017240047 CET	1.1.1.1	192.168.2.9	0x9a3a	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 9, 2025 15:06:45.925702095 CET	1.1.1.1	192.168.2.9	0xe725	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 15:06:45.925702095 CET	1.1.1.1	192.168.2.9	0xe725	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 15:06:45.925702095 CET	1.1.1.1	192.168.2.9	0xe725	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 15:06:45.925702095 CET	1.1.1.1	192.168.2.9	0xe725	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 15:06:45.925702095 CET	1.1.1.1	192.168.2.9	0xe725	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 15:06:45.925702095 CET	1.1.1.1	192.168.2.9	0xe725	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 15:06:45.925702095 CET	1.1.1.1	192.168.2.9	0xe725	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49742	193.122.6.168	80	7800	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 15:06:45.031408072 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 9, 2025 15:06:45.718791962 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 14:06:45 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 9, 2025 15:06:45.724293947 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 9, 2025 15:06:45.916696072 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 14:06:45 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49748	104.21.96.1	443	7800	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 14:06:46 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-09 14:06:46 UTC	853	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 14:06:46 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1746395 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RD2UoxM2KzRz8nrH6wUM7jclXqPGobUXsgtsO1BSNILAj8BIWb7EmKCUDS3ktExjRkz%2BbUCvx9MzYjRHXrwD9QNaFzN3n8vJNy6aRzkB%2FS4lpa5mOZtdJ5On9lGgZ3krBvKFd2NZ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff4fd64efea4363-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1599&min_rtt=1592&rtt_var=602&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1834170&cwnd=240&unsent_bytes=0&cid=1585de6e322e425b&ts=223&x=0"
2025-01-09 14:06:46 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	09:06:41
Start date:	09/01/2025
Path:	C:\Users\user\Desktop\Payment 01.08.25.pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Payment 01.08.25.pdf.exe"
Imagebase:	0x150000
File size:	1'589'760 bytes
MD5 hash:	00999BB19DB0F763B52315AC98A7C8D3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.1371195942.0000000004010000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:06:42
Start date:	09/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Payment 01.08.25.pdf.exe"
Imagebase:	0xe10000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000002.00000002.2588684454.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2591642315.00000000034E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000002.00000002.2591559592.00000000031D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2591559592.00000000031D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.2591559592.00000000031D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.2591559592.00000000031D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.2591559592.00000000031D0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000002.00000002.2591559592.00000000031D0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000002.00000002.2593397587.0000000004321000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2593397587.0000000004321000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.2593397587.0000000004321000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.2593397587.0000000004321000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.2593397587.0000000004321000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000002.00000002.2590935227.00000000030D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2590935227.00000000030D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.2590935227.00000000030D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.2590935227.00000000030D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.2590935227.00000000030D0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000002.00000002.2590935227.00000000030D0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000002.00000002.2590696831.0000000002F40000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2590696831.0000000002F40000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.2590696831.0000000002F40000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.2590696831.0000000002F40000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.2590696831.0000000002F40000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.5%
Dynamic/Decrypted Code Coverage:	1.1%
Signature Coverage:	3.8%
Total number of Nodes:	1507
Total number of Limit Nodes:	28

Executed Functions

Function 001542DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0015430D

Part of subcall function 00156B57: _wcslen.LIBCMT ref: 00156B6A

GetCurrentProcess.KERNEL32(?,001ECB64,00000000,?,?), ref: 00154422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00154429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00154454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00154466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00154474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0015447B
GetSystemInfo.KERNEL32(?,?,?), ref: 001544A0

Strings

GetNativeSystemInfo, xrefs: 00154460
|O, xrefs: 001936F8
kernel32.dll, xrefs: 0015444F

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 240c760eb0e82da9d2a588675ec6738c74e7775eb517bcdbb185bff271dcdb08
Instruction ID: 22279f1435e5948761dc6f94fb5d01f71915e6be01572e06a91aeca22725e525
Opcode Fuzzy Hash: 240c760eb0e82da9d2a588675ec6738c74e7775eb517bcdbb185bff271dcdb08
Instruction Fuzzy Hash: DCA1B66290A2C0EFCB35CBE97C4C9997FA67B36304B0874D9E45197A61D33046ABCB61

Function 001542A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,001550AA,?,?,00000000,00000000), ref: 001542B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,001550AA,?,?,00000000,00000000), ref: 001542C9
LoadResource.KERNEL32(?,00000000,?,?,001550AA,?,?,00000000,00000000,?,?,?,?,?,?,00154F20), ref: 001935BE
SizeofResource.KERNEL32(?,00000000,?,?,001550AA,?,?,00000000,00000000,?,?,?,?,?,?,00154F20), ref: 001935D3
LockResource.KERNEL32(001550AA,?,?,001550AA,?,?,00000000,00000000,?,?,?,?,?,?,00154F20,?), ref: 001935E6

Strings

SCRIPT, xrefs: 001542BF

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: ac72ea9211f716bc877a8379519253496d4644c31e57652ac41b0543c50c65cb
Instruction ID: 2d84d6eb4e90176d410e896e0c7df889038c66e723828ae807ea6bd24b13b1cf
Opcode Fuzzy Hash: ac72ea9211f716bc877a8379519253496d4644c31e57652ac41b0543c50c65cb
Instruction Fuzzy Hash: 2711C270200701FFD7218BA5EC88F2B7BB9EBC5B56F104169F913CA550DB71DC458660

Function 00192BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00152B6B

Part of subcall function 00153A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00221418,?,00152E7F,?,?,?,00000000), ref: 00153A78

Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00212224), ref: 00192C10
ShellExecuteW.SHELL32(00000000,?,?,00212224), ref: 00192C17

Strings

runas, xrefs: 00192C0B

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 656612735b52c8760b4d8968c6a784bd6ed1a488f9142df7b8d00c06b22c761f
Instruction ID: ebea74c824aaa9a418887711b52f2fa7500cc38d7cba04a52d75cc58b4ae3fb6
Opcode Fuzzy Hash: 656612735b52c8760b4d8968c6a784bd6ed1a488f9142df7b8d00c06b22c761f
Instruction Fuzzy Hash: AC119332204345EAC718FFA0E851DAD77A4ABB6342F44142DF8765F0A2DF31955EC752

Function 0015D730 Relevance: 21.6, APIs: 14, Instructions: 621windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0015D807
timeGetTime.WINMM ref: 0015DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0015DB28
TranslateMessage.USER32(?), ref: 0015DB7B
DispatchMessageW.USER32(?), ref: 0015DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0015DB9F
Sleep.KERNEL32(0000000A), ref: 0015DBB1

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 437f50303dabf0e22ddf9bd009698b027e19bf35d8c1c24558d75e64be7184b3
Instruction ID: 9eef2bd8b21c24a71ea063b0ad71f7351fae7f4cc0c81e5461f4bfac29f06e6a
Opcode Fuzzy Hash: 437f50303dabf0e22ddf9bd009698b027e19bf35d8c1c24558d75e64be7184b3
Instruction Fuzzy Hash: C0422434608341EFD739CF24D884BAAB7E1BF56315F14851DF8668B2A1D770E888CB92

Function 00152CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00152D07
RegisterClassExW.USER32(00000030), ref: 00152D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00152D42
InitCommonControlsEx.COMCTL32(?), ref: 00152D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00152D6F
LoadIconW.USER32(000000A9), ref: 00152D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00152D94

Strings

0, xrefs: 00152CE9
AutoIt v3 GUI, xrefs: 00152D23
+, xrefs: 00152CF0
TaskbarCreated, xrefs: 00152D37

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 393e87357262f625bcd433c5f229192c53d5805d20eff818350458c81381a417
Instruction ID: f220f92beb78e75089e2b27634b59152673c77134e32fc2e4ae806c0524f9357
Opcode Fuzzy Hash: 393e87357262f625bcd433c5f229192c53d5805d20eff818350458c81381a417
Instruction Fuzzy Hash: E521B2B5D01258AFDB10DFE8ED89A9DBBB4FB08704F00511AF911AA2A0D7B14596CF91

Function 0019065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0019039A: CreateFileW.KERNELBASE(00000000,00000000,?,00190704,?,?,00000000,?,00190704,00000000,0000000C), ref: 001903B7

GetLastError.KERNEL32 ref: 0019076F
__dosmaperr.LIBCMT ref: 00190776
GetFileType.KERNELBASE(00000000), ref: 00190782
GetLastError.KERNEL32 ref: 0019078C
__dosmaperr.LIBCMT ref: 00190795
CloseHandle.KERNEL32(00000000), ref: 001907B5
CloseHandle.KERNEL32(?), ref: 001908FF
GetLastError.KERNEL32 ref: 00190931
__dosmaperr.LIBCMT ref: 00190938

Strings

H, xrefs: 001908BD

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: dd29e7648831ef77aae96efeb2537e84f0c64d52af1e53b066db5272329f35da
Instruction ID: 896c7a75568dfb04cb60b2deaf355aae5e2707f52066c283392bd72e4042ca27
Opcode Fuzzy Hash: dd29e7648831ef77aae96efeb2537e84f0c64d52af1e53b066db5272329f35da
Instruction Fuzzy Hash: 60A12632A041449FDF1AEFA8DC95BAE7BA1AB0A320F14415DF8159F392DB319D13CB91

Function 0015344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00153A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00221418,?,00152E7F,?,?,?,00000000), ref: 00153A78

Part of subcall function 00153357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00153379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0015356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0019318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 001931CE
RegCloseKey.ADVAPI32(?), ref: 00193210
_wcslen.LIBCMT ref: 00193277
_wcslen.LIBCMT ref: 00193286

Strings

Software\AutoIt v3\AutoIt, xrefs: 00153560
Include, xrefs: 00193184, 001931C5
\, xrefs: 0019328C
\Include\, xrefs: 00153527

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 518a2cbcdce32ae0157eb4f28ef9d508968f50778d7d8f8b6d3a90d4b9bb247f
Instruction ID: 387e2a8fa13d084288f1438e1125601ca0a7066f27d1997106f025b3993c0680
Opcode Fuzzy Hash: 518a2cbcdce32ae0157eb4f28ef9d508968f50778d7d8f8b6d3a90d4b9bb247f
Instruction Fuzzy Hash: 58717D71404301FEC724EFA5EC8586BBBE8FFA4340B80146EF955971A1EB359A4ECB52

Function 00152B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00152B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00152B9D
LoadIconW.USER32(00000063), ref: 00152BB3
LoadIconW.USER32(000000A4), ref: 00152BC5
LoadIconW.USER32(000000A2), ref: 00152BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00152BEF
RegisterClassExW.USER32(?), ref: 00152C40

Part of subcall function 00152CD4: GetSysColorBrush.USER32(0000000F), ref: 00152D07
Part of subcall function 00152CD4: RegisterClassExW.USER32(00000030), ref: 00152D31
Part of subcall function 00152CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00152D42
Part of subcall function 00152CD4: InitCommonControlsEx.COMCTL32(?), ref: 00152D5F
Part of subcall function 00152CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00152D6F
Part of subcall function 00152CD4: LoadIconW.USER32(000000A9), ref: 00152D85
Part of subcall function 00152CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00152D94

Strings

AutoIt v3, xrefs: 00152C2F
#, xrefs: 00152C16
0, xrefs: 00152C0F

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: c619eebd999e65a80e4f93fded6aea761491e80e4d3b47599afd59e7125f83f3
Instruction ID: 1304dc6d78f2f16c4ba3c4b46fe6eae8ac0fdc18bf6d3dc6ab4368f21da69224
Opcode Fuzzy Hash: c619eebd999e65a80e4f93fded6aea761491e80e4d3b47599afd59e7125f83f3
Instruction Fuzzy Hash: 0021FA71E00354BBDB20DFE5FC99E9D7FB6FB58B50F0410AAE500A66A0D7B105528F90

Function 0015B710 Relevance: 16.3, APIs: 1, Strings: 8, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0015BB4E

Strings

p%", xrefs: 0015BB32
p%", xrefs: 0015B8DC
p#", xrefs: 001A024F
p#", xrefs: 001A0263
p#", xrefs: 0015BA72
x#", xrefs: 001A0168
x#", xrefs: 001A0207
p#", xrefs: 0015BB6B

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Init_thread_footer
String ID: p#"$p#"$p#"$p#"$p%"$p%"$x#"$x#"
API String ID: 1385522511-472378502
Opcode ID: 7abff7bf65060766a63e7eef82b098bbab0be1f8c675337e5d3d93a565e489b1
Instruction ID: ea858f5c6a0ce23db74ff6d3d8262d06f45044c58e647233fbd964ba8a41ae3d
Opcode Fuzzy Hash: 7abff7bf65060766a63e7eef82b098bbab0be1f8c675337e5d3d93a565e489b1
Instruction Fuzzy Hash: CC32EB78A08209EFCB24CF54C884ABAB7B9FF49301F158059ED25AF291C775ED49CB91

Function 00153170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0015316A,?,?), ref: 001531D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0015316A,?,?), ref: 00153204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00153227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0015316A,?,?), ref: 00153232
CreatePopupMenu.USER32 ref: 00153246
PostQuitMessage.USER32(00000000), ref: 00153267

Strings

TaskbarCreated, xrefs: 0015322D

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: b0f331cab91a1ba589bef847fbeb9a3e474c748e66f85cc96c5cb3523cfc6dbe
Instruction ID: 389454fc490a789ce3d0748bcb41b302b47e659529619440398dac85b043004b
Opcode Fuzzy Hash: b0f331cab91a1ba589bef847fbeb9a3e474c748e66f85cc96c5cb3523cfc6dbe
Instruction Fuzzy Hash: 36416B34600644FBDF286BF8AC8DF7D3A5AE715382F040125FD318F1A1CB718A9997A1

Function 0015DFD0 Relevance: 15.4, APIs: 2, Strings: 6, Instructions: 1414COMMON

Download Yara Rule

Strings

D%"D%", xrefs: 0015E27E
D%", xrefs: 0015E4B1
D%", xrefs: 0015E1E0
D%", xrefs: 001A302D
Variable must be of type 'Object'., xrefs: 001A32B7
D%", xrefs: 001A2FDA

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID:
String ID: D%"$D%"$D%"$D%"$D%"D%"$Variable must be of type 'Object'.
API String ID: 0-2232411389
Opcode ID: 6a34b79ce7e406268740b442feeff3619e34674316337c3e061ec1706205c8a6
Instruction ID: 35e466c78d2816cd3f2abdd6d4dc664f1d3f82cf47a0d9dfad153ee2f59ce889
Opcode Fuzzy Hash: 6a34b79ce7e406268740b442feeff3619e34674316337c3e061ec1706205c8a6
Instruction Fuzzy Hash: A2C29C75E00204DFCB28CF98D884BADB7F1BF19311F258159E925AB291D331EE5ACB91

Function 016D9DE0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 016D9EB1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 016DA0D7

Memory Dump Source

Source File: 00000000.00000002.1370353485.00000000016D7000.00000040.00000020.00020000.00000000.sdmp, Offset: 016D7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d7000_Payment 01.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
Instruction ID: f1f03afd0d70e460e0467334228540f9f4c458ff758c346abbde68635aab7a43
Opcode Fuzzy Hash: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
Instruction Fuzzy Hash: B1A10670E04209EBDB14CFE8C994BEEBBB5BF48308F208599E505BB281D7759A41CF95

Function 00152C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00152C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00152CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00151CAD,?), ref: 00152CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00151CAD,?), ref: 00152CCF

Strings

AutoIt v3, xrefs: 00152C89, 00152C8E, 00152C8F
edit, xrefs: 00152CAC

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 609bedc9f948df990950406489f3f230b16dc9bb547066eab377f04b45e4842f
Instruction ID: b3610b9807e9c10911eb4002153c4be3c31df604297b6eb06743b222432c2d5d
Opcode Fuzzy Hash: 609bedc9f948df990950406489f3f230b16dc9bb547066eab377f04b45e4842f
Instruction Fuzzy Hash: 6BF03A759403D47AEB304797BC4CE7B3EBED7DAF50B0110AAF900A65A0C2710862DAB0

Function 016D9BA0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 149
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 016D9A90: Sleep.KERNELBASE(000001F4), ref: 016D9AA1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 016D9CD2

Strings

SGNKV1O26UXEOK61UTJPIYQI2Q4, xrefs: 016D9D35, 016D9D38

Memory Dump Source

Source File: 00000000.00000002.1370353485.00000000016D7000.00000040.00000020.00020000.00000000.sdmp, Offset: 016D7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d7000_Payment 01.jbxd

Similarity

API ID: CreateFileSleep
String ID: SGNKV1O26UXEOK61UTJPIYQI2Q4
API String ID: 2694422964-3441870279
Opcode ID: f5f50d73c85ce3ed760b089f7505cfc2436e6900a037a63ba721ac904262ed1b
Instruction ID: 935a0c804e53805205066a0dd034288c3e498949852d5f4d1f5a33c8e79ae7b8
Opcode Fuzzy Hash: f5f50d73c85ce3ed760b089f7505cfc2436e6900a037a63ba721ac904262ed1b
Instruction Fuzzy Hash: D8518231D04288EAEF11DBA4CC58BEFBBB5AF19304F044199D6497B2C1D7B90B49CB66

Function 00153B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00153B0F,SwapMouseButtons,00000004,?), ref: 00153B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00153B0F,SwapMouseButtons,00000004,?), ref: 00153B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00153B0F,SwapMouseButtons,00000004,?), ref: 00153B83

Strings

Control Panel\Mouse, xrefs: 00153B3E

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: f48dbbc770470e6fda1ec9a14b0e8887d808ae09f95cbef7ccf183ce99fb5b9c
Instruction ID: f0334f4aea488dab96224e12e8b01e6d658bb8a024b8cbc38965afd9d38cb95c
Opcode Fuzzy Hash: f48dbbc770470e6fda1ec9a14b0e8887d808ae09f95cbef7ccf183ce99fb5b9c
Instruction Fuzzy Hash: F1112AB5510218FFDB21CFA5DC84AAEB7B8EF44785B104459F825DB110D3319F4597A0

Function 016D8A90 Relevance: 6.7, APIs: 4, Instructions: 720
processthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 016D92BD
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 016D92E1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 016D9303

Memory Dump Source

Source File: 00000000.00000002.1370353485.00000000016D7000.00000040.00000020.00020000.00000000.sdmp, Offset: 016D7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d7000_Payment 01.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: e3f14b9100784c2d13b4d96e4da997e342e741b63af52aad6d222721779d43e7
Instruction ID: df93faf6f69fe145c7942b748686b5b45af2ccf9e961c0bd4d0abc5646921a8c
Opcode Fuzzy Hash: e3f14b9100784c2d13b4d96e4da997e342e741b63af52aad6d222721779d43e7
Instruction Fuzzy Hash: 0862E930E142589AEB24CFA4CC50BDEB776EF58304F1091A9D20DEB394E7769E81CB59

Function 00153923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 001933A2

Part of subcall function 00156B57: _wcslen.LIBCMT ref: 00156B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00153A04

Strings

Line: , xrefs: 001933EB

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: c1a55154927985d95d6dc02297fd520a351f402f04ecfaadf0a3e1a76482d0d8
Instruction ID: 45db604e97f9be54285074f500d90cd7ba81e5562891da5f36c691529aec36c2
Opcode Fuzzy Hash: c1a55154927985d95d6dc02297fd520a351f402f04ecfaadf0a3e1a76482d0d8
Instruction Fuzzy Hash: B031D071408304EAC725EB60EC45FEBB7E8AB64355F00496AF9B98B091DB70965DC7C2

Function 00152DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00192C8C

Part of subcall function 00153AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00153A97,?,?,00152E7F,?,?,?,00000000), ref: 00153AC2

Part of subcall function 00152DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00152DC4

Strings

X, xrefs: 00192C5A
`e!, xrefs: 00192C85

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`e!
API String ID: 779396738-4247064546
Opcode ID: b61e56b9f93613f5df470afa4b12179bcfd770656f9c41f8629f370578f00c78
Instruction ID: 23da9e6a72118012514a764e8b9dee6ff7fd8b9a096deeb11fa974ccc1de7399
Opcode Fuzzy Hash: b61e56b9f93613f5df470afa4b12179bcfd770656f9c41f8629f370578f00c78
Instruction Fuzzy Hash: 4F21C671A10258AFDF01DF94C849BEE7BF8AF59305F004059E815AB241DBB4558DCBA1

Function 0016FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00170668

Part of subcall function 001732A4: RaiseException.KERNEL32(?,?,?,0017068A,?,00221444,?,?,?,?,?,?,0017068A,00151129,00218738,00151129), ref: 00173304

__CxxThrowException@8.LIBVCRUNTIME ref: 00170685

Strings

Unknown exception, xrefs: 00170692

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 74b1f0236fa26702e3205815963ea2cdb4fac2bb2d48f05228676e405ea36782
Instruction ID: db31edd7bda9dbad8db7d786f4887efe2cb9241e137d192a7372764bbf91e7e1
Opcode Fuzzy Hash: 74b1f0236fa26702e3205815963ea2cdb4fac2bb2d48f05228676e405ea36782
Instruction Fuzzy Hash: 95F0C23490030DB7CB05BAA4EC96C9E7BBC5E64350B60C135B82C965D2EF71EB76C980

Function 001D7F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 001D82F5
TerminateProcess.KERNEL32(00000000), ref: 001D82FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 001D84DD

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 911d74d78cc79994a17ab70aacaec80d2a5f841ddf8ee89317924f1190dd7265
Instruction ID: 757195486f09686e86e797024616ed5b770520ee1ef69a45ab9e1ffaa077e586
Opcode Fuzzy Hash: 911d74d78cc79994a17ab70aacaec80d2a5f841ddf8ee89317924f1190dd7265
Instruction Fuzzy Hash: EC125B719083419FC714DF28C484B6ABBE5BF99314F04895EE8998B392DB31E946CB92

Function 001510F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00151BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00151BF4
Part of subcall function 00151BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00151BFC
Part of subcall function 00151BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00151C07
Part of subcall function 00151BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00151C12
Part of subcall function 00151BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00151C1A
Part of subcall function 00151BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00151C22

Part of subcall function 00151B4A: RegisterWindowMessageW.USER32(00000004,?,001512C4), ref: 00151BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0015136A
OleInitialize.OLE32 ref: 00151388
CloseHandle.KERNEL32(00000000,00000000), ref: 001924AB

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 2054f7988b704262271a2bdcbc1e2a08f23171d050befb70204785570737961e
Instruction ID: b7e3722a0c2ae6b87b1220d582af9d9f125d0cca09defd9e3b1e8167a2f9fc4c
Opcode Fuzzy Hash: 2054f7988b704262271a2bdcbc1e2a08f23171d050befb70204785570737961e
Instruction Fuzzy Hash: 4171D1B4811244BED7A4EFF9BD89E553AE0BBB834439462BAD41ACB261E7344437CF41

Function 001886AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,001885CC,?,00218CC8,0000000C), ref: 00188704
GetLastError.KERNEL32(?,001885CC,?,00218CC8,0000000C), ref: 0018870E
__dosmaperr.LIBCMT ref: 00188739

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: fe54fc5881fbe1bb2b9ba0caba8ad4ec6a26aa326cad3875413a445b5667cc96
Instruction ID: e18fbbcb7a22c04552bfd8c4311a74cff24dfe44b4008bbd8a2a9dba4590c955
Opcode Fuzzy Hash: fe54fc5881fbe1bb2b9ba0caba8ad4ec6a26aa326cad3875413a445b5667cc96
Instruction Fuzzy Hash: AA018932A0466026C3347374A889B7E275A9B92774F79011DFC188B1D3EFA0DE828F90

Function 00161310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 001617F6

Strings

CALL, xrefs: 001617C6

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 5116e1678f8c7be137c016c4d35ce5f696504fdaa82e1790097c2e581240d0c1
Instruction ID: e62a7f3171b7e9c9f78c7abf41bc3218ac573b2289cfa89c4ddb93691e861322
Opcode Fuzzy Hash: 5116e1678f8c7be137c016c4d35ce5f696504fdaa82e1790097c2e581240d0c1
Instruction Fuzzy Hash: 93229C74608341EFC714DF14C884A2ABBF1BF9A314F19895DF49A8B361D771E865CB82

Function 00153837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00153908

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: bf5512c0029c98896f892e4a8930ac1ae1fbeda0acfdf5a615a9c0a76a8bbe44
Instruction ID: a4d6993749833659bc8b2e26ca2dc6817443b920e4babc63e1648584db71ec1c
Opcode Fuzzy Hash: bf5512c0029c98896f892e4a8930ac1ae1fbeda0acfdf5a615a9c0a76a8bbe44
Instruction Fuzzy Hash: 4C31C370504300DFD721DF64D884B97BBE4FB59349F00096EF9B98B240E771AA58CB52

Function 00155745 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0015949C,?,00008000), ref: 00155773
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,0015949C,?,00008000), ref: 00194052

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: fe784b0afee8b0c68e2a3dd27b28c1b96d28e477fb176ad2ac95b17a822f601e
Instruction ID: 18399e9a5f507f7fe2313f86503f05fec8529435b9f21520834aed59db488917
Opcode Fuzzy Hash: fe784b0afee8b0c68e2a3dd27b28c1b96d28e477fb176ad2ac95b17a822f601e
Instruction Fuzzy Hash: 69018030145225F6E7305A6ACC0EF977F99EF067B1F148200BEAC5E1E1C7B45855CB90

Function 016D8A8D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 016D92BD
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 016D92E1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 016D9303

Memory Dump Source

Source File: 00000000.00000002.1370353485.00000000016D7000.00000040.00000020.00020000.00000000.sdmp, Offset: 016D7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d7000_Payment 01.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
Instruction ID: 99543e6c6c48dfaf9ca44bb3597cfb29b1405748a5ae7644b3a601a34db7982c
Opcode Fuzzy Hash: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
Instruction Fuzzy Hash: BB12C024E24658C6EB24DF64D8507DEB232EF68300F1094E9910DEB7A5E77A4F81CF5A

Function 001D709C Relevance: 1.8, APIs: 1, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 87d7822eff0b8cce6a4ecc467edff627c208dc868ff73914e9f9e980dd9408ef
Instruction ID: f0a9f8931c149a52bfe8cb8093fd34550cff8d7bccf6f93375fc1bb1e8c95c3e
Opcode Fuzzy Hash: 87d7822eff0b8cce6a4ecc467edff627c208dc868ff73914e9f9e980dd9408ef
Instruction Fuzzy Hash: 07D16C75A04209EFCB14EF98D881DAEBBB5FF58310F14415AE915AB391EB30AD85CF90

Function 0016FC70 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0016FD1F

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 2fde72b48f03e580a4ba6bbb1022041e7a8e18f57e1c66ff8e0f4b6389d84fd6
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 7431E675A00109DBC718CF59E880969F7A6FF49310B2586A9E809CF655D731EDE2DBC0

Function 00154ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00154E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00154EDD,?,00221418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00154E9C
Part of subcall function 00154E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00154EAE
Part of subcall function 00154E90: FreeLibrary.KERNEL32(00000000,?,?,00154EDD,?,00221418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00154EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00221418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00154EFD

Part of subcall function 00154E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00193CDE,?,00221418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00154E62
Part of subcall function 00154E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00154E74
Part of subcall function 00154E59: FreeLibrary.KERNEL32(00000000,?,?,00193CDE,?,00221418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00154E87

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: f32eeda59d358b207b6d847c99ae75751666db2f49ae4877ae19baa38fbebb68
Instruction ID: 501098067aefdcdbef2e4c27f7a51e3fbaababab33a5ad6c587006d69eddd621
Opcode Fuzzy Hash: f32eeda59d358b207b6d847c99ae75751666db2f49ae4877ae19baa38fbebb68
Instruction Fuzzy Hash: DE112731600205EBCF14AB68DC03FAD77A59F60716F10842EF962AE1C1EF749A899B90

Function 00188402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00188440

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 80122547a7aed2b4037712062a4c4b51d6ddb010f8cf338af3cda2cc05d62ff4
Instruction ID: 237f13ae5aae9d315b32253252335dde486ff305c5ad59a887ca06a2d954d51f
Opcode Fuzzy Hash: 80122547a7aed2b4037712062a4c4b51d6ddb010f8cf338af3cda2cc05d62ff4
Instruction Fuzzy Hash: 4C11187690410AAFCF15DF58E945A9A7BF5EF48314F114059FC08AB312DB31EA11CBA5

Function 0017E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 9192162ffa43677d8bf2b1cab57c54a852e11a505a80a1161616c7fa7224d287
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: F1F0F432510A14A6C7323A699C05B5A33F89F76334F218759F829931D2DB74D9028EA5

Function 00159CB3 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00159CBD

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: 10c9670d2fbedfdd3de16219deb42da2e1224f8142166eedce00cb261b24ac3f
Instruction ID: 55034eaec8795e807a6e160f945f61550f4479324f4438cba1dbde4e4d840ec4
Opcode Fuzzy Hash: 10c9670d2fbedfdd3de16219deb42da2e1224f8142166eedce00cb261b24ac3f
Instruction Fuzzy Hash: 14F0C8B3600700AFD7159F68DC06A67BBA4EB54760F10852EFA19CF1D1DB31E514C7A0

Function 00183820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00221444,?,0016FDF5,?,?,0015A976,00000010,00221440,001513FC,?,001513C6,?,00151129), ref: 00183852

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9ef2e33a7c6039a8854e25277eeb00b2972a405547d0d93aa9bd63c05781e6dd
Instruction ID: ca1e5ffeb78cbc3c9f5ffbcdd1f886644a5b74298dc14cf5c30ea4e0e75842e8
Opcode Fuzzy Hash: 9ef2e33a7c6039a8854e25277eeb00b2972a405547d0d93aa9bd63c05781e6dd
Instruction Fuzzy Hash: 24E06531601224A7D63137A69C05B9B3659AB53FB0F1D4225BC39A65D1DB21DF028BE1

Function 00154F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00221418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00154F6D

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: f06c731ea1d0295a420e8a1efd795d577c73adf9c90e477d90118cc40548df0d
Instruction ID: c274e3cab27d9c4fe7ca6e658373c3cfeed37e84bc4eb7e34f6a84454f370eab
Opcode Fuzzy Hash: f06c731ea1d0295a420e8a1efd795d577c73adf9c90e477d90118cc40548df0d
Instruction Fuzzy Hash: 9FF03071105751CFDB389F6CD490856B7F4AF1431E324897FE5EA8A511C7319888DF50

Function 001BCCFF Relevance: 1.5, APIs: 1, Instructions: 26fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,?,0019EE51,00213630,00000002), ref: 001BCD26

Part of subcall function 001BCC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,00000000,?,00000000,?,?,?,001BCD19,?,?,?), ref: 001BCC59
Part of subcall function 001BCC37: SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000001,?,001BCD19,?,?,?,?,0019EE51,00213630,00000002), ref: 001BCC6E
Part of subcall function 001BCC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,001BCD19,?,?,?,?,0019EE51,00213630,00000002), ref: 001BCC7A

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: File$Pointer$Write
String ID:
API String ID: 3847668363-0
Opcode ID: 3b46cf46b4c3d18e08ba69abad7954e8b323555b6a35ac55f584dcf7dce32c50
Instruction ID: feb73a49d3786d98551e36be0d093f963c02924b456361ae21ea13679f0f6c76
Opcode Fuzzy Hash: 3b46cf46b4c3d18e08ba69abad7954e8b323555b6a35ac55f584dcf7dce32c50
Instruction Fuzzy Hash: 89E0397A400604EFC7219F8ADD408AABBF8FFD4260710852FE99682510D3B1AA54DBA0

Function 00152DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00152DC4

Part of subcall function 00156B57: _wcslen.LIBCMT ref: 00156B6A

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 63b820c59a015440930083b23cc156460eca80ee5d47d6f3796c1450b1e73343
Instruction ID: 0f8d8b00ee095c2fad70037e07bc94a94d6d71952ed2b50350fbd9ea1d371ab0
Opcode Fuzzy Hash: 63b820c59a015440930083b23cc156460eca80ee5d47d6f3796c1450b1e73343
Instruction Fuzzy Hash: 1FE0CD726001245BCB1092989C06FEA77DDDFC8790F040071FD09D7248DA70ADC48590

Function 00152B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00153837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00153908

Part of subcall function 0015D730: GetInputState.USER32 ref: 0015D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00152B6B

Part of subcall function 001530F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0015314E

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 5e9e99f8fa916f4b233e9fd6b7814c16367fece52896a0e721133e716468c0fa
Instruction ID: 6a5e2ced6c320aa542ad8b84e63477d3500cb0dcd2ff9d8b2cef9be1383cd4d6
Opcode Fuzzy Hash: 5e9e99f8fa916f4b233e9fd6b7814c16367fece52896a0e721133e716468c0fa
Instruction Fuzzy Hash: 64E0262230024492C608BBB0B8528ADB7599BF1393F40153EF8768F1A3CF20459EC352

Function 0019039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00190704,?,?,00000000,?,00190704,00000000,0000000C), ref: 001903B7

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 92ad80be1a8b5e84785cd9e18822406134445285d4fa554f582d6f6398a23406
Instruction ID: 263ca8a7be3c85cdedb0e1741aa2d76239c49ba3c2e2e45523dbede234988dcb
Opcode Fuzzy Hash: 92ad80be1a8b5e84785cd9e18822406134445285d4fa554f582d6f6398a23406
Instruction Fuzzy Hash: A8D06C3204014DFBDF029F84DD46EDA3FAAFB48714F014000BE1856020C732E862AB91

Function 00151CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00151CBC

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: b3970d8e762584551636f77641a773482374235680d34a3536d592eef430d3c5
Instruction ID: 5095d367b59a5931935b5d184ef67e570825c68cac49f9b677528450d7295d32
Opcode Fuzzy Hash: b3970d8e762584551636f77641a773482374235680d34a3536d592eef430d3c5
Instruction Fuzzy Hash: 0AC09B35380345FFF23487C0BC4EF147755A75CB00F449001F609695E3C3A21471D690

Function 001C744A Relevance: 1.5, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 00155745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0015949C,?,00008000), ref: 00155773

GetLastError.KERNEL32(00000002,00000000), ref: 001C76DE

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: cd41094040e163791ede9c6f2841e24db059df6c4cccecf014898a85166d7297
Instruction ID: 3c01f7b87100c6e5047470e5d5a009fad584682f0d32c46d6e9139e1feb41262
Opcode Fuzzy Hash: cd41094040e163791ede9c6f2841e24db059df6c4cccecf014898a85166d7297
Instruction Fuzzy Hash: 98816A30608701DFCB14EF28C491B69B7E1AFA9315F04451DF8AA5B2A2DB70ED49CF92

Function 00156246 Relevance: 1.3, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,00000000,001924E0), ref: 00156266

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 5f9770a1e9a0d5798783402af04712fb0198edf1d06eab452319a6872e5c675a
Instruction ID: 407ced465182b985a460cf311753b8876f8a6ef6fdd5986af88028dcb0242020
Opcode Fuzzy Hash: 5f9770a1e9a0d5798783402af04712fb0198edf1d06eab452319a6872e5c675a
Instruction Fuzzy Hash: 80E0B675400B01CFC3318F1AE804412FBF5FFE13623214A2ED8F69A660D3B0588A8F90

Function 016D9A90 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 016D9AA1

Memory Dump Source

Source File: 00000000.00000002.1370353485.00000000016D7000.00000040.00000020.00020000.00000000.sdmp, Offset: 016D7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d7000_Payment 01.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 59b56913ddd98e3d7e03159fee951fcd7f92bc89b7c7b8f5051675d9ee4c0fce
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 2CE0E67594010DDFDF00EFB8D94969E7FB4EF04301F100165FD01D2281D6309D50CA62

Non-executed Functions

Function 001E9576 Relevance: 75.9, APIs: 39, Strings: 4, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00169BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00169BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 001E961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001E965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 001E969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001E96C9
SendMessageW.USER32 ref: 001E96F2
GetKeyState.USER32(00000011), ref: 001E978B
GetKeyState.USER32(00000009), ref: 001E9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001E97AE
GetKeyState.USER32(00000010), ref: 001E97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001E97E9
SendMessageW.USER32 ref: 001E9810
SendMessageW.USER32(?,00001030,?,001E7E95), ref: 001E9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 001E992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 001E9941
SetCapture.USER32(?), ref: 001E994A
ClientToScreen.USER32(?,?), ref: 001E99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 001E99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 001E99D6
ReleaseCapture.USER32 ref: 001E99E1
GetCursorPos.USER32(?), ref: 001E9A19
ScreenToClient.USER32(?,?), ref: 001E9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 001E9A80
SendMessageW.USER32 ref: 001E9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 001E9AEB
SendMessageW.USER32 ref: 001E9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 001E9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 001E9B4A
GetCursorPos.USER32(?), ref: 001E9B68
ScreenToClient.USER32(?,?), ref: 001E9B75
GetParent.USER32(?), ref: 001E9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 001E9BFA
SendMessageW.USER32 ref: 001E9C2B
ClientToScreen.USER32(?,?), ref: 001E9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 001E9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 001E9CDE
SendMessageW.USER32 ref: 001E9D01
ClientToScreen.USER32(?,?), ref: 001E9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 001E9D82

Part of subcall function 00169944: GetWindowLongW.USER32(?,000000EB), ref: 00169952

GetWindowLongW.USER32(?,000000F0), ref: 001E9E05

Strings

@GUI_DRAGID, xrefs: 001E997D
p#", xrefs: 001E9990
@U=u, xrefs: 001E965B, 001E96C9, 001E96F2, 001E97AE, 001E97E9, 001E9810, 001E9918, 001E9A80, 001E9AAE, 001E9AEB, 001E9B1A, 001E9BFA, 001E9C2B, 001E9CDE, 001E9D01
F, xrefs: 001E9D07

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$@U=u$F$p#"
API String ID: 3429851547-2754999434
Opcode ID: de314fda1e5eac13547d0908f68120e8627eed4996f8ec70c71ef000542ec713
Instruction ID: 279d97150fe9a2c962686be5d7b86b5a0e154bd01ffcf9c16e3175b489333b5b
Opcode Fuzzy Hash: de314fda1e5eac13547d0908f68120e8627eed4996f8ec70c71ef000542ec713
Instruction Fuzzy Hash: 91428C70604680AFD724CF66CC84EAEBBF5FF49310F14061AFA598B2A1D77198A5CF81

Function 001E4873 Relevance: 61.8, APIs: 33, Strings: 2, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 001E48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 001E4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 001E4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 001E494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 001E495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 001E497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 001E49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 001E49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 001E4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 001E4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 001E4A7E
IsMenu.USER32(?), ref: 001E4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001E4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001E4B20
GetWindowLongW.USER32(?,000000F0), ref: 001E4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 001E4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 001E4C82
wsprintfW.USER32 ref: 001E4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 001E4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 001E4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 001E4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 001E4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 001E4D5A

Strings

%d/%02d/%02d, xrefs: 001E4CA8
@U=u, xrefs: 001E48F3, 001E4908, 001E495C, 001E4A0F, 001E4A56, 001E4A7E, 001E4BE3, 001E4C82, 001E4CC9, 001E4D13, 001E4D33, 001E4E15, 001E4E4E, 001E4EA5, 001E4F10

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d$@U=u
API String ID: 4054740463-2764005415
Opcode ID: ea08b3a75722771f087bd87bfffeed9af1fc5dd61373ed9573a163c5e13e3775
Instruction ID: 79083e14ba169be7842d394b5b2c23bfa05bba7b125f48832ccfb2d3e4092715
Opcode Fuzzy Hash: ea08b3a75722771f087bd87bfffeed9af1fc5dd61373ed9573a163c5e13e3775
Instruction Fuzzy Hash: 9912F231A00684ABEB248F69DC49FAF7BF8EF49710F144129F916EB2E1D7749941CB50

Function 0016F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0016F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001AF474
IsIconic.USER32(00000000), ref: 001AF47D
ShowWindow.USER32(00000000,00000009), ref: 001AF48A
SetForegroundWindow.USER32(00000000), ref: 001AF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 001AF4AA
GetCurrentThreadId.KERNEL32 ref: 001AF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 001AF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 001AF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 001AF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 001AF4DE
SetForegroundWindow.USER32(00000000), ref: 001AF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 001AF4F6
keybd_event.USER32(00000012,00000000), ref: 001AF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 001AF50B
keybd_event.USER32(00000012,00000000), ref: 001AF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 001AF519
keybd_event.USER32(00000012,00000000), ref: 001AF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 001AF528
keybd_event.USER32(00000012,00000000), ref: 001AF52D
SetForegroundWindow.USER32(00000000), ref: 001AF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 001AF557

Strings

Shell_TrayWnd, xrefs: 001AF46F

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 1a57ac36e70ee863361d0286729292ccb6460a3fcfcb008be90bd732da5a462b
Instruction ID: 69f32ccf145a88b4cdcabd124d56a2d5d4e21a39452486ed25d48656a4cbcedd
Opcode Fuzzy Hash: 1a57ac36e70ee863361d0286729292ccb6460a3fcfcb008be90bd732da5a462b
Instruction Fuzzy Hash: 79314175B40258BFEB206BE55C89FBF7E6DEB45B50F100029FA00EA1D1C7B05942AAA0

Function 001B1201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 001B16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001B170D
Part of subcall function 001B16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 001B173A
Part of subcall function 001B16C3: GetLastError.KERNEL32 ref: 001B174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 001B1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 001B12A8
CloseHandle.KERNEL32(?), ref: 001B12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 001B12D1
GetProcessWindowStation.USER32 ref: 001B12EA
SetProcessWindowStation.USER32(00000000), ref: 001B12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 001B1310

Part of subcall function 001B10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,001B11FC), ref: 001B10D4
Part of subcall function 001B10BF: CloseHandle.KERNEL32(?,?,001B11FC), ref: 001B10E9

Strings

default, xrefs: 001B130B
, xrefs: 001B125A
Z!, xrefs: 001B1392
winsta0, xrefs: 001B12CC

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Z!
API String ID: 22674027-3215132610
Opcode ID: 444baa8cba430dc3f3e84362d8933e9d53d43d671c914f1e7d02ee1140e2e7a7
Instruction ID: 9105ee5edfa453d83b831d06af66bc9ea284ba980c8a85a69b11ae768dd9df97
Opcode Fuzzy Hash: 444baa8cba430dc3f3e84362d8933e9d53d43d671c914f1e7d02ee1140e2e7a7
Instruction Fuzzy Hash: F6818B71900249BFDF219FA4DC99FEE7BB9FF08704F154129F910A62A0DB718A95CB60

Function 001B0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001B10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 001B1114
Part of subcall function 001B10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,001B0B9B,?,?,?), ref: 001B1120
Part of subcall function 001B10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,001B0B9B,?,?,?), ref: 001B112F
Part of subcall function 001B10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,001B0B9B,?,?,?), ref: 001B1136
Part of subcall function 001B10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 001B114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 001B0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 001B0C00
GetLengthSid.ADVAPI32(?), ref: 001B0C17
GetAce.ADVAPI32(?,00000000,?), ref: 001B0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 001B0C6D
GetLengthSid.ADVAPI32(?), ref: 001B0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 001B0C8C
HeapAlloc.KERNEL32(00000000), ref: 001B0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 001B0CB4
CopySid.ADVAPI32(00000000), ref: 001B0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 001B0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 001B0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 001B0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001B0D45
HeapFree.KERNEL32(00000000), ref: 001B0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001B0D55
HeapFree.KERNEL32(00000000), ref: 001B0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001B0D65
HeapFree.KERNEL32(00000000), ref: 001B0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 001B0D78
HeapFree.KERNEL32(00000000), ref: 001B0D7F

Part of subcall function 001B1193: GetProcessHeap.KERNEL32(00000008,001B0BB1,?,00000000,?,001B0BB1,?), ref: 001B11A1
Part of subcall function 001B1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,001B0BB1,?), ref: 001B11A8
Part of subcall function 001B1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,001B0BB1,?), ref: 001B11B7

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 424fbaa48e33db09396dd5ce3b43a5bd04a0ec4b881c71cf12a0398e6243f98d
Instruction ID: e85c926202946918aaaaf372646a74cb385abfe11c4194fb40c47030a80f5435
Opcode Fuzzy Hash: 424fbaa48e33db09396dd5ce3b43a5bd04a0ec4b881c71cf12a0398e6243f98d
Instruction Fuzzy Hash: B2716B7690020AABDF11DFE4DC84BEFBBB8BF09310F044515F915AA1A1D771AA46CBA0

Function 001CEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(001ECC08), ref: 001CEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 001CEB37
GetClipboardData.USER32(0000000D), ref: 001CEB43
CloseClipboard.USER32 ref: 001CEB4F
GlobalLock.KERNEL32(00000000), ref: 001CEB87
CloseClipboard.USER32 ref: 001CEB91
GlobalUnlock.KERNEL32(00000000), ref: 001CEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 001CEBC9
GetClipboardData.USER32(00000001), ref: 001CEBD1
GlobalLock.KERNEL32(00000000), ref: 001CEBE2
GlobalUnlock.KERNEL32(00000000), ref: 001CEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 001CEC38
GetClipboardData.USER32(0000000F), ref: 001CEC44
GlobalLock.KERNEL32(00000000), ref: 001CEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 001CEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 001CEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 001CECD2
GlobalUnlock.KERNEL32(00000000), ref: 001CECF3
CountClipboardFormats.USER32 ref: 001CED14
CloseClipboard.USER32 ref: 001CED59

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 3fa127d3b071b0cdee6813af2fdf217bb8de672520feed363cba390c4ee90b52
Instruction ID: b52ee8486c02a4bbff46c1c70372c36913a94d289e6207ee75a2f7f202f06d9e
Opcode Fuzzy Hash: 3fa127d3b071b0cdee6813af2fdf217bb8de672520feed363cba390c4ee90b52
Instruction Fuzzy Hash: 2B619D342042429FD310EFA4DC85F7A77E4AFA4714F14451DF8669B2A2DB31DD8ACBA2

Function 001C698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 001C69BE
FindClose.KERNEL32(00000000), ref: 001C6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 001C6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 001C6A75

Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 001C6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 001C6ADF

Strings

%4d%02d%02d%02d%02d%02d%03d, xrefs: 001C6B32
%03d, xrefs: 001C6DA2
%4d, xrefs: 001C6BB1
%02d, xrefs: 001C6C00, 001C6C0A, 001C6C5A, 001C6CAA, 001C6CFA, 001C6D4A
%4d%02d%02d%02d%02d%02d, xrefs: 001C6B6A

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 9433981c6fa60b6bd09d1899411d78bbe4e89ce8750821182b9c379bdc67ce3f
Instruction ID: ede99f6efc3b507eb69c58265ab1bb8cc1c1694130bedb3542276015a1c5e269
Opcode Fuzzy Hash: 9433981c6fa60b6bd09d1899411d78bbe4e89ce8750821182b9c379bdc67ce3f
Instruction Fuzzy Hash: 0DD15071508300AEC314DBA4DC82EAFB7E8AFA8705F44491DF995CB191EB74DA48C7A2

Function 001C9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 001C9663
GetFileAttributesW.KERNEL32(?), ref: 001C96A1
SetFileAttributesW.KERNEL32(?,?), ref: 001C96BB
FindNextFileW.KERNEL32(00000000,?), ref: 001C96D3
FindClose.KERNEL32(00000000), ref: 001C96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 001C96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 001C974A
SetCurrentDirectoryW.KERNEL32(00216B7C), ref: 001C9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 001C9772
FindClose.KERNEL32(00000000), ref: 001C977F
FindClose.KERNEL32(00000000), ref: 001C978F

Strings

*.*, xrefs: 001C96F5

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: a0875ab335729fed06abc33b7698cacb29cdcf37b3b4eb0621efc9c2fbb20c7d
Instruction ID: 55954cf24a365900b1bbc544dc4939497ab7b6ea0c1479575ac82afad1bc5e79
Opcode Fuzzy Hash: a0875ab335729fed06abc33b7698cacb29cdcf37b3b4eb0621efc9c2fbb20c7d
Instruction Fuzzy Hash: 2731DF3254125AAACB14AFF4DC4DEDE77ACAF19320F104059E914E60A0DB70DE818E94

Function 001C979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 001C97BE
FindNextFileW.KERNEL32(00000000,?), ref: 001C9819
FindClose.KERNEL32(00000000), ref: 001C9824
FindFirstFileW.KERNEL32(*.*,?), ref: 001C9840
SetCurrentDirectoryW.KERNEL32(?), ref: 001C9890
SetCurrentDirectoryW.KERNEL32(00216B7C), ref: 001C98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 001C98B8
FindClose.KERNEL32(00000000), ref: 001C98C5
FindClose.KERNEL32(00000000), ref: 001C98D5

Part of subcall function 001BDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 001BDB00

Strings

*.*, xrefs: 001C983B

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: d95f823b25e9b20222e8a974e1e2374fc93aa01a22958857989c0ea7bc4a903f
Instruction ID: b41d630f7744eeec3afe4bd7041c9a53935a670594df71fe497f711e8abff7e2
Opcode Fuzzy Hash: d95f823b25e9b20222e8a974e1e2374fc93aa01a22958857989c0ea7bc4a903f
Instruction Fuzzy Hash: B831E13250069EAADB10AFB4EC4DFDE77ACAF26320F108159E914A30D1DB71DE858A64

Function 001C8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 001C8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 001C8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 001C8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 001C8310
SetCurrentDirectoryW.KERNEL32(?), ref: 001C8324
SetCurrentDirectoryW.KERNEL32(?), ref: 001C8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 001C838C
SetCurrentDirectoryW.KERNEL32(?), ref: 001C8395

Strings

*.*, xrefs: 001C839B

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 6517d764fe60f7c8030f16a84aac0dcb98d34eb60eeb5e5be57fe7dbc5f55f35
Instruction ID: 631fa9b0e7218815ae8d74771f6bacdd26f1ae552c13aeea003fb732116d9ff5
Opcode Fuzzy Hash: 6517d764fe60f7c8030f16a84aac0dcb98d34eb60eeb5e5be57fe7dbc5f55f35
Instruction Fuzzy Hash: 8D618D715143459FC710EF64D884EAEB3E8FFA9310F04881EF99987251EB31E949CB92

Function 001BD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00153AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00153A97,?,?,00152E7F,?,?,?,00000000), ref: 00153AC2

Part of subcall function 001BE199: GetFileAttributesW.KERNEL32(?,001BCF95), ref: 001BE19A

FindFirstFileW.KERNEL32(?,?), ref: 001BD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 001BD1DD
MoveFileW.KERNEL32(?,?), ref: 001BD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 001BD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 001BD237

Part of subcall function 001BD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,001BD21C,?,?), ref: 001BD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 001BD253
FindClose.KERNEL32(00000000), ref: 001BD264

Strings

\*.*, xrefs: 001BD0CD, 001BD0D6, 001BD0EB

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 6a1c9eb6883f785b28d795e33a76e2fc3ce502884f728340bcc768f61c1bf302
Instruction ID: 10f6049485debdbb7d8d068a47dae82dcce15a862d70293689e2f54112e65920
Opcode Fuzzy Hash: 6a1c9eb6883f785b28d795e33a76e2fc3ce502884f728340bcc768f61c1bf302
Instruction Fuzzy Hash: 4A616E3180114DEBCF09EBE0ED929EDB7B5AF25305F6041A5E8127B192EB309F49CB61

Function 001CED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 001CED91
EmptyClipboard.USER32 ref: 001CED97
GlobalAlloc.KERNEL32(00000002,?), ref: 001CEDAC
CloseClipboard.USER32 ref: 001CEEA3

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 4491312509fa7833efb0df3316c5a74ad42b492f25fb97aa9e21489763a5ca9c
Instruction ID: bc904c38d51d00df5a90d8906bfcdd02f592ed1869a5f704d955e96fb1c58be3
Opcode Fuzzy Hash: 4491312509fa7833efb0df3316c5a74ad42b492f25fb97aa9e21489763a5ca9c
Instruction Fuzzy Hash: DF419D31204251AFD720DF55D889F2ABBE1EF54358F14809DE8268FA62C735EC82CBD0

Function 001BE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 001B16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001B170D
Part of subcall function 001B16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 001B173A
Part of subcall function 001B16C3: GetLastError.KERNEL32 ref: 001B174A

ExitWindowsEx.USER32(?,00000000), ref: 001BE932

Strings

, xrefs: 001BE95C
@, xrefs: 001BE925
, xrefs: 001BE920
SeShutdownPrivilege, xrefs: 001BE902

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: d246d29cdf8dff98294542e5aa11ff17d8d71a180b02c0de9fedc5728404da5e
Instruction ID: 250e3ff05877f975ac3ae262b09e96de3e3dc1b2fbcee6b75fd64deb8ed9de82
Opcode Fuzzy Hash: d246d29cdf8dff98294542e5aa11ff17d8d71a180b02c0de9fedc5728404da5e
Instruction Fuzzy Hash: 3E01D673610311AFEB5826B49C8ABFF72DCAB14758F160422F913E61D1D7A05C8885D0

Function 001D1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 001D1276
WSAGetLastError.WSOCK32 ref: 001D1283
bind.WSOCK32(00000000,?,00000010), ref: 001D12BA
WSAGetLastError.WSOCK32 ref: 001D12C5
closesocket.WSOCK32(00000000), ref: 001D12F4
listen.WSOCK32(00000000,00000005), ref: 001D1303
WSAGetLastError.WSOCK32 ref: 001D130D
closesocket.WSOCK32(00000000), ref: 001D133C

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 33eb14acc38c5fa0b4f8b4d93dd902e12cf82fe67d35e261b38bb9d8f45fd821
Instruction ID: 2824b1ddf449cbe5d90ddc281371746f36721b56db1a5eca6484104ad14ef15a
Opcode Fuzzy Hash: 33eb14acc38c5fa0b4f8b4d93dd902e12cf82fe67d35e261b38bb9d8f45fd821
Instruction Fuzzy Hash: 89416E31600240BFD714DF64D9C4B29BBE6AF46318F288189E8568F392C771ED86CBE1

Function 0018B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0018B9D4
_free.LIBCMT ref: 0018B9F8
_free.LIBCMT ref: 0018BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,001F3700), ref: 0018BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0022121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0018BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00221270,000000FF,?,0000003F,00000000,?), ref: 0018BC36
_free.LIBCMT ref: 0018BD4B

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 67976a178e3b98c5b7a248e7408fe8c31daf7bfe46ae6a324c2ec6a51fd30686
Instruction ID: 2782d061b71345cf7349bb8c17baa7ebee3de4612e48d0593dbeca3664962830
Opcode Fuzzy Hash: 67976a178e3b98c5b7a248e7408fe8c31daf7bfe46ae6a324c2ec6a51fd30686
Instruction Fuzzy Hash: ABC11671908215AFDB24BF689CD1BAE7BB8EF61310F1442AAE894D7251EB309F41CF50

Function 001BD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00153AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00153A97,?,?,00152E7F,?,?,?,00000000), ref: 00153AC2

Part of subcall function 001BE199: GetFileAttributesW.KERNEL32(?,001BCF95), ref: 001BE19A

FindFirstFileW.KERNEL32(?,?), ref: 001BD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 001BD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 001BD481
FindClose.KERNEL32(00000000), ref: 001BD498
FindClose.KERNEL32(00000000), ref: 001BD4A1

Strings

\*.*, xrefs: 001BD3F2

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 3adcb1df1dbc5a6b9ec2020a8c79e0ce764c2ffa2d527d828f350de9c6262f68
Instruction ID: 8e1928faaa61526c1fe3562a54a7601e2343824e696ea88b82348d5551492a0a
Opcode Fuzzy Hash: 3adcb1df1dbc5a6b9ec2020a8c79e0ce764c2ffa2d527d828f350de9c6262f68
Instruction Fuzzy Hash: ED315071008385DBC304EF64D8918EF77E8BEA5315F844A2DF8E597191EB20AA0DC7A3

Function 0018E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0018E645

Strings

1#IND, xrefs: 0018F83D
1#SNAN, xrefs: 0018F844
1#QNAN, xrefs: 0018F84B
1#INF, xrefs: 0018F852

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 93cb1c46b9e5e13d8024ebc4a86ea0e8a6ec144539d1401132164a8017ee99bf
Instruction ID: 0d67b57e32c1b7215673050b53335ccb7e66ec660e97ca35eb17efe3af968a72
Opcode Fuzzy Hash: 93cb1c46b9e5e13d8024ebc4a86ea0e8a6ec144539d1401132164a8017ee99bf
Instruction Fuzzy Hash: E1C22A71E086288FDB29DE28DD447EAB7B5EB49305F1541EAD84DE7240E774AF828F40

Function 001C648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001C64DC
CoInitialize.OLE32(00000000), ref: 001C6639
CoCreateInstance.OLE32(001EFCF8,00000000,00000001,001EFB68,?), ref: 001C6650
CoUninitialize.OLE32 ref: 001C68D4

Strings

.lnk, xrefs: 001C64BA, 001C6524, 001C65E0

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 0d56d6de16557666e6cd5a1256cdffc43c6f15af98f598b152c8cdb2ab5babd3
Instruction ID: 9b8994dd53980e347a7bd9ef2b3789f0887e634f7e7562bfa3f5a9a73bbdb77e
Opcode Fuzzy Hash: 0d56d6de16557666e6cd5a1256cdffc43c6f15af98f598b152c8cdb2ab5babd3
Instruction Fuzzy Hash: 5BD13971508301AFC304EF24C881E6BB7E9FFA9705F50496DF9958B291EB70E949CB92

Function 001D22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 001D22E8

Part of subcall function 001CE4EC: GetWindowRect.USER32(?,?), ref: 001CE504

GetDesktopWindow.USER32 ref: 001D2312
GetWindowRect.USER32(00000000), ref: 001D2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 001D2355
GetCursorPos.USER32(?), ref: 001D2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 001D23DF

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 5cd8cd006655e815744ceaf1222fa96fc79b3939d7140bbd28bb6d39f21c4568
Instruction ID: f9c07c8710d9d9a2e10f417a60e3b8b817a5220b3e61fe86275b92693d15ae2f
Opcode Fuzzy Hash: 5cd8cd006655e815744ceaf1222fa96fc79b3939d7140bbd28bb6d39f21c4568
Instruction Fuzzy Hash: 9C31CF72504355ABCB20DF54CC45B9BB7E9FF98314F00091AF9959B281DB34E949CBD2

Function 001C9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 001C9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 001C9C8B

Part of subcall function 001C3874: GetInputState.USER32 ref: 001C38CB
Part of subcall function 001C3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001C3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 001C9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 001C9C75

Strings

*.*, xrefs: 001C9B5D

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 8557ce91e45e25c836292da9795a58483a07c9b7a621a403ec3ed5d08bba007c
Instruction ID: bfbe55b58f696b5d16cb5ea3b184bef5cf8e25d0ef12880b6e97f59811b68495
Opcode Fuzzy Hash: 8557ce91e45e25c836292da9795a58483a07c9b7a621a403ec3ed5d08bba007c
Instruction Fuzzy Hash: F7417E7190420AEBCF14DFA4C889FEEBBB4EF25311F204159E815A6191EB31DE85CBA4

Function 00158060 Relevance: 8.7, Strings: 6, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 0015843C
VUUU, xrefs: 001583FA
VUUU, xrefs: 00195DF0
VUUU, xrefs: 001583E8
ERCP, xrefs: 0015813C
93495959494652b79b45c580ec314c3236769213f14b3431552069d1b059504932252268893a406dfb3a213b5554454fa03a3c555c4a50a25c5c49365134d88ccf, xrefs: 0015839B, 001583A6

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID:
String ID: 93495959494652b79b45c580ec314c3236769213f14b3431552069d1b059504932252268893a406dfb3a213b5554454fa03a3c555c4a50a25c5c49365134d88ccf$ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-2236466466
Opcode ID: a280816d2047eeb631aab91fa2114c35197f7463e651139ff1a3ef53474c07a5
Instruction ID: 537a44b064c303331cce422b7ee4cd13fde73b36ce28a5fc3f9f3a82b083f821
Opcode Fuzzy Hash: a280816d2047eeb631aab91fa2114c35197f7463e651139ff1a3ef53474c07a5
Instruction Fuzzy Hash: 77A28070E0061ACBDF25CF58C9807ADB7B2BF54315F2581A9EC25BB285EB709D85CB50

Function 0016997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00169BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00169BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00169A4E
GetSysColor.USER32(0000000F), ref: 00169B23
SetBkColor.GDI32(?,00000000), ref: 00169B36

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 790e4faa0e81b3b50514defcbd69403a941cf8e452adcd6897fb16e8bf2a00ff
Instruction ID: 44a15f85a88c5a92fd172d527e7b4458376fb4b2c2849127a40e9710d6f2890e
Opcode Fuzzy Hash: 790e4faa0e81b3b50514defcbd69403a941cf8e452adcd6897fb16e8bf2a00ff
Instruction Fuzzy Hash: 40A10671208444BFE728AAAD9C9CE7F369DDB53300B16021AF502C76D1CB359E62C672

Function 001D1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 001D304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 001D307A
Part of subcall function 001D304E: _wcslen.LIBCMT ref: 001D309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 001D185D
WSAGetLastError.WSOCK32 ref: 001D1884
bind.WSOCK32(00000000,?,00000010), ref: 001D18DB
WSAGetLastError.WSOCK32 ref: 001D18E6
closesocket.WSOCK32(00000000), ref: 001D1915

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 524c8709c6816e60cba6a91478b6c1d9939614e38fd67cfebc168d441014fad2
Instruction ID: d3abde47b7a8b9bf9dbb6058febb4e778c510e69e17f0cf00898e8a0277756ac
Opcode Fuzzy Hash: 524c8709c6816e60cba6a91478b6c1d9939614e38fd67cfebc168d441014fad2
Instruction Fuzzy Hash: 2351A071A00200AFDB10EF64D886F2A77E5AB58718F48805DF9155F3D3DB71AD428BE1

Function 001BD5EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 001BD608
DeviceIoControl.KERNEL32(00000000,t.Windows.Common-Controls" version="6.0.0.0" language="*" processorArchitecture="*" publicKeyToken="6595b64144ccf1df"/> </dependentAssembly> </dependency> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges>,?,0000000C,?,00000028,?,00000000), ref: 001BD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 001BD650

Strings

t.Windows.Common-Controls" version="6.0.0.0" language="*" processorArchitecture="*" publicKeyToken="6595b64144ccf1df"/> </dependentAssembly> </dependency> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges>, xrefs: 001BD63F

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID: t.Windows.Common-Controls" version="6.0.0.0" language="*" processorArchitecture="*" publicKeyToken="6595b64144ccf1df"/> </dependentAssembly> </dependency> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges>
API String ID: 33631002-3738756521
Opcode ID: 72fe3e8a5982f03c42408e34d9e3032dc0a07cb69a7ed1a1128890ebd2fb647c
Instruction ID: 7accb0fec2b4bf41894f3732a82e6eabbd09bab834b209508cd83eb0436649da
Opcode Fuzzy Hash: 72fe3e8a5982f03c42408e34d9e3032dc0a07cb69a7ed1a1128890ebd2fb647c
Instruction Fuzzy Hash: 86113C75E05228BBDB148F95AC85FEFBFBCEB45B50F108115F904E7290D7704A058BA1

Function 001B8298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 001B82AA

Strings

tb!, xrefs: 001B84F4
|, xrefs: 001B82DA
(, xrefs: 001B82F0

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: lstrlen
String ID: ($tb!$|
API String ID: 1659193697-4054476356
Opcode ID: 237daa366bd53e7bf8398243008fb621946b6911fff3036d60ab0840a94e09dc
Instruction ID: 7ad4624306908a307f1f2c5d7fae134fb6b9cb67a3fa46e875f93df43a15572f
Opcode Fuzzy Hash: 237daa366bd53e7bf8398243008fb621946b6911fff3036d60ab0840a94e09dc
Instruction Fuzzy Hash: 02322775A00605DFC728DF59C481AAAB7F4FF48B10B15C56EE49ADB3A1EB70E981CB40

Function 001DA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 001DA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 001DA6BA

Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD

Process32NextW.KERNEL32(00000000,?), ref: 001DA79C
CloseHandle.KERNEL32(00000000), ref: 001DA7AB

Part of subcall function 0016CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00193303,?), ref: 0016CE8A

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: e5d3d9f7360322ac5f816b5851a1f4c86a0c502c3d8b5c1fda9cf03744d2cf7e
Instruction ID: f79779971db662369d5db8a15bece0f87c69b7aaf9b38d1ac70d47b540af7d7e
Opcode Fuzzy Hash: e5d3d9f7360322ac5f816b5851a1f4c86a0c502c3d8b5c1fda9cf03744d2cf7e
Instruction Fuzzy Hash: 31516C71508300EFD710EF24D886A6BBBE8FF99754F40491DF9999B252EB70D908CB92

Function 001BAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 001BAAAC
SetKeyboardState.USER32(00000080), ref: 001BAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 001BAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 001BAB88

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: f1c9dc47794938a000995dbf99f6b7e781b72d45a494111d35cd1099ae68ba98
Instruction ID: eba3e0e6f83b455b085a864aa64c0a34aea105aa19d058d50d192e65d19810a2
Opcode Fuzzy Hash: f1c9dc47794938a000995dbf99f6b7e781b72d45a494111d35cd1099ae68ba98
Instruction Fuzzy Hash: 58313730A80248AEFF35CB65CD45BFE7BAAAF48310F84421AF5A1961D0D3759D85C7A2

Function 001CCE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 001CCE89
GetLastError.KERNEL32(?,00000000), ref: 001CCEEA
SetEvent.KERNEL32(?,?,00000000), ref: 001CCEFE

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: f2bda7f1f5815093911e0c6cde5d56d7d7f2cdbc154b883f0d9a066105f9a64d
Instruction ID: f3dd7ab47a16324c9a616c4d148f51cfdbc35423217bfa8d4b534f5ebc07753e
Opcode Fuzzy Hash: f2bda7f1f5815093911e0c6cde5d56d7d7f2cdbc154b883f0d9a066105f9a64d
Instruction Fuzzy Hash: 3E21BD719003059BD720DFA5C988FAA7BF8EB61314F10841EE64AD6551E770EE45CBA0

Function 001BDBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00195222), ref: 001BDBCE
GetFileAttributesW.KERNEL32(?), ref: 001BDBDD
FindFirstFileW.KERNEL32(?,?), ref: 001BDBEE
FindClose.KERNEL32(00000000), ref: 001BDBFA

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 8ca1aac5982ec2a1784c3ff525446598cc6e5b3461bb71809edcd7d85cfb7ce7
Instruction ID: c9b63c0114dc520e3fbedca63bea8d9aed94008bfbd053fa7e804c1cc7e91434
Opcode Fuzzy Hash: 8ca1aac5982ec2a1784c3ff525446598cc6e5b3461bb71809edcd7d85cfb7ce7
Instruction Fuzzy Hash: BAF0A0308109109782246BB8AC4E8AE3B6D9F06334B10470AF936C24E0FBB05D9686D5

Function 00182622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0018271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00182724
UnhandledExceptionFilter.KERNEL32(?), ref: 00182731

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 87c4ecdf8546e1b95c3ea30659d5f79569a847b4fd813c0876e129ec67fcf48b
Instruction ID: 2e0e93659f5268022adf931b90bcf71c4fe7f2d16c43b9cb06fd36b2f5620cf3
Opcode Fuzzy Hash: 87c4ecdf8546e1b95c3ea30659d5f79569a847b4fd813c0876e129ec67fcf48b
Instruction Fuzzy Hash: D031B474951328ABCB21DF64DC8979DB7B8BF18310F5081EAE81CA7261E7309F818F45

Function 001C51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001C51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 001C5238
SetErrorMode.KERNEL32(00000000), ref: 001C52A1

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: e8e668b4601b23c38ce0f574e84d22a172d85f3a5361bcd5f7c4d69853ceca44
Instruction ID: 765cc65b53c6edbaf20f4e4f7ae455fe4d61f71e1ba2a6f387c559e3cbd989ca
Opcode Fuzzy Hash: e8e668b4601b23c38ce0f574e84d22a172d85f3a5361bcd5f7c4d69853ceca44
Instruction Fuzzy Hash: 9A310975A00618DFDB00DF94D884EADBBF5FF59314F048099E805AF2A2DB31E85ACB91

Function 001B16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0016FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00170668
Part of subcall function 0016FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00170685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001B170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 001B173A
GetLastError.KERNEL32 ref: 001B174A

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 94d2036cd7fb16b389652e10f09e4eb6d20296c460d0340bf5f61c74af9be33c
Instruction ID: dc4db161f5a45bd7269fa87509e9129cad179ef4441af2565a9f268150a024c3
Opcode Fuzzy Hash: 94d2036cd7fb16b389652e10f09e4eb6d20296c460d0340bf5f61c74af9be33c
Instruction Fuzzy Hash: 991191B2404304BFD718AF94ECC6DABB7BDEB45714B21852EF45657681EB70BC428B60

Function 001B1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 001B168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 001B16A1
FreeSid.ADVAPI32(?), ref: 001B16B1

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: c6644a2e5a34488b4a3a10b85e61d13284a20a88ecec5c5820418322c17872f2
Instruction ID: f0c3502245d358522e38f40fb83de7eb29c0cabb3634b64058d89c4596c47703
Opcode Fuzzy Hash: c6644a2e5a34488b4a3a10b85e61d13284a20a88ecec5c5820418322c17872f2
Instruction Fuzzy Hash: FDF0F475950309FBDB00DFE49C89AAEBBBCFB08704F504565E501E6181E774AA448A90

Function 00174CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(001828E9,?,00174CBE,001828E9,002188B8,0000000C,00174E15,001828E9,00000002,00000000,?,001828E9), ref: 00174D09
TerminateProcess.KERNEL32(00000000,?,00174CBE,001828E9,002188B8,0000000C,00174E15,001828E9,00000002,00000000,?,001828E9), ref: 00174D10
ExitProcess.KERNEL32 ref: 00174D22

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: dfa6e6311f33323395abbf339abff63f72ffdd7b3eda6dc1f8acb25304a6499f
Instruction ID: 1c807072b102770047d93a06dc622fd4619fab239725dec4ea4504903891d686
Opcode Fuzzy Hash: dfa6e6311f33323395abbf339abff63f72ffdd7b3eda6dc1f8acb25304a6499f
Instruction Fuzzy Hash: 93E0B631000188AFCF21AFD4DD59A583B79FB61781B158014FC599A522DB35EE92CB80

Function 0018C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0018C36C

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 62b03a0e87ac17ad6016b4d326925409cfe5a9df6993710f76196f8043516481
Instruction ID: d3d1ee18ba1b9f84214412e078655f2e0ed3d9bcde84cfab2ddd7157bc629cd6
Opcode Fuzzy Hash: 62b03a0e87ac17ad6016b4d326925409cfe5a9df6993710f76196f8043516481
Instruction Fuzzy Hash: 61410876500219ABCB24AFB9DC49EBB7779FB84354F504269F905D7180E7709E818FA0

Function 001AD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 001AD28C

Strings

X64, xrefs: 001AD2A8

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 8d96aa1334d777ada449dcaff991e04b4b3da82e6d1f975c5c6701caa68e7455
Instruction ID: da603a9316b1ca49e03ba00c6a7ae9b626bed7a79e83e9d299d45527a55fb86a
Opcode Fuzzy Hash: 8d96aa1334d777ada449dcaff991e04b4b3da82e6d1f975c5c6701caa68e7455
Instruction Fuzzy Hash: E2D0C9B880111DEACB94DB90ECC8DDEB37CBB04305F110152F506A2000DB3095498F50

Function 0017CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 353e45805d69377230ec44f27d0e511099c3c35a3d332279eba0220d56fcbe14
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 06021B71E002199BDF24CFA9C8906ADFBF1EF58314F25816ED919E7384D731AA418BD4

Function 0015CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 001A0C40
p#", xrefs: 0015CF7F

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#"
API String ID: 0-2226386633
Opcode ID: 3ba75b3c5bf2b76f5ded02ecedf849f24a60799d682b3f103f564bfdb0b9863d
Instruction ID: e6788ab9e68f919d5ae92f26a5c0e20fefbddc94f7d5f6762ae3879121acd0a4
Opcode Fuzzy Hash: 3ba75b3c5bf2b76f5ded02ecedf849f24a60799d682b3f103f564bfdb0b9863d
Instruction Fuzzy Hash: 6B327974900318DFCF19DF94C881AEDB7B5BF1A305F144059E826AF292D775AE49CBA0

Function 001C68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 001C6918
FindClose.KERNEL32(00000000), ref: 001C6961

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: aedafde08dcd7b9990856c0ba85b717a0798850d58ce5772da3595ed1b633e8b
Instruction ID: cb8cebed15263defe83a7d9a38091470666a780f663452734b99ad9b7b08e580
Opcode Fuzzy Hash: aedafde08dcd7b9990856c0ba85b717a0798850d58ce5772da3595ed1b633e8b
Instruction Fuzzy Hash: 8311BE316042019FC710CF69D885E1ABBE1EF98329F04C69DE8698F6A2C730EC45CBD0

Function 001C37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,001D4891,?,?,00000035,?), ref: 001C37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,001D4891,?,?,00000035,?), ref: 001C37F4

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 649a568e95372d558c5bb00017136e765842fca748a510eeaa05256f533d29b8
Instruction ID: 0d806c60f141454299a9fe1ae095506f788598809ec2eb0a897d291245ee0e3b
Opcode Fuzzy Hash: 649a568e95372d558c5bb00017136e765842fca748a510eeaa05256f533d29b8
Instruction Fuzzy Hash: EFF0E5B16043296AEB2017A68C8DFEB7AAEEFC5761F000165F519D2281DA609944C6F0

Function 001BB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 001BB25D
keybd_event.USER32(?,753DC0D0,?,00000000), ref: 001BB270

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 16937ffffb7f8227e6ae5d8b96f983665ccdfd3369cf2b1fe3b19ca9929b5d94
Instruction ID: 181517e38a4b2ff027b0b3c224695ee2eec24733d1d80b23ac04a90051dec9d6
Opcode Fuzzy Hash: 16937ffffb7f8227e6ae5d8b96f983665ccdfd3369cf2b1fe3b19ca9929b5d94
Instruction Fuzzy Hash: 6CF01D7190428EABDB059FA1C845BEE7BB4FF04305F008049F965A9191C379D6519F94

Function 001B10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,001B11FC), ref: 001B10D4
CloseHandle.KERNEL32(?,?,001B11FC), ref: 001B10E9

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 0f05c0d7edc46ddefa2b4b115e2539b28a7e91323d9c116bcc2fbed42d038ef3
Instruction ID: 226fd330bbba92d0709267fe84b32f6bfd97537d7d80a80ee7159cb8d4d119a5
Opcode Fuzzy Hash: 0f05c0d7edc46ddefa2b4b115e2539b28a7e91323d9c116bcc2fbed42d038ef3
Instruction Fuzzy Hash: 67E04F32004600AEE7252B51FC05EB77BA9FB04310B10882EF4A5844B1DB626CE1DB50

Function 0018676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00186766,?,?,00000008,?,?,0018FEFE,00000000), ref: 00186998

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 7efdca6b6de1e8e9f838ceb9e88d152baab41f40cf381180628403ae2db99702
Instruction ID: 9bfe75c222f64e5ec982550b100e19866e543599ca4d78efbf4873f1714a709b
Opcode Fuzzy Hash: 7efdca6b6de1e8e9f838ceb9e88d152baab41f40cf381180628403ae2db99702
Instruction Fuzzy Hash: 7EB13B31610609DFD719DF28C48AB657BE0FF45368F258658E89ACF2A2C735EA91CF40

Function 0016B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 001A851F

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 82aa001afdb5d6f65a5e020ab521dfae21cd02f4d58943eac68545285ed04267
Instruction ID: 313af184affb30cb9f5ea653d44c337edcd3bb2866dcfb1bbdad865218d7e918
Opcode Fuzzy Hash: 82aa001afdb5d6f65a5e020ab521dfae21cd02f4d58943eac68545285ed04267
Instruction Fuzzy Hash: E0124075D042299BDB24CF58C8807EEB7F5FF48710F1581AAE849EB255EB309E91CB90

Function 001CEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 001CEABD

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: bcf00c57f613047c4544b588b4e39f11e078695fea6f1e51366c5ae0b102192a
Instruction ID: 024d7c106a67a6646738c74a8a72d81279c34f3de4f4968b0fd84092d86be4b0
Opcode Fuzzy Hash: bcf00c57f613047c4544b588b4e39f11e078695fea6f1e51366c5ae0b102192a
Instruction Fuzzy Hash: 69E04F312102049FC710EF69D844E9AF7E9AFA8760F00841AFC49CB751DBB0E8458B90

Function 001709D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,001703EE), ref: 001709DA

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 802fb7797659b3b728709d5b70caf001c6ae58f0c7cc04cbf027d018100d0a5c
Instruction ID: 154f79b0d7f5f09755330166283a257bd882121cb5ff6d08619dcd53b9fca18e
Opcode Fuzzy Hash: 802fb7797659b3b728709d5b70caf001c6ae58f0c7cc04cbf027d018100d0a5c
Instruction Fuzzy Hash:

Function 0017781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0017798B

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 51a7e498feb8b096793290e993707060369b2d86b0323a33945bddb6f5a2ed3a
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: CF51887164C705ABDF388568C85EBBE63B99B12358F18C919E98EC72C2C711DE41D393

Function 001C2046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&", xrefs: 001C2053

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID:
String ID: 0&"
API String ID: 0-3449093698
Opcode ID: 2627cc5f48510c8a37ac77796b6f6e8dfead87f0c9f1fb73ecefabd65589e713
Instruction ID: cd654b31cc05e0e0be617e21116041658166cab8eb6d2b65d112cb4e55a30b73
Opcode Fuzzy Hash: 2627cc5f48510c8a37ac77796b6f6e8dfead87f0c9f1fb73ecefabd65589e713
Instruction Fuzzy Hash: 4821B7326206119BD728CF79D92367E73E9A764310F15862EE4A7C77D1DE3AE904CB80

Function 00186DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77d7abe44138616d7bd2ef4e51195efccc77e87f9baa4961c8739b9fa3a81edc
Instruction ID: 34283e9119d23779ff2c4252e097093873a9d9afd2a2f44c0ba8dc2d5cb560f4
Opcode Fuzzy Hash: 77d7abe44138616d7bd2ef4e51195efccc77e87f9baa4961c8739b9fa3a81edc
Instruction Fuzzy Hash: 4532F321D29F014DD723A634D822335A649AFB73C5F25D737E81AB5DAAEB39C5C38600

Function 0016CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f49192fc4c1b10feb3632740c1fd46f237f3380d41a39de5cbd48247e7256cd
Instruction ID: b2c1d17542a7bec7d5957da00b4372dac64ca418dcf669dc1f19bd9aa3f1f886
Opcode Fuzzy Hash: 6f49192fc4c1b10feb3632740c1fd46f237f3380d41a39de5cbd48247e7256cd
Instruction Fuzzy Hash: 5E32373AA041158BCF28CF6CC8946BD7BA1EF46314F29856AD49ADB391E730DD81DBD0

Function 00157920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83718c6028ff0f629af7dd43d74f75842ba613054085a579b547488a55d027d0
Instruction ID: 9ee16eb595346af47c890bd2842d56c3da12b36eb881c4dd2ae70674a3140bae
Opcode Fuzzy Hash: 83718c6028ff0f629af7dd43d74f75842ba613054085a579b547488a55d027d0
Instruction Fuzzy Hash: CF22C2B0A04609DFDF14CF64D882AAEB7F6FF54301F144529E826EB291EB36AD15CB50

Function 001591C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea5bf06a02faaebc43a6518cedcc2cc3e8edb46503a64cf77027f48fdd224b92
Instruction ID: ce52f3b31a2a47d720de1609251c19317ece2e914cea1ee3e4952525fa969d8d
Opcode Fuzzy Hash: ea5bf06a02faaebc43a6518cedcc2cc3e8edb46503a64cf77027f48fdd224b92
Instruction Fuzzy Hash: C402B6B1E00209EBDF04DF64D881AADBBF5FF54300F118169E816DB291EB31EA65CB95

Function 001719B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 815156f3c3dd5adc3df66e13d35b1b868088af752db7552e44a448c99f7c8796
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: B99130722090E25ADB2D467E857403DFEF15A923A131A879DD4FACB1C1FF248659D620

Function 00177A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0462ae075220569421503736d0015834fdb0a28793959f49ad4d55881531e2fe
Instruction ID: 7104e99ce7bf15d4157ad1316843741d0bbf4cc2354614b711f26d50d2626b90
Opcode Fuzzy Hash: 0462ae075220569421503736d0015834fdb0a28793959f49ad4d55881531e2fe
Instruction Fuzzy Hash: 48616831748709A6EE38AA288C95BBE23B4DF55700F18C91AE94EDB2C1DB119F42C755

Function 00171706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: f633d32736c9c6c9d2fbf2fc55baca527b92d4ba7fe3de46f20a2499283c0b80
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 7D8184336080A319DB6D463E853407EFFF15A923A531A879DD4FACB1C1EF24C659E620

Function 016DAE00 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1370353485.00000000016D7000.00000040.00000020.00020000.00000000.sdmp, Offset: 016D7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d7000_Payment 01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 19b5074e35d2593079c9cde714163e59e5bbc9029be077b286fae261bd9a52ec
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: C841D371D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB80

Function 016DACF0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1370353485.00000000016D7000.00000040.00000020.00020000.00000000.sdmp, Offset: 016D7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d7000_Payment 01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 82549b2e4b84eefa629f7c2219171f8bc6b19853b6e2a958f780ed933b5c9bf2
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 8F019279E04109EFCB44DF98C5909AEF7B6FF48310F208599D809A7301D730AE42DB80

Function 016DAC90 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1370353485.00000000016D7000.00000040.00000020.00020000.00000000.sdmp, Offset: 016D7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d7000_Payment 01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: a5bda67e0884583ca349bb7d0cc69d976d1b8a4c78d3cc15058b9ed5c32b289f
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: DA019278E04109EFCB44DF98C5909AEF7B6FF48310F208599D819A7301D730AE41DB80

Function 016D9660 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1370353485.00000000016D7000.00000040.00000020.00020000.00000000.sdmp, Offset: 016D7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d7000_Payment 01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 001D2ADE Relevance: 79.2, APIs: 40, Strings: 5, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 001D2B30
DeleteObject.GDI32(00000000), ref: 001D2B43
DestroyWindow.USER32 ref: 001D2B52
GetDesktopWindow.USER32 ref: 001D2B6D
GetWindowRect.USER32(00000000), ref: 001D2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 001D2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 001D2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001D2CF8
GetClientRect.USER32(00000000,?), ref: 001D2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 001D2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001D2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001D2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001D2D80
GlobalLock.KERNEL32(00000000), ref: 001D2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001D2D98
GlobalUnlock.KERNEL32(00000000), ref: 001D2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001D2DA8
GlobalFree.KERNEL32(00000000), ref: 001D2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001D2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,001EFC38,00000000), ref: 001D2DDB
GlobalFree.KERNEL32(00000000), ref: 001D2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 001D2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 001D2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001D2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001D303F

Strings

AutoIt v3, xrefs: 001D2CF2
, xrefs: 001D2FC5
static, xrefs: 001D2D3A, 001D2E91
DISPLAY, xrefs: 001D2EA2
@U=u, xrefs: 001D2E30, 001D2FBF

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $@U=u$AutoIt v3$DISPLAY$static
API String ID: 2211948467-3613752883
Opcode ID: bdbce7ab3199b405c73918352b6fda58f087aff008c3610c3d916937fcd7f5a4
Instruction ID: 93cb1c733b231ba24f17ad85398abc25f9440797df77b5f07980b71f74e5f624
Opcode Fuzzy Hash: bdbce7ab3199b405c73918352b6fda58f087aff008c3610c3d916937fcd7f5a4
Instruction Fuzzy Hash: C4028D71900205EFDB14DFA4DC89EAE7BB9FF58311F008559F925AB2A1D770AD42CBA0

Function 001E70D5 Relevance: 59.8, APIs: 33, Strings: 1, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 001E712F
GetSysColorBrush.USER32(0000000F), ref: 001E7160
GetSysColor.USER32(0000000F), ref: 001E716C
SetBkColor.GDI32(?,000000FF), ref: 001E7186
SelectObject.GDI32(?,?), ref: 001E7195
InflateRect.USER32(?,000000FF,000000FF), ref: 001E71C0
GetSysColor.USER32(00000010), ref: 001E71C8
CreateSolidBrush.GDI32(00000000), ref: 001E71CF
FrameRect.USER32(?,?,00000000), ref: 001E71DE
DeleteObject.GDI32(00000000), ref: 001E71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 001E7230
FillRect.USER32(?,?,?), ref: 001E7262
GetWindowLongW.USER32(?,000000F0), ref: 001E7284

Part of subcall function 001E73E8: GetSysColor.USER32(00000012), ref: 001E7421
Part of subcall function 001E73E8: SetTextColor.GDI32(?,?), ref: 001E7425
Part of subcall function 001E73E8: GetSysColorBrush.USER32(0000000F), ref: 001E743B
Part of subcall function 001E73E8: GetSysColor.USER32(0000000F), ref: 001E7446
Part of subcall function 001E73E8: GetSysColor.USER32(00000011), ref: 001E7463
Part of subcall function 001E73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 001E7471
Part of subcall function 001E73E8: SelectObject.GDI32(?,00000000), ref: 001E7482
Part of subcall function 001E73E8: SetBkColor.GDI32(?,00000000), ref: 001E748B
Part of subcall function 001E73E8: SelectObject.GDI32(?,?), ref: 001E7498
Part of subcall function 001E73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 001E74B7
Part of subcall function 001E73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 001E74CE
Part of subcall function 001E73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 001E74DB

Strings

@U=u, xrefs: 001E72CC

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID: @U=u
API String ID: 4124339563-2594219639
Opcode ID: 3ee725216669717097da2251a6d43fa00ea17bf634ac96a534a442ff2b398450
Instruction ID: a9449cc8ad0ee7238bf51cf2e7250b22b577f3f6b3cbcb47a3b0ae037e9a534a
Opcode Fuzzy Hash: 3ee725216669717097da2251a6d43fa00ea17bf634ac96a534a442ff2b398450
Instruction Fuzzy Hash: 15A1B472108741EFD7049FA0DC88E5F7BA9FF49720F100A19FA629A1E1D731D985CB91

Function 00168D85 Relevance: 49.5, APIs: 26, Strings: 2, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00168E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 001A6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 001A6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 001A6F43

Part of subcall function 00168F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00168BE8,?,00000000,?,?,?,?,00168BBA,00000000,?), ref: 00168FC5

SendMessageW.USER32(?,00001053), ref: 001A6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 001A6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 001A6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 001A6FB7

Strings

@U=u, xrefs: 001A6AC5, 001A6BD6, 001A6EBF
0, xrefs: 001A6DCF

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0$@U=u
API String ID: 2760611726-975001249
Opcode ID: b01689f40c329f0fde5526cc91832acd6e4d17ac4e1a7ce6dad196f4613f04a0
Instruction ID: 473aac98cc1af3dea423040815ac39ec440190bfae81421ca191733310bfa069
Opcode Fuzzy Hash: b01689f40c329f0fde5526cc91832acd6e4d17ac4e1a7ce6dad196f4613f04a0
Instruction Fuzzy Hash: 7912B038200251EFD725CF54DC98BAAB7E1FB5A310F184569F4858B661CB32ECA2CB91

Function 001D2711 Relevance: 47.6, APIs: 22, Strings: 5, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 001D273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 001D286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 001D28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 001D28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 001D2900
GetClientRect.USER32(00000000,?), ref: 001D290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 001D2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 001D2964
GetStockObject.GDI32(00000011), ref: 001D2974
SelectObject.GDI32(00000000,00000000), ref: 001D2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 001D2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 001D2991
DeleteDC.GDI32(00000000), ref: 001D299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 001D29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 001D29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 001D2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 001D2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 001D2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 001D2A77
GetStockObject.GDI32(00000011), ref: 001D2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 001D2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 001D2A97

Strings

AutoIt v3, xrefs: 001D28F8
msctls_progress32, xrefs: 001D2A13
static, xrefs: 001D294F, 001D2A71
DISPLAY, xrefs: 001D295A
@U=u, xrefs: 001D29CC

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: @U=u$AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-2771358697
Opcode ID: 1b2810f6353bd85250225cfc6bf5ee3f62afb3181a3601218adaa97e1021ab11
Instruction ID: 17cb5870b8562eb448c83c801850bed6b8b7020c03c95e6f60ef50bff37256ef
Opcode Fuzzy Hash: 1b2810f6353bd85250225cfc6bf5ee3f62afb3181a3601218adaa97e1021ab11
Instruction Fuzzy Hash: 39B14D71A00215BFEB24DFA8DC89FAE7BA9EF18711F004155F925EB290D774AD41CB90

Function 001E73E8 Relevance: 47.5, APIs: 26, Strings: 1, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 001E7421
SetTextColor.GDI32(?,?), ref: 001E7425
GetSysColorBrush.USER32(0000000F), ref: 001E743B
GetSysColor.USER32(0000000F), ref: 001E7446
CreateSolidBrush.GDI32(?), ref: 001E744B
GetSysColor.USER32(00000011), ref: 001E7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 001E7471
SelectObject.GDI32(?,00000000), ref: 001E7482
SetBkColor.GDI32(?,00000000), ref: 001E748B
SelectObject.GDI32(?,?), ref: 001E7498
InflateRect.USER32(?,000000FF,000000FF), ref: 001E74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 001E74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 001E74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 001E752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 001E7554
InflateRect.USER32(?,000000FD,000000FD), ref: 001E7572
DrawFocusRect.USER32(?,?), ref: 001E757D
GetSysColor.USER32(00000011), ref: 001E758E
SetTextColor.GDI32(?,00000000), ref: 001E7596
DrawTextW.USER32(?,001E70F5,000000FF,?,00000000), ref: 001E75A8
SelectObject.GDI32(?,?), ref: 001E75BF
DeleteObject.GDI32(?), ref: 001E75CA
SelectObject.GDI32(?,?), ref: 001E75D0
DeleteObject.GDI32(?), ref: 001E75D5
SetTextColor.GDI32(?,?), ref: 001E75DB
SetBkColor.GDI32(?,?), ref: 001E75E5

Strings

@U=u, xrefs: 001E752A

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID: @U=u
API String ID: 1996641542-2594219639
Opcode ID: d8f9921c77a3cb1bad1b1c5dc4cb5895275cbe6adcdc35479d77b8398aaed405
Instruction ID: 9e9bfa0b927b88eb5b451ceeb98e7c533c50149b534e23c2c99257dc8bcdc63f
Opcode Fuzzy Hash: d8f9921c77a3cb1bad1b1c5dc4cb5895275cbe6adcdc35479d77b8398aaed405
Instruction Fuzzy Hash: 3B616B72900658AFEB059FA4DC89EEEBFB9EF08720F114115F911AB2E1D7709981DF90

Function 001C4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001C4AED
GetDriveTypeW.KERNEL32(?,001ECB68,?,\\.\,001ECC08), ref: 001C4BCA
SetErrorMode.KERNEL32(00000000,001ECB68,?,\\.\,001ECC08), ref: 001C4D36

Strings

iSCSI, xrefs: 001C4CC2
RAMDisk, xrefs: 001C4BF4
Fibre, xrefs: 001C4CAD
SSD, xrefs: 001C4C4A
Removable, xrefs: 001C4C10, 001C4C15
FileBackedVirtual, xrefs: 001C4CEC
Fixed, xrefs: 001C4C09
USB, xrefs: 001C4CB4
ATA, xrefs: 001C4C98
ATAPI, xrefs: 001C4C91
Virtual, xrefs: 001C4CE5
CDROM, xrefs: 001C4BFB
SATA, xrefs: 001C4CD0
Network, xrefs: 001C4C02
Unknown, xrefs: 001C4BED, 001C4C83
PhysicalDrive, xrefs: 001C4B76
SCSI, xrefs: 001C4C8A
SSA, xrefs: 001C4CA6
\\.\, xrefs: 001C4B3F
SAS, xrefs: 001C4CC9
1394, xrefs: 001C4C9F
MMC, xrefs: 001C4CDE
RAID, xrefs: 001C4CBB

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 486d9543f1469dd5b81d8be8daffd0db48a0b3ed302c8877a5c00a7fa9e73421
Instruction ID: bab4435372af537b66c9769d7ea0faaf7a15a1a38088cd0e74721ec1406a7f3f
Opcode Fuzzy Hash: 486d9543f1469dd5b81d8be8daffd0db48a0b3ed302c8877a5c00a7fa9e73421
Instruction Fuzzy Hash: 0861E430619105DBCB18DF64DAA6FBD77F0AB35300B25401DF806AB6A1DB31ED91DB85

Function 001E0241 Relevance: 37.1, APIs: 7, Strings: 14, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 001E02E5
_wcslen.LIBCMT ref: 001E031F
_wcslen.LIBCMT ref: 001E0389
_wcslen.LIBCMT ref: 001E03F1
_wcslen.LIBCMT ref: 001E0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 001E04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 001E0504

Part of subcall function 0016F9F2: _wcslen.LIBCMT ref: 0016F9FD

Part of subcall function 001B223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 001B2258
Part of subcall function 001B223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 001B228A

Strings

GETSELECTEDCOUNT, xrefs: 001E0470, 001E048B
GETSELECTED, xrefs: 001E05E1
SELECTALL, xrefs: 001E0515
FINDITEM, xrefs: 001E0627
SELECTINVERT, xrefs: 001E057E
GETITEMCOUNT, xrefs: 001E0316, 001E0337
SELECTCLEAR, xrefs: 001E052D
SELECT, xrefs: 001E0548
DESELECT, xrefs: 001E059C
ISSELECTED, xrefs: 001E04DD
@U=u, xrefs: 001E04C5, 001E0504
VIEWCHANGE, xrefs: 001E0675
GETSUBITEMCOUNT, xrefs: 001E0384, 001E039F
GETTEXT, xrefs: 001E03EC, 001E0407

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: @U=u$DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-1753161424
Opcode ID: 422e5891c70774033487f9dd62a0abb47b3f090d928964e18ced979dd056f0ba
Instruction ID: bd43e588c803105df65aca8b15ac5f86d4787dc306c01acb77e9eb34a7afb77f
Opcode Fuzzy Hash: 422e5891c70774033487f9dd62a0abb47b3f090d928964e18ced979dd056f0ba
Instruction Fuzzy Hash: B5E1C1312186818FC719DF29C99096EB3E1BFEC314B14495DF8969B3A1DB70ED85CB81

Function 001E0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 001E1128
GetDesktopWindow.USER32 ref: 001E113D
GetWindowRect.USER32(00000000), ref: 001E1144
GetWindowLongW.USER32(?,000000F0), ref: 001E1199
DestroyWindow.USER32(?), ref: 001E11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 001E11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001E120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 001E121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 001E1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 001E1245
IsWindowVisible.USER32(00000000), ref: 001E12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 001E12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 001E12D0
GetWindowRect.USER32(00000000,?), ref: 001E12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 001E130E
GetMonitorInfoW.USER32(00000000,?), ref: 001E1328
CopyRect.USER32(?,?), ref: 001E133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 001E13AA

Strings

0, xrefs: 001E10D3
tooltips_class32, xrefs: 001E11E6
(, xrefs: 001E131B

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: f399afb9ab7c2b6a135886147c178710555e6e8ac1ec5143bf23919f1a0ab41a
Instruction ID: db30d930097fb3911154dec201ef2e76b74d6876501bfdd7ead7364d144a3d93
Opcode Fuzzy Hash: f399afb9ab7c2b6a135886147c178710555e6e8ac1ec5143bf23919f1a0ab41a
Instruction Fuzzy Hash: E1B17971608781AFDB14DF65C884B6FBBE5FF88350F008918F9999B2A1D731E845CB92

Function 00168891 Relevance: 35.3, APIs: 18, Strings: 2, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00168968
GetSystemMetrics.USER32(00000007), ref: 00168970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0016899B
GetSystemMetrics.USER32(00000008), ref: 001689A3
GetSystemMetrics.USER32(00000004), ref: 001689C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 001689E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 001689F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00168A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00168A3C
GetClientRect.USER32(00000000,000000FF), ref: 00168A5A
GetStockObject.GDI32(00000011), ref: 00168A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00168A81

Part of subcall function 0016912D: GetCursorPos.USER32(?), ref: 00169141
Part of subcall function 0016912D: ScreenToClient.USER32(00000000,?), ref: 0016915E
Part of subcall function 0016912D: GetAsyncKeyState.USER32(00000001), ref: 00169183
Part of subcall function 0016912D: GetAsyncKeyState.USER32(00000002), ref: 0016919D

SetTimer.USER32(00000000,00000000,00000028,001690FC), ref: 00168AA8

Strings

AutoIt v3 GUI, xrefs: 00168A20
@U=u, xrefs: 00168A81

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: @U=u$AutoIt v3 GUI
API String ID: 1458621304-2077007950
Opcode ID: cf36ffa0cef7154d1e305887dc6dba8bae60cfee0443ac186c5fc64bd3646938
Instruction ID: a2672b45cb9fbf618d7c18b9ba919e0908ddd171aa6545aeabe2858f37659a8d
Opcode Fuzzy Hash: cf36ffa0cef7154d1e305887dc6dba8bae60cfee0443ac186c5fc64bd3646938
Instruction Fuzzy Hash: 46B19D75A00209AFDB14DFA8DC89FAE7BB5FB48314F154219FA15AB290DB30A851CF51

Function 001B5A1B Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 001B5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 001B5A40
SetWindowTextW.USER32(?,?), ref: 001B5A57
GetDlgItem.USER32(?,000003EA), ref: 001B5A6C
SetWindowTextW.USER32(00000000,?), ref: 001B5A72
GetDlgItem.USER32(?,000003E9), ref: 001B5A82
SetWindowTextW.USER32(00000000,?), ref: 001B5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 001B5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 001B5AC3
GetWindowRect.USER32(?,?), ref: 001B5ACC
_wcslen.LIBCMT ref: 001B5B33
SetWindowTextW.USER32(?,?), ref: 001B5B6F
GetDesktopWindow.USER32 ref: 001B5B75
GetWindowRect.USER32(00000000), ref: 001B5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 001B5BD3
GetClientRect.USER32(?,?), ref: 001B5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 001B5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 001B5C2F

Strings

@U=u, xrefs: 001B5A40

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID: @U=u
API String ID: 895679908-2594219639
Opcode ID: e4da5687edfecad64d0ec3c3a4fa2d26272cdff695b096afeb86de434ca3f5a2
Instruction ID: f1ac7fb0f1c883ce79a91c4ca64db9b0c92fe5a110eaac1490b8a1067f55c896
Opcode Fuzzy Hash: e4da5687edfecad64d0ec3c3a4fa2d26272cdff695b096afeb86de434ca3f5a2
Instruction Fuzzy Hash: 4E716D31900B09AFDB20DFA9CE85BAEBBF6FF48704F104518E542A76A0D775E945CB50

Function 001E091E Relevance: 31.9, APIs: 6, Strings: 12, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 001E09C6
_wcslen.LIBCMT ref: 001E0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 001E0A54
_wcslen.LIBCMT ref: 001E0A8A
_wcslen.LIBCMT ref: 001E0B06
_wcslen.LIBCMT ref: 001E0B81

Part of subcall function 0016F9F2: _wcslen.LIBCMT ref: 0016F9FD

Part of subcall function 001B2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001B2BFA

Strings

SELECT, xrefs: 001E0D11
GETSELECTED, xrefs: 001E0C4E
EXISTS, xrefs: 001E0B7C, 001E0B97
GETTOTALCOUNT, xrefs: 001E09F2, 001E0A17
COLLAPSE, xrefs: 001E0B01, 001E0B1C
ISCHECKED, xrefs: 001E0CE1
GETITEMCOUNT, xrefs: 001E0C1E
@U=u, xrefs: 001E0A54
UNCHECK, xrefs: 001E0D3E
GETTEXT, xrefs: 001E0C97
CHECK, xrefs: 001E0A85, 001E0AA0
EXPAND, xrefs: 001E0BF8

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: @U=u$CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-383632319
Opcode ID: 252e72f6885c459ff379819bee2d6aec2075036b8b5cc0b1313d4a0a2d875e10
Instruction ID: 80427f7f087eb66a85ac83602308ddba293a2fa3b0ac98c233842aa4a15e79bb
Opcode Fuzzy Hash: 252e72f6885c459ff379819bee2d6aec2075036b8b5cc0b1313d4a0a2d875e10
Instruction Fuzzy Hash: E8E1CF35208781CFC715DF25C85086EB7E1BFA8318B15895DF8969B3A2D770ED89CB81

Function 001B0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001B10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 001B1114
Part of subcall function 001B10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,001B0B9B,?,?,?), ref: 001B1120
Part of subcall function 001B10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,001B0B9B,?,?,?), ref: 001B112F
Part of subcall function 001B10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,001B0B9B,?,?,?), ref: 001B1136
Part of subcall function 001B10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 001B114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 001B0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 001B0E29
GetLengthSid.ADVAPI32(?), ref: 001B0E40
GetAce.ADVAPI32(?,00000000,?), ref: 001B0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 001B0E96
GetLengthSid.ADVAPI32(?), ref: 001B0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 001B0EB5
HeapAlloc.KERNEL32(00000000), ref: 001B0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 001B0EDD
CopySid.ADVAPI32(00000000), ref: 001B0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 001B0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 001B0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 001B0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001B0F6E
HeapFree.KERNEL32(00000000), ref: 001B0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001B0F7E
HeapFree.KERNEL32(00000000), ref: 001B0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001B0F8E
HeapFree.KERNEL32(00000000), ref: 001B0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 001B0FA1
HeapFree.KERNEL32(00000000), ref: 001B0FA8

Part of subcall function 001B1193: GetProcessHeap.KERNEL32(00000008,001B0BB1,?,00000000,?,001B0BB1,?), ref: 001B11A1
Part of subcall function 001B1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,001B0BB1,?), ref: 001B11A8
Part of subcall function 001B1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,001B0BB1,?), ref: 001B11B7

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 365165600e43cbaca138e706d2db661535369f410b0f9a8ca5d5c62b782e2fcf
Instruction ID: e4dca2856a8dd8ec66b152bc9d0124a020c05f6b5a6599d5e7ad154cd698a19e
Opcode Fuzzy Hash: 365165600e43cbaca138e706d2db661535369f410b0f9a8ca5d5c62b782e2fcf
Instruction Fuzzy Hash: 13713E71A0020AEBDF219FA4DC45FEFBBB8BF09310F148159F919EA191D7719A45CBA0

Function 001E833C Relevance: 31.7, APIs: 14, Strings: 4, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001E835A
_wcslen.LIBCMT ref: 001E836E
_wcslen.LIBCMT ref: 001E8391
_wcslen.LIBCMT ref: 001E83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 001E83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,001E361A,?), ref: 001E844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 001E8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 001E84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 001E8501
FreeLibrary.KERNEL32(?), ref: 001E850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 001E851D
DestroyIcon.USER32(?), ref: 001E852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 001E8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 001E8555

Strings

.dll, xrefs: 001E83AB
.icl, xrefs: 001E8368
@U=u, xrefs: 001E8535
.exe, xrefs: 001E8388

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl$@U=u
API String ID: 799131459-1639919054
Opcode ID: e210cd6324be3034f49bcf58c00d27e57b901f29b9a9821d503ad88d9bf70393
Instruction ID: fc55935db32132765dd03179264695d372ea9979399e8fb44e639ddb7af06e65
Opcode Fuzzy Hash: e210cd6324be3034f49bcf58c00d27e57b901f29b9a9821d503ad88d9bf70393
Instruction Fuzzy Hash: D961DD71500A55BBEB14DF65CC81BBE77A8FF18B11F104609F919EA0D1EF74A990CBA0

Function 001DC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001DC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,001ECC08,00000000,?,00000000,?,?), ref: 001DC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 001DC5A4
_wcslen.LIBCMT ref: 001DC5F4
_wcslen.LIBCMT ref: 001DC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 001DC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 001DC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 001DC84D
RegCloseKey.ADVAPI32(?), ref: 001DC881
RegCloseKey.ADVAPI32(00000000), ref: 001DC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 001DC960

Strings

REG_MULTI_SZ, xrefs: 001DC6F5
REG_QWORD, xrefs: 001DC8C3
REG_EXPAND_SZ, xrefs: 001DC5CD
REG_SZ, xrefs: 001DC644
REG_DWORD, xrefs: 001DC804
REG_BINARY, xrefs: 001DC913

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: d3c4c38808ce929ecc15b5ec5fed3b72007b65fa464476f926d1c6e106c67af0
Instruction ID: d8912816042648fcee3af71ac8376a4ba1b1e875d11ed8f19c5a5d9af54deae1
Opcode Fuzzy Hash: d3c4c38808ce929ecc15b5ec5fed3b72007b65fa464476f926d1c6e106c67af0
Instruction Fuzzy Hash: 6B125635604201DFCB14DF24D881A2AB7E5EF88725F04885DF89A9B3A2DB31ED45CB81

Function 001DC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,001DB6AE,?,?), ref: 001DC9B5
_wcslen.LIBCMT ref: 001DC9F1
_wcslen.LIBCMT ref: 001DCA68
_wcslen.LIBCMT ref: 001DCA9E
_wcslen.LIBCMT ref: 001DCAF9
_wcslen.LIBCMT ref: 001DCB2F
_wcslen.LIBCMT ref: 001DCB7F

Strings

HKLM, xrefs: 001DCA98, 001DCA9D
HKCU, xrefs: 001DCBCE
HKEY_USERS, xrefs: 001DCBDF
HKCR, xrefs: 001DCB29, 001DCB2E
HKCC, xrefs: 001DCBAC
HKEY_CLASSES_ROOT, xrefs: 001DCAF3, 001DCAF8
HKEY_CURRENT_USER, xrefs: 001DCBBD
HKEY_LOCAL_MACHINE, xrefs: 001DCA62, 001DCA67
HKU, xrefs: 001DCBF0
HKEY_CURRENT_CONFIG, xrefs: 001DCB79, 001DCB7E

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 20b88b47279353510ec4cf1d1d31a46b78242ebb47bf285d58f9a4c05d1fd41c
Instruction ID: d6245dd430dde039f165571733629b2fe9eb1e58e217e3a2b12c72540eed256d
Opcode Fuzzy Hash: 20b88b47279353510ec4cf1d1d31a46b78242ebb47bf285d58f9a4c05d1fd41c
Instruction Fuzzy Hash: 7A71E23261016B8BCB20DE6CCD515BB33A5ABB4794B150A2AF8669B384F731CD95C3E0

Function 00157778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

', xrefs: 00195169
#pragma compile, xrefs: 001577D3
#ce, xrefs: 001578ED
Cannot parse #include, xrefs: 00195279
#notrayicon, xrefs: 001577E7
#include, xrefs: 00157847
#comments-end, xrefs: 001578D9
#include-once, xrefs: 0015782F
#OnAutoItStartRegister, xrefs: 00157817
#cs, xrefs: 00157873, 001578C5
#comments-start, xrefs: 0015785F, 001578B1
Unterminated group of comments, xrefs: 0019528C
", xrefs: 00195153
Bad directive syntax error, xrefs: 0019519A
#requireadmin, xrefs: 001577FF

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 51b0adb8fdbdf14b16b3f6a25be39c497d9910841a9a00ba368ed83bc310e16d
Instruction ID: 7247a3f6008b533b1c2e1aaa10308fff320aa1767db4cc3ed6eb313b38e1e8a2
Opcode Fuzzy Hash: 51b0adb8fdbdf14b16b3f6a25be39c497d9910841a9a00ba368ed83bc310e16d
Instruction Fuzzy Hash: DC81F371640605EBDB25AF60EC47FAE37A9AF25301F144024FD18AF1D6EB70DA16C7A1

Function 001E856F Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 001E8592
GetFileSize.KERNEL32(00000000,00000000), ref: 001E85A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 001E85AD
CloseHandle.KERNEL32(00000000), ref: 001E85BA
GlobalLock.KERNEL32(00000000), ref: 001E85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 001E85D7
GlobalUnlock.KERNEL32(00000000), ref: 001E85E0
CloseHandle.KERNEL32(00000000), ref: 001E85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 001E85F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,001EFC38,?), ref: 001E8611
GlobalFree.KERNEL32(00000000), ref: 001E8621
GetObjectW.GDI32(?,00000018,000000FF), ref: 001E8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 001E8671
DeleteObject.GDI32(00000000), ref: 001E8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 001E86AF

Strings

@U=u, xrefs: 001E86AF

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID: @U=u
API String ID: 3840717409-2594219639
Opcode ID: 6e4242230b918421bf117b330e8e8bdfea36f6de314ddba5b61a4f423f712ffc
Instruction ID: 531392b2a654cf94237b56636f7f2ef4b03352c59a4201793c89ade2b9574e06
Opcode Fuzzy Hash: 6e4242230b918421bf117b330e8e8bdfea36f6de314ddba5b61a4f423f712ffc
Instruction Fuzzy Hash: 18411975600285AFDB11DFA5CC88EAEBBB8FF89715F104158F919EB260DB309942DB60

Function 001B30F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001B318D
_wcslen.LIBCMT ref: 001B31F8

Strings

TEXT, xrefs: 001B347C
NAME, xrefs: 001B3335, 001B3346
CLASS, xrefs: 001B3188, 001B31A5
CLASSNN, xrefs: 001B31F3, 001B3204
INSTANCE, xrefs: 001B3453
[!, xrefs: 001B339A
REGEXPCLASS, xrefs: 001B3255, 001B3266

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[!
API String ID: 176396367-2891400992
Opcode ID: c9babb239876d378d57653d0dd10fbcf10029a962191d244b7042387136036d1
Instruction ID: 341570cc986afb8cc324ff6d4a9055ec64c6e8ee38ae2350151a07c70473d904
Opcode Fuzzy Hash: c9babb239876d378d57653d0dd10fbcf10029a962191d244b7042387136036d1
Instruction Fuzzy Hash: 5FE1F731A00526EBCB289F78C8416EEFBB4BF64714F558159E476E7240DB30AFA9C790

Function 001E911E Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00169BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00169BB2

DragQueryPoint.SHELL32(?,?), ref: 001E9147

Part of subcall function 001E7674: ClientToScreen.USER32(?,?), ref: 001E769A
Part of subcall function 001E7674: GetWindowRect.USER32(?,?), ref: 001E7710
Part of subcall function 001E7674: PtInRect.USER32(?,?,001E8B89), ref: 001E7720

SendMessageW.USER32(?,000000B0,?,?), ref: 001E91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 001E91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 001E91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 001E9225
SendMessageW.USER32(?,000000B0,?,?), ref: 001E923E
SendMessageW.USER32(?,000000B1,?,?), ref: 001E9255
SendMessageW.USER32(?,000000B1,?,?), ref: 001E9277
DragFinish.SHELL32(?), ref: 001E927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 001E9371

Strings

@GUI_DRAGID, xrefs: 001E92E9
@GUI_DROPID, xrefs: 001E929E
@GUI_DRAGFILE, xrefs: 001E9320
@U=u, xrefs: 001E91B0, 001E9225, 001E923E, 001E9255, 001E9277
p#", xrefs: 001E92BB

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$@U=u$p#"
API String ID: 221274066-804948036
Opcode ID: 7850441ae85ba61a1beb0bd07ceda42c3c2e0361039e4b2322faeb67dd8dce57
Instruction ID: 66afaa6a605685e56af0162986c42b66183c84e9430487698f711a4cc01eea3c
Opcode Fuzzy Hash: 7850441ae85ba61a1beb0bd07ceda42c3c2e0361039e4b2322faeb67dd8dce57
Instruction Fuzzy Hash: BA618A71108341AFC701DFA4DC85DAFBBE8EF99750F40091EF9A1961A1DB709A4ACB92

Function 001700C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 001700C6

Part of subcall function 001700ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0022070C,00000FA0,4A7D37E9,?,?,?,?,001923B3,000000FF), ref: 0017011C
Part of subcall function 001700ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,001923B3,000000FF), ref: 00170127
Part of subcall function 001700ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,001923B3,000000FF), ref: 00170138
Part of subcall function 001700ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0017014E
Part of subcall function 001700ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0017015C
Part of subcall function 001700ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0017016A
Part of subcall function 001700ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00170195
Part of subcall function 001700ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 001701A0

___scrt_fastfail.LIBCMT ref: 001700E7

Part of subcall function 001700A3: __onexit.LIBCMT ref: 001700A9

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 00170122
kernel32.dll, xrefs: 00170133
InitializeConditionVariable, xrefs: 00170148
WakeAllConditionVariable, xrefs: 00170162
SleepConditionVariableCS, xrefs: 00170154

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 3bbcb1bf2e22a07ec908ea673c29008e07f2816c6265658d8e00a029e88e7184
Instruction ID: e356922bb1980496ccd717467a1baf5552c58520123243afcaa1d9daacac54b2
Opcode Fuzzy Hash: 3bbcb1bf2e22a07ec908ea673c29008e07f2816c6265658d8e00a029e88e7184
Instruction Fuzzy Hash: 9A21F932A44750EBD7226BE4BC89B6E77F4EB0DB61F01813DFC0596691DBB09C418A90

Function 001C44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,001ECC08), ref: 001C4527
_wcslen.LIBCMT ref: 001C453B
_wcslen.LIBCMT ref: 001C4599
_wcslen.LIBCMT ref: 001C45F4
_wcslen.LIBCMT ref: 001C463F
_wcslen.LIBCMT ref: 001C46A7

Part of subcall function 0016F9F2: _wcslen.LIBCMT ref: 0016F9FD

GetDriveTypeW.KERNEL32(?,00216BF0,00000061), ref: 001C4743

Strings

all, xrefs: 001C4531, 001C4536
ramdisk, xrefs: 001C46F1
cdrom, xrefs: 001C458F, 001C4594
removable, xrefs: 001C45EA, 001C45EF
unknown, xrefs: 001C4708
fixed, xrefs: 001C4635, 001C463A
network, xrefs: 001C469D, 001C46A2

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 2c55fbbac9c9bc6f78a4a327999f09b9ec617b116c1d80615a7a0188c2a9e1ac
Instruction ID: aed63cb13965299cfd2ff0b53bc85122b9afc9b19351049dc1e64fd06d21307e
Opcode Fuzzy Hash: 2c55fbbac9c9bc6f78a4a327999f09b9ec617b116c1d80615a7a0188c2a9e1ac
Instruction Fuzzy Hash: 58B1EE3160C3129FC724DF28C8A0E6EB7E5AFB5724F50491DF4A6C7291E730D989CA92

Function 001E6CD9 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 001E6DEB

Part of subcall function 00156B57: _wcslen.LIBCMT ref: 00156B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 001E6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 001E6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001E6E94
DestroyWindow.USER32(?), ref: 001E6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00150000,00000000), ref: 001E6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001E6EFD
GetDesktopWindow.USER32 ref: 001E6F16
GetWindowRect.USER32(00000000), ref: 001E6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 001E6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 001E6F4D

Part of subcall function 00169944: GetWindowLongW.USER32(?,000000EB), ref: 00169952

Strings

tooltips_class32, xrefs: 001E6E58, 001E6EDD
@U=u, xrefs: 001E6E81, 001E6E94, 001E6EFD, 001E6F27
0, xrefs: 001E6D98

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$@U=u$tooltips_class32
API String ID: 2429346358-1130792468
Opcode ID: c1d002fefd6d54685eceda1c8ab1198487b4ae895c87943848e72e03d428e9cb
Instruction ID: eb917520e619384ba7993f3df8a2800c38f0cdcf99eaf7480dad1bf9fb1fb6d5
Opcode Fuzzy Hash: c1d002fefd6d54685eceda1c8ab1198487b4ae895c87943848e72e03d428e9cb
Instruction Fuzzy Hash: 2B718870104684AFDB20CF59DC98EAABBE9FBA9340F84041DF999872A1C770AD46CB51

Function 001DAFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001DB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 001DB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 001DB1D4
_wcslen.LIBCMT ref: 001DB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 001DB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 001DB236
_wcslen.LIBCMT ref: 001DB332

Part of subcall function 001C05A7: GetStdHandle.KERNEL32(000000F6), ref: 001C05C6

_wcslen.LIBCMT ref: 001DB34B
_wcslen.LIBCMT ref: 001DB366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 001DB3B6
GetLastError.KERNEL32(00000000), ref: 001DB407
CloseHandle.KERNEL32(?), ref: 001DB439
CloseHandle.KERNEL32(00000000), ref: 001DB44A
CloseHandle.KERNEL32(00000000), ref: 001DB45C
CloseHandle.KERNEL32(00000000), ref: 001DB46E
CloseHandle.KERNEL32(?), ref: 001DB4E3

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: b878d583f195cc8ec9c9b90f4dd7987727cb5d4168e1c3b734ff799fc1f34741
Instruction ID: 7f5e906cb782ac9c7ac8d13197de103f6d8500bbf66caaa21838b6687145cb3e
Opcode Fuzzy Hash: b878d583f195cc8ec9c9b90f4dd7987727cb5d4168e1c3b734ff799fc1f34741
Instruction Fuzzy Hash: 8CF16731608340DFC714EF24D891A6EBBE1AF95314F15855EF89A8B3A2DB31EC45CB92

Function 0015326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00221990), ref: 00192F8D
GetMenuItemCount.USER32(00221990), ref: 0019303D
GetCursorPos.USER32(?), ref: 00193081
SetForegroundWindow.USER32(00000000), ref: 0019308A
TrackPopupMenuEx.USER32(00221990,00000000,?,00000000,00000000,00000000), ref: 0019309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 001930A9

Strings

0, xrefs: 0015327D

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 85a7c4504ba4286bb48374c7a11d557fe90473f3c288edde4ec3cf77dc7a1434
Instruction ID: f82545977a383ce4f6b3b62799d1f15469a782a4ed6e4240c5ea91909b126c7f
Opcode Fuzzy Hash: 85a7c4504ba4286bb48374c7a11d557fe90473f3c288edde4ec3cf77dc7a1434
Instruction Fuzzy Hash: 65710470644205BEEF258F64CC89FAABF64FF05364F244216F939AA1E0C7B1A954DB90

Function 001CC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 001CC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 001CC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 001CC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 001CC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 001CC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 001CC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001CC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 001CC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 001CC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 001CC5F0
InternetCloseHandle.WININET(00000000), ref: 001CC5FB

Strings

, xrefs: 001CC575

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: d0f0f76b83423dd72d93ddf2fa1c3bedb57acacc4740357d7e79515415217e37
Instruction ID: 57bc27fd7e66794e956fa27ecd59b972446767756cdc8f9238d22c7ca00916d9
Opcode Fuzzy Hash: d0f0f76b83423dd72d93ddf2fa1c3bedb57acacc4740357d7e79515415217e37
Instruction Fuzzy Hash: 1E515CB1600245BFDB218FA4CD88FAB7BBCFB28744F00841DF94996650DB30ED459BA1

Function 001C14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 001C1502
VariantCopy.OLEAUT32(?,?), ref: 001C150B
VariantClear.OLEAUT32(?), ref: 001C1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 001C15FB
VarR8FromDec.OLEAUT32(?,?), ref: 001C1657
VariantInit.OLEAUT32(?), ref: 001C1708
SysFreeString.OLEAUT32(?), ref: 001C178C
VariantClear.OLEAUT32(?), ref: 001C17D8
VariantClear.OLEAUT32(?), ref: 001C17E7
VariantInit.OLEAUT32(00000000), ref: 001C1823

Strings

Default, xrefs: 001C16AF
%4d%02d%02d%02d%02d%02d, xrefs: 001C1625

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 8d45ee6c64cb81497357a6dc37de26906f6b2512fd989683142f07e8e762e4e7
Instruction ID: b0af2e6ba45a7b19a998427d4a83240d02c3140056abde2e82de3e0814636c8b
Opcode Fuzzy Hash: 8d45ee6c64cb81497357a6dc37de26906f6b2512fd989683142f07e8e762e4e7
Instruction Fuzzy Hash: F1D12232A40210EBCB049F64E885F7DB7B1BF67B00F51809EE806AB182DB30EC55DB91

Function 001DB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD

Part of subcall function 001DC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001DB6AE,?,?), ref: 001DC9B5
Part of subcall function 001DC998: _wcslen.LIBCMT ref: 001DC9F1
Part of subcall function 001DC998: _wcslen.LIBCMT ref: 001DCA68
Part of subcall function 001DC998: _wcslen.LIBCMT ref: 001DCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001DB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001DB772
RegDeleteValueW.ADVAPI32(?,?), ref: 001DB80A
RegCloseKey.ADVAPI32(?), ref: 001DB87E
RegCloseKey.ADVAPI32(?), ref: 001DB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 001DB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 001DB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 001DB922
FreeLibrary.KERNEL32(00000000), ref: 001DB983
RegCloseKey.ADVAPI32(00000000), ref: 001DB994

Strings

advapi32.dll, xrefs: 001DB8ED
RegDeleteKeyExW, xrefs: 001DB8FE

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: b3d2b8e02580259a9e568e86b3bbf0d0bf031e5ad24521933a075017cbfdb910
Instruction ID: 41cdf8b803d9a026a25f816a7d21db6a6efdbdd8aff31dec16152f68b0cbb75a
Opcode Fuzzy Hash: b3d2b8e02580259a9e568e86b3bbf0d0bf031e5ad24521933a075017cbfdb910
Instruction Fuzzy Hash: 67C17A34208241EFD714DF24C8D5B2ABBE1BF84318F55855DF8AA4B3A2CB75E846CB91

Function 001E541D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 001E5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001E5515
CharNextW.USER32(00000158), ref: 001E5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 001E5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 001E559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001E55AC

Strings

@U=u, xrefs: 001E5504, 001E5515, 001E554A, 001E55C9, 001E562B, 001E5816

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: MessageSend$CharNext
String ID: @U=u
API String ID: 1350042424-2594219639
Opcode ID: d8d359b3c944f9d770401aaac1613ac68531bd924f783580325ee42b7905436c
Instruction ID: 32101e79f093324e8bbafb7bcab77169bfba30422f68549bffd7ee1ed6d92dd6
Opcode Fuzzy Hash: d8d359b3c944f9d770401aaac1613ac68531bd924f783580325ee42b7905436c
Instruction Fuzzy Hash: D1619034900A89EFDF108F96CC84DFE7BBAEF09728F144145F925AB291D7748A81DB61

Function 001D255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 001D25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 001D25E8
CreateCompatibleDC.GDI32(?), ref: 001D25F4
SelectObject.GDI32(00000000,?), ref: 001D2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 001D266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 001D26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 001D26D0
SelectObject.GDI32(?,?), ref: 001D26D8
DeleteObject.GDI32(?), ref: 001D26E1
DeleteDC.GDI32(?), ref: 001D26E8
ReleaseDC.USER32(00000000,?), ref: 001D26F3

Strings

(, xrefs: 001D268D

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 456fc632998809464bd094c94df4d13d17a575a2450da7430c0983d9565b6e50
Instruction ID: 32366ef68d2cb7e2b455021d5073a523e199db7b50ffaf7f8f4b15dac6d7b865
Opcode Fuzzy Hash: 456fc632998809464bd094c94df4d13d17a575a2450da7430c0983d9565b6e50
Instruction Fuzzy Hash: 8F61C1B5D00219EFCB14CFA8DC84AAEBBB6FF58310F20852AE955A7350D774A951CF90

Function 001BE6B0 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 001BE6B4

Part of subcall function 0016E551: timeGetTime.WINMM(?,?,001BE6D4), ref: 0016E555

Sleep.KERNEL32(0000000A), ref: 001BE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 001BE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 001BE727
SetActiveWindow.USER32 ref: 001BE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 001BE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 001BE773
Sleep.KERNEL32(000000FA), ref: 001BE77E
IsWindow.USER32 ref: 001BE78A
EndDialog.USER32(00000000), ref: 001BE79B

Strings

BUTTON, xrefs: 001BE719
@U=u, xrefs: 001BE754, 001BE773

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: @U=u$BUTTON
API String ID: 1194449130-2582809321
Opcode ID: 8d406aad15bd029285a84607ee4b49d85aa534fac1cde1823edbb2ea3edaf226
Instruction ID: a7fe1fcf2dd765c1a3cf34a865e1e397d956cd75ab2c05ca43d3e281d7e7ad1b
Opcode Fuzzy Hash: 8d406aad15bd029285a84607ee4b49d85aa534fac1cde1823edbb2ea3edaf226
Instruction Fuzzy Hash: AE216571600244FFEB205FE0FCCDEBA3BADEB65348F102424F815956B1DB729C568A94

Function 0018DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0018DAA1

Part of subcall function 0018D63C: _free.LIBCMT ref: 0018D659
Part of subcall function 0018D63C: _free.LIBCMT ref: 0018D66B
Part of subcall function 0018D63C: _free.LIBCMT ref: 0018D67D
Part of subcall function 0018D63C: _free.LIBCMT ref: 0018D68F
Part of subcall function 0018D63C: _free.LIBCMT ref: 0018D6A1
Part of subcall function 0018D63C: _free.LIBCMT ref: 0018D6B3
Part of subcall function 0018D63C: _free.LIBCMT ref: 0018D6C5
Part of subcall function 0018D63C: _free.LIBCMT ref: 0018D6D7
Part of subcall function 0018D63C: _free.LIBCMT ref: 0018D6E9
Part of subcall function 0018D63C: _free.LIBCMT ref: 0018D6FB
Part of subcall function 0018D63C: _free.LIBCMT ref: 0018D70D
Part of subcall function 0018D63C: _free.LIBCMT ref: 0018D71F
Part of subcall function 0018D63C: _free.LIBCMT ref: 0018D731

_free.LIBCMT ref: 0018DA96

Part of subcall function 001829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0018D7D1,00000000,00000000,00000000,00000000,?,0018D7F8,00000000,00000007,00000000,?,0018DBF5,00000000), ref: 001829DE
Part of subcall function 001829C8: GetLastError.KERNEL32(00000000,?,0018D7D1,00000000,00000000,00000000,00000000,?,0018D7F8,00000000,00000007,00000000,?,0018DBF5,00000000,00000000), ref: 001829F0

_free.LIBCMT ref: 0018DAB8
_free.LIBCMT ref: 0018DACD
_free.LIBCMT ref: 0018DAD8
_free.LIBCMT ref: 0018DAFA
_free.LIBCMT ref: 0018DB0D
_free.LIBCMT ref: 0018DB1B
_free.LIBCMT ref: 0018DB26
_free.LIBCMT ref: 0018DB5E
_free.LIBCMT ref: 0018DB65
_free.LIBCMT ref: 0018DB82
_free.LIBCMT ref: 0018DB9A

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: cbc8953d7d4b8dcb9b4ee82a4b2ca2b9f702201be4733a06482567f12a8bd0b8
Instruction ID: 4a91c1c0325c8934cdcf5674f1353731a7c9c8fa52d13f36c735cf8abada8a20
Opcode Fuzzy Hash: cbc8953d7d4b8dcb9b4ee82a4b2ca2b9f702201be4733a06482567f12a8bd0b8
Instruction Fuzzy Hash: F4313731A443059FEB26BA39F845B5AB7E9FF21324F264429E449D7191DF35AE808F20

Function 001B365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 001B369C
_wcslen.LIBCMT ref: 001B36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 001B3797
GetClassNameW.USER32(?,?,00000400), ref: 001B380C
GetDlgCtrlID.USER32(?), ref: 001B385D
GetWindowRect.USER32(?,?), ref: 001B3882
GetParent.USER32(?), ref: 001B38A0
ScreenToClient.USER32(00000000), ref: 001B38A7
GetClassNameW.USER32(?,?,00000100), ref: 001B3921
GetWindowTextW.USER32(?,?,00000400), ref: 001B395D

Strings

%s%u, xrefs: 001B3734

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: f49b697e359e1bf8c6b760f4312f1702e5f8174fcb141eb8e294881eec0fc782
Instruction ID: 562c0c7536aecb1dcd698c691e8e14177ee4be895276a20283c89927e1c7e8fe
Opcode Fuzzy Hash: f49b697e359e1bf8c6b760f4312f1702e5f8174fcb141eb8e294881eec0fc782
Instruction Fuzzy Hash: 2891D571204706EFD718DF64C885BEAF7A9FF44304F008619F9A9C6190DB30EA66CB91

Function 001B4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 001B4994
GetWindowTextW.USER32(?,?,00000400), ref: 001B49DA
_wcslen.LIBCMT ref: 001B49EB
CharUpperBuffW.USER32(?,00000000), ref: 001B49F7
_wcsstr.LIBVCRUNTIME ref: 001B4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 001B4A64
GetWindowTextW.USER32(?,?,00000400), ref: 001B4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 001B4AE6
GetClassNameW.USER32(?,?,00000400), ref: 001B4B20
GetWindowRect.USER32(?,?), ref: 001B4B8B

Strings

ThumbnailClass, xrefs: 001B4A6F, 001B4AF1

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 9cd126f3a8ba34633d5fcdcac3bec415d0629a81d1c515c0c1cf2553dcf46ca4
Instruction ID: cc9497b8ce8579cdc645bca5a38b5642e3ee7f90f4c532047cbef99853791775
Opcode Fuzzy Hash: 9cd126f3a8ba34633d5fcdcac3bec415d0629a81d1c515c0c1cf2553dcf46ca4
Instruction Fuzzy Hash: E691BE710042059FDB04DF14C981BEA7BE9FF98714F048469FE869A197DB30ED46CBA1

Function 001E8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00169BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00169BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 001E8D5A
GetFocus.USER32 ref: 001E8D6A
GetDlgCtrlID.USER32(00000000), ref: 001E8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 001E8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 001E8ECF
GetMenuItemCount.USER32(?), ref: 001E8EEC
GetMenuItemID.USER32(?,00000000), ref: 001E8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 001E8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 001E8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 001E8FA1

Strings

0, xrefs: 001E8E9F

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 69b41f540d9f0b3f38d1ef5c1f96b32bbda15a1285f7417b6b4e6de632e3e901
Instruction ID: c45843ab794cf28e3ca2c6b20b7e3a98d5764cf698e74d8457b828fa8b649385
Opcode Fuzzy Hash: 69b41f540d9f0b3f38d1ef5c1f96b32bbda15a1285f7417b6b4e6de632e3e901
Instruction Fuzzy Hash: CC81DE71508781AFDB10CF25DC84AAFBBE9FF98714F040919F99897291DB30D941CBA2

Function 001BDC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 001BDC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 001BDC46
_wcslen.LIBCMT ref: 001BDC50
_wcsstr.LIBVCRUNTIME ref: 001BDCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 001BDCBC

Strings

%u.%u.%u.%u, xrefs: 001BDD9A
DefaultLangCodepage, xrefs: 001BDD1F
04090000, xrefs: 001BDCF2
StringFileInfo\, xrefs: 001BDC8F
\VarFileInfo\Translation, xrefs: 001BDCB4

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 3581cb3cb7fd8517d2d8f70a419e67701a8459639dbc3c54c175066e8149de43
Instruction ID: 573a1c7742db07a980083406ea6a4360e2d3673ca6a105ebac4962167a778755
Opcode Fuzzy Hash: 3581cb3cb7fd8517d2d8f70a419e67701a8459639dbc3c54c175066e8149de43
Instruction Fuzzy Hash: 00412732940204BBDB08A7B5EC47EFF7BBCEF66750F104069F904A6182FB71991287A5

Function 001DCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 001DCC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 001DCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 001DCD48

Part of subcall function 001DCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 001DCCAA
Part of subcall function 001DCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 001DCCBD
Part of subcall function 001DCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 001DCCCF
Part of subcall function 001DCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 001DCD05
Part of subcall function 001DCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 001DCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 001DCCF3

Strings

advapi32.dll, xrefs: 001DCCB8
RegDeleteKeyExW, xrefs: 001DCCC9

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 774cda740f2d10a310b63a88f5e3ba1a871d8827ab1530984c51ba8b3999df5b
Instruction ID: dd7cd1413a60e28c124265ad56957fa8bff1d218fe38e6e5c8bc205270a94f93
Opcode Fuzzy Hash: 774cda740f2d10a310b63a88f5e3ba1a871d8827ab1530984c51ba8b3999df5b
Instruction Fuzzy Hash: BD316F7590112ABBDB208B94DC88EFFBBBDEF55750F000566F905E6240DB349A86DAE0

Function 001BE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 001BEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 001BEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001BEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 001BEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 001BEAA7

Strings

open , xrefs: 001BEA0C
play PlayMe wait, xrefs: 001BEA91
close PlayMe, xrefs: 001BEA6E, 001BEA9B
status PlayMe mode, xrefs: 001BEA58
alias PlayMe, xrefs: 001BEA36
play PlayMe, xrefs: 001BEAA2

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 11af39078d08963c8bb59741034ec8da517d853036a14d6f2b7fb986358719a4
Instruction ID: 02e5f37ec66adec7f56aed0b63ca405075908daf2cbc269bf4993a754cb72b87
Opcode Fuzzy Hash: 11af39078d08963c8bb59741034ec8da517d853036a14d6f2b7fb986358719a4
Instruction Fuzzy Hash: 7E115431A50259BAD710A7A1DC4ADFF6ABCEBE2B44F400429B821A70D1DF701999C5B0

Function 00168BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00168F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00168BE8,?,00000000,?,?,?,?,00168BBA,00000000,?), ref: 00168FC5

DestroyWindow.USER32(?), ref: 00168C81
KillTimer.USER32(00000000,?,?,?,?,00168BBA,00000000,?), ref: 00168D1B
DestroyAcceleratorTable.USER32(00000000), ref: 001A6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00168BBA,00000000,?), ref: 001A69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00168BBA,00000000,?), ref: 001A69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00168BBA,00000000), ref: 001A69D4
DeleteObject.GDI32(00000000), ref: 001A69E6

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 1ec6eda0ddf23a7c79e96976abe0e8ef65044d5ce10e54a59839f2161630bf14
Instruction ID: 2484baa8373aab9d9dfb2bdb719269d21726a97cca42459797a11b5def6ff1c9
Opcode Fuzzy Hash: 1ec6eda0ddf23a7c79e96976abe0e8ef65044d5ce10e54a59839f2161630bf14
Instruction Fuzzy Hash: 3161AA35502700EFCB359F64DD98B6AB7F1FB65316F145618E0429B960CB31A8E2CBA1

Function 00169838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00169944: GetWindowLongW.USER32(?,000000EB), ref: 00169952

GetSysColor.USER32(0000000F), ref: 00169862

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 1cff851c32d916beb631d83b3fc2ba3dc9246a1ca9c3076d36517eb0d2d4ddf5
Instruction ID: 1217693e04c5ee152832095e56ca4c860b89f30e4fe8b459753f5f3ee5dab72e
Opcode Fuzzy Hash: 1cff851c32d916beb631d83b3fc2ba3dc9246a1ca9c3076d36517eb0d2d4ddf5
Instruction Fuzzy Hash: 23419E31504684EFDB205F789C88BBA3BADAB47330F144619F9A28B1E1D7319D92DB50

Function 001E50D4 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 001E5186
ShowWindow.USER32(?,00000000), ref: 001E51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 001E51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 001E51D1

Part of subcall function 001E6FBA: DeleteObject.GDI32(00000000), ref: 001E6FE6

GetWindowLongW.USER32(?,000000F0), ref: 001E520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 001E521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 001E524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 001E5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 001E5296

Strings

@U=u, xrefs: 001E5186

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID: @U=u
API String ID: 3210457359-2594219639
Opcode ID: 9dba0700e5ccaf4e96dcd9072f219bf48a1f6cbef9c34d8f61afc09c4abdb25d
Instruction ID: 244c8ace9472afdb358f2c5fe20ab65c57c4035b10a20edc66d7e0a6973e05b4
Opcode Fuzzy Hash: 9dba0700e5ccaf4e96dcd9072f219bf48a1f6cbef9c34d8f61afc09c4abdb25d
Instruction Fuzzy Hash: 1F51B230A40E89FFEF249F66CC49BDD3B67EB15369F188011FA159A2E1C3719990DB41

Function 00168B06 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 001A6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 001A68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 001A68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 001A68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 001A68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00168874,00000000,00000000,00000000,000000FF,00000000), ref: 001A6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 001A691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00168874,00000000,00000000,00000000,000000FF,00000000), ref: 001A692D

Strings

@U=u, xrefs: 001A68F2, 001A691E

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID: @U=u
API String ID: 1268354404-2594219639
Opcode ID: b809d38f7904bdd02e0fd44cc2a41862e0ffb10893d197b789fa7a246a38eeea
Instruction ID: 23563d28ac4f9157639af88e1291395521a0c3b3e5e40ad5a8840b47bc7470ee
Opcode Fuzzy Hash: b809d38f7904bdd02e0fd44cc2a41862e0ffb10893d197b789fa7a246a38eeea
Instruction Fuzzy Hash: 0F5178B4600309EFDB24CF64CC95FAA7BB5FB58750F144618F9129B2A0DB70E9A1DB50

Function 001E8B02 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00169BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00169BB2

Part of subcall function 0016912D: GetCursorPos.USER32(?), ref: 00169141
Part of subcall function 0016912D: ScreenToClient.USER32(00000000,?), ref: 0016915E
Part of subcall function 0016912D: GetAsyncKeyState.USER32(00000001), ref: 00169183
Part of subcall function 0016912D: GetAsyncKeyState.USER32(00000002), ref: 0016919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 001E8B6B
ImageList_EndDrag.COMCTL32 ref: 001E8B71
ReleaseCapture.USER32 ref: 001E8B77
SetWindowTextW.USER32(?,00000000), ref: 001E8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 001E8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 001E8CFF

Strings

@GUI_DROPID, xrefs: 001E8C51
p#", xrefs: 001E8C71
@GUI_DRAGFILE, xrefs: 001E8C9A
@U=u, xrefs: 001E8C25

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$@U=u$p#"
API String ID: 1924731296-3786185933
Opcode ID: ca49e971a50f2841379c7f5aabf5fe6cf4e04699d7c8238b4dd3ab86d00b73bb
Instruction ID: 3e0c6a8953a3e9a0e06c11d54fddd6730b40579ecf740f71b3d06bee87feed5c
Opcode Fuzzy Hash: ca49e971a50f2841379c7f5aabf5fe6cf4e04699d7c8238b4dd3ab86d00b73bb
Instruction Fuzzy Hash: 2B51BA70104340AFD700DF54DC9AFAE77E4FB99714F000629F956AB2E1CB709959CBA2

Function 001B96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0019F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 001B9717
LoadStringW.USER32(00000000,?,0019F7F8,00000001), ref: 001B9720

Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0019F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 001B9742
LoadStringW.USER32(00000000,?,0019F7F8,00000001), ref: 001B9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 001B9866

Strings

^ ERROR, xrefs: 001B97FB
Line %d:, xrefs: 001B97A0
Line %d (File "%s"):, xrefs: 001B978F
Error: , xrefs: 001B981D
%s (%d) : ==> %s: %s %s, xrefs: 001B984A

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 07775679f9eceb9cbd448a33f2e32f5db73653377544a6551869989d4dcc3ba4
Instruction ID: e1f1c025bb7d0780bb62b89cdd62c2d3f49248572ed3d7e59db53190ad649068
Opcode Fuzzy Hash: 07775679f9eceb9cbd448a33f2e32f5db73653377544a6551869989d4dcc3ba4
Instruction Fuzzy Hash: ED413C7280021DEACF14EBE0DD86DEE7779AF25341F500065FA157A092EB356F49CBA1

Function 001B06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00156B57: _wcslen.LIBCMT ref: 00156B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 001B07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 001B07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 001B07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 001B0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 001B082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 001B0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 001B083C

Strings

SOFTWARE\Classes\, xrefs: 001B070E
\CLSID, xrefs: 001B0724
\IPC$, xrefs: 001B0784

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: ce4973bae295c3564bee1d718aa577c969757c4d9d284924b85acdc7af21c940
Instruction ID: 00c5535d042c9921350b5755f4c8305ec752e7450b33a897d962b13103482d21
Opcode Fuzzy Hash: ce4973bae295c3564bee1d718aa577c969757c4d9d284924b85acdc7af21c940
Instruction Fuzzy Hash: 57410772C1022DEBCF15EBA4DC958EEB7B8BF58350B444169F911AB161EB309E48CB90

Function 001D3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001D3C5C
CoInitialize.OLE32(00000000), ref: 001D3C8A
CoUninitialize.OLE32 ref: 001D3C94
_wcslen.LIBCMT ref: 001D3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 001D3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 001D3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 001D3F0E
CoGetObject.OLE32(?,00000000,001EFB98,?), ref: 001D3F2D
SetErrorMode.KERNEL32(00000000), ref: 001D3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001D3FC4
VariantClear.OLEAUT32(?), ref: 001D3FD8

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 55f4faa9a142e70f32f42ebb0e0f52a895ffb4ea349b9a57e24e70a7653eae97
Instruction ID: b3c89a55e26e99e775d534a3ae951f3c15edf3a68ddaa2239f9453e028731bee
Opcode Fuzzy Hash: 55f4faa9a142e70f32f42ebb0e0f52a895ffb4ea349b9a57e24e70a7653eae97
Instruction Fuzzy Hash: 08C133716082059FD700DF68C88496BB7E9FF89748F14491EF99A9B250D730EE46CB92

Function 001C7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 001C7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 001C7B8F
SHGetDesktopFolder.SHELL32(?), ref: 001C7BA3
CoCreateInstance.OLE32(001EFD08,00000000,00000001,00216E6C,?), ref: 001C7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 001C7C74
CoTaskMemFree.OLE32(?,?), ref: 001C7CCC
SHBrowseForFolderW.SHELL32(?), ref: 001C7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 001C7D7A
CoTaskMemFree.OLE32(00000000), ref: 001C7D81
CoTaskMemFree.OLE32(00000000), ref: 001C7DD6
CoUninitialize.OLE32 ref: 001C7DDC

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 84c731476429e10247393b4bfd1fe0a3c3f09f4f9d2c94f11bae515ef355ed2e
Instruction ID: 00f931a8079ca45e1618bee603a9d069ef4387307a83f7f701c2944ccce73a14
Opcode Fuzzy Hash: 84c731476429e10247393b4bfd1fe0a3c3f09f4f9d2c94f11bae515ef355ed2e
Instruction Fuzzy Hash: 2BC10975A04109EFCB14DFA4C884EAEBBF9FF58304B148499E81A9B661D770EE45CF90

Function 001AFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 001AFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 001AFB08
VariantInit.OLEAUT32(?), ref: 001AFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 001AFB3A
VariantCopy.OLEAUT32(?,?), ref: 001AFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 001AFBA1
VariantClear.OLEAUT32(?), ref: 001AFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 001AFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 001AFBCC
VariantClear.OLEAUT32(?), ref: 001AFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 001AFBE9

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 99fd3ee76717eb4a2f2eb8879ddc951686047fa752d5c48f2b3f37f4b27c3b3d
Instruction ID: 4afe7de2c2263cb75fbb847ad64e3d4d71254cd5f565be7edb3790a241e0ad45
Opcode Fuzzy Hash: 99fd3ee76717eb4a2f2eb8879ddc951686047fa752d5c48f2b3f37f4b27c3b3d
Instruction Fuzzy Hash: D5414175A00219DFCB04DFA8DC94DEEBBB9FF59344F008069F955AB661C730A946CBA0

Function 001D055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 001D05BC
inet_addr.WSOCK32(?), ref: 001D061C
gethostbyname.WSOCK32(?), ref: 001D0628
IcmpCreateFile.IPHLPAPI ref: 001D0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 001D06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 001D06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 001D07B9
WSACleanup.WSOCK32 ref: 001D07BF

Strings

Ping, xrefs: 001D0676

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 78a377e2af81a4b0ba1981d9bf8fbc739cdc66d415de26b7b072d80fdb7d1224
Instruction ID: 58194f9d0007fd674435a1c6157beaeea044071dd070097ae3f2063987b2d907
Opcode Fuzzy Hash: 78a377e2af81a4b0ba1981d9bf8fbc739cdc66d415de26b7b072d80fdb7d1224
Instruction Fuzzy Hash: F3918D35604241DFD321CF15D888F1ABBE0AF48318F1585AAE8A98F7A2C730ED85CF91

Function 001D8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 001D8CF3

Part of subcall function 001B8E54: _wcslen.LIBCMT ref: 001B8E77

_wcslen.LIBCMT ref: 001D8D4E
_wcslen.LIBCMT ref: 001D8D9C
_wcslen.LIBCMT ref: 001D8DDC
_wcslen.LIBCMT ref: 001D8E6E

Strings

stdcall, xrefs: 001D8DD6, 001D8DDB
winapi, xrefs: 001D8D96, 001D8D9B
cdecl, xrefs: 001D8D48, 001D8D4D
none, xrefs: 001D8E65, 001D8E6A

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 97e319cc1f4d1c63df0c3dc43182b8fd5bd714363d02bb423b07143cc3c0fd47
Instruction ID: 5f0982ae894e8238029aeefaaa77e074638e24d98e989f3428fa7595c8818f0b
Opcode Fuzzy Hash: 97e319cc1f4d1c63df0c3dc43182b8fd5bd714363d02bb423b07143cc3c0fd47
Instruction Fuzzy Hash: 2F518F31A005169BCB14DFACC9519BEB7B6BF64724B21422AE926EB3C5DB31DD40CB90

Function 001D372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 001D3774
CoUninitialize.OLE32 ref: 001D377F
CoCreateInstance.OLE32(?,00000000,00000017,001EFB78,?), ref: 001D37D9
IIDFromString.OLE32(?,?), ref: 001D384C
VariantInit.OLEAUT32(?), ref: 001D38E4
VariantClear.OLEAUT32(?), ref: 001D3936

Strings

NULL Pointer assignment, xrefs: 001D381E
Invalid parameter, xrefs: 001D3865
Failed to create object, xrefs: 001D37E4, 001D389A

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 9c83d2a611db53ae24541c2af9155f7269e934a0d7f53a395be7228d0851d08b
Instruction ID: a01d85e0f76755317210e505bc02e54ef19713a25eea21aaa94ba7c70586d895
Opcode Fuzzy Hash: 9c83d2a611db53ae24541c2af9155f7269e934a0d7f53a395be7228d0851d08b
Instruction Fuzzy Hash: CA61BD71608701AFD311DF54D889FAAB7E4AF59710F00090AF9A59B391D770EE49CB93

Function 00155BEA Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00155C7A

Part of subcall function 00155D0A: GetClientRect.USER32(?,?), ref: 00155D30
Part of subcall function 00155D0A: GetWindowRect.USER32(?,?), ref: 00155D71
Part of subcall function 00155D0A: ScreenToClient.USER32(?,?), ref: 00155D99

GetDC.USER32 ref: 001946F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00194708
SelectObject.GDI32(00000000,00000000), ref: 00194716
SelectObject.GDI32(00000000,00000000), ref: 0019472B
ReleaseDC.USER32(?,00000000), ref: 00194733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 001947C4

Strings

U, xrefs: 00194693
@U=u, xrefs: 00194708

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: @U=u$U
API String ID: 4009187628-4110099822
Opcode ID: 4709d1af2c0a1db88f00c5d80f646fae261bed71f98ea2bc973abc356df29a41
Instruction ID: 6498488b2e8d0f5ba0a78d6018628a6710811319da89850cd1f0c2fb30ad8ad8
Opcode Fuzzy Hash: 4709d1af2c0a1db88f00c5d80f646fae261bed71f98ea2bc973abc356df29a41
Instruction Fuzzy Hash: 4971E035400209DFCF29CFA4CD84EBA3BB6FF5A365F144269ED655A266C3319882DF60

Function 001C3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 001C33CF

Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 001C33F0

Strings

^ ERROR , xrefs: 001C349E
Line %d (File "%s"):, xrefs: 001C3443, 001C345C
Error: , xrefs: 001C34D1
"%s" (%d) : ==> %s:%s%s, xrefs: 001C3504
"%s" (%d) : ==> %s:, xrefs: 001C3522
Incorrect parameters to object property !, xrefs: 001C34AB

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 6a5fc522e87f8d07ba620d2940b296f8744c3dac040e03446c1db2ad1dcd9bc3
Instruction ID: 2f3be01a5cb4db2a74959dc6d7d2a698dab39e530f351fa7e56499b1aee0ab2f
Opcode Fuzzy Hash: 6a5fc522e87f8d07ba620d2940b296f8744c3dac040e03446c1db2ad1dcd9bc3
Instruction Fuzzy Hash: 2E517D32900209EADF14EBE0DD46EEEB3B9AF24341F104065F92576052EB316F99DB61

Function 001BB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 001BB5FC
_wcslen.LIBCMT ref: 001BB608
_wcslen.LIBCMT ref: 001BB64D
_wcslen.LIBCMT ref: 001BB68C
_wcslen.LIBCMT ref: 001BB6C7

Strings

REMOVE, xrefs: 001BB602, 001BB607
EXISTS, xrefs: 001BB686, 001BB68B
KEYS, xrefs: 001BB647, 001BB64C
APPEND, xrefs: 001BB6C1, 001BB6C6

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 5e61cc796b8e4d4dd46140f3a79dcc512ff5b9a6e0f3924c92c80154015e6503
Instruction ID: 7d84508857b8142904e97931d9160cb344dc29acd4ebfb873b12cc164c0e5ad0
Opcode Fuzzy Hash: 5e61cc796b8e4d4dd46140f3a79dcc512ff5b9a6e0f3924c92c80154015e6503
Instruction Fuzzy Hash: 2141E532A080269BCB206F7DCCD05FEB7B5AFB0758B254229E425DB684E771CD82C790

Function 001C5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001C53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 001C5416
GetLastError.KERNEL32 ref: 001C5420
SetErrorMode.KERNEL32(00000000,READY), ref: 001C54A7

Strings

READY, xrefs: 001C5460, 001C5468
READONLY, xrefs: 001C5452
INVALID, xrefs: 001C5459
UNKNOWN, xrefs: 001C5444
NOTREADY, xrefs: 001C544B

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 96bf70644df40201847325b98e59b23318903a3cf59f32ecd3435cd3864d6435
Instruction ID: 09da3bc0d98dc47d871e7cf9f78152a67f4f57bbabdeb86ccc921b447bb7e0ee
Opcode Fuzzy Hash: 96bf70644df40201847325b98e59b23318903a3cf59f32ecd3435cd3864d6435
Instruction Fuzzy Hash: 84317035A00504DFC718DF68D884FA97BB5EB65305F148059E805CF292EB71EDC6CB91

Function 001E2D03 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 001E2D1B
GetDC.USER32(00000000), ref: 001E2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 001E2D2E
ReleaseDC.USER32(00000000,00000000), ref: 001E2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 001E2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 001E2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,001E5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 001E2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 001E2DE1

Strings

@U=u, xrefs: 001E2D87, 001E2DE1

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID: @U=u
API String ID: 3864802216-2594219639
Opcode ID: a3777eac07b0b9a47bbecdd9593234ed874a199dd105b77f9ad4691d74c1b790
Instruction ID: afb106ebb2db59178556dfafee4bfa6ac45bd29c4be9e90473ad9daad599c3e4
Opcode Fuzzy Hash: a3777eac07b0b9a47bbecdd9593234ed874a199dd105b77f9ad4691d74c1b790
Instruction Fuzzy Hash: C4318B72201694BBEB118F958C8AFEB3BADFB49721F044055FE089E291C6759C81CBA0

Function 001B209F Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 001B20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 001B20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 001B214D

Strings

largeicons, xrefs: 001B20E1
details, xrefs: 001B20FB
SHELLDLL_DefView, xrefs: 001B20CC
list, xrefs: 001B212F
smallicons, xrefs: 001B2115
@U=u, xrefs: 001B214D

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: @U=u$SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-1428604138
Opcode ID: 9794a5faadf5d0027b5845e033ed6e04e597a550aa79247c64fcb5bc973b4163
Instruction ID: 5c76f2a68032a52c293b56e7d136ac733978ade2fbf1b443d5b427bb16202958
Opcode Fuzzy Hash: 9794a5faadf5d0027b5845e033ed6e04e597a550aa79247c64fcb5bc973b4163
Instruction Fuzzy Hash: 1A1159B668C316FAF6052224DC07CEB33ECCB25328B204056FB09E50D6FF7568965A54

Function 001E3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 001E3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 001E3AA0
GetWindowLongW.USER32(?,000000F0), ref: 001E3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 001E3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 001E3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 001E3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 001E3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 001E3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 001E3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 001E3C13

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: a272117b10d27682ed1aae2a90248ca6001dff02e0c67bf8b3ea85c3cb7579b7
Instruction ID: 04b3a16f3d4495431c7aa6e41ade9547e4e6684a0eed5e7b73af732561a361a7
Opcode Fuzzy Hash: a272117b10d27682ed1aae2a90248ca6001dff02e0c67bf8b3ea85c3cb7579b7
Instruction Fuzzy Hash: 22617D75900248AFDB20DFA8CC85EEE77F8EF09700F14419AFA15A72A1C770AE95DB50

Function 001BB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 001BB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,001BA1E1,?,00000001), ref: 001BB165
GetWindowThreadProcessId.USER32(00000000), ref: 001BB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,001BA1E1,?,00000001), ref: 001BB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 001BB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,001BA1E1,?,00000001), ref: 001BB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,001BA1E1,?,00000001), ref: 001BB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,001BA1E1,?,00000001), ref: 001BB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,001BA1E1,?,00000001), ref: 001BB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,001BA1E1,?,00000001), ref: 001BB21D

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 654c62a27570b78ee19c8b28fabfbcd65993d1b3a5e2c3037fdaaf554e8df0b6
Instruction ID: 2d175b4aff59a45bd72852dfd78aa8648763b920c98e66da49e93ea10a1f8351
Opcode Fuzzy Hash: 654c62a27570b78ee19c8b28fabfbcd65993d1b3a5e2c3037fdaaf554e8df0b6
Instruction Fuzzy Hash: 85318D75604204BFDB20DFA5ECC8FAE7BA9BB55311F104005FA11DA690D7B8AE428FB0

Function 00182C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00182C94

Part of subcall function 001829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0018D7D1,00000000,00000000,00000000,00000000,?,0018D7F8,00000000,00000007,00000000,?,0018DBF5,00000000), ref: 001829DE
Part of subcall function 001829C8: GetLastError.KERNEL32(00000000,?,0018D7D1,00000000,00000000,00000000,00000000,?,0018D7F8,00000000,00000007,00000000,?,0018DBF5,00000000,00000000), ref: 001829F0

_free.LIBCMT ref: 00182CA0
_free.LIBCMT ref: 00182CAB
_free.LIBCMT ref: 00182CB6
_free.LIBCMT ref: 00182CC1
_free.LIBCMT ref: 00182CCC
_free.LIBCMT ref: 00182CD7
_free.LIBCMT ref: 00182CE2
_free.LIBCMT ref: 00182CED
_free.LIBCMT ref: 00182CFB

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 95da1c031ee306122840be37cedad6da0b2b5c24fc6b2fc5828e86c81bcf99d8
Instruction ID: 0c113e094b7362c6eeb317cd355b9f83e54567ea10f099f10c4a71faef98aed4
Opcode Fuzzy Hash: 95da1c031ee306122840be37cedad6da0b2b5c24fc6b2fc5828e86c81bcf99d8
Instruction Fuzzy Hash: 0E119076900118AFCB02FF94D982CDD3BA9FF15354F8245A5FA489B222DB35EB509F90

Function 00151410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00151459
OleUninitialize.OLE32(?,00000000), ref: 001514F8
UnregisterHotKey.USER32(?), ref: 001516DD
DestroyWindow.USER32(?), ref: 001924B9
FreeLibrary.KERNEL32(?), ref: 0019251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0019254B

Strings

close all, xrefs: 00151454

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: f076bd34471dfd9eddebe0f8763b29e9ce8937d56044eb25967623fbfd39a413
Instruction ID: 82f84ae62a18c6b537ae1d07f9b465c31bb818a333fab6c1dc3d7db47daa79d0
Opcode Fuzzy Hash: f076bd34471dfd9eddebe0f8763b29e9ce8937d56044eb25967623fbfd39a413
Instruction Fuzzy Hash: B5D1BD31701212EFDB2AEF14D899B69F7A0BF15301F1541ADE85A6B252DB30EC16CF90

Function 001C359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 001C35E4

Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD

LoadStringW.USER32(00222390,?,00000FFF,?), ref: 001C360A

Strings

^ ERROR, xrefs: 001C36C9
Line %d (File "%s"):, xrefs: 001C366B
Error: , xrefs: 001C36EF
"%s" (%d) : ==> %s:%s%s, xrefs: 001C3724
"%s" (%d) : ==> %s:, xrefs: 001C3742

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: e9f64e08e91a61bc74b61bb196c326f267c8c0f2c3d1e7894a96ffb0451d0077
Instruction ID: 7853ff7d389bcda5a24bc83ca19cb1c897d87b501431a0cb87e1abdaa31dc9a3
Opcode Fuzzy Hash: e9f64e08e91a61bc74b61bb196c326f267c8c0f2c3d1e7894a96ffb0451d0077
Instruction Fuzzy Hash: 04518F72800209FACF14EBE0DC46EEEBB75AF24341F144169F525760A1EB315B99DFA1

Function 001E3886 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 001E3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 001E393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 001E3954
_wcslen.LIBCMT ref: 001E3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 001E39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 001E39F4

Strings

SysListView32, xrefs: 001E38F7
@U=u, xrefs: 001E3925, 001E393A

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: @U=u$SysListView32
API String ID: 2147712094-1908207174
Opcode ID: a135c13ea51f2964d0751807dc5f4ca7809efabed0c4a4e2975d80a924fa7936
Instruction ID: 9db0d4df2c00c80341ee16081c51dc1334948c9655e67df7deb285624b15314b
Opcode Fuzzy Hash: a135c13ea51f2964d0751807dc5f4ca7809efabed0c4a4e2975d80a924fa7936
Instruction Fuzzy Hash: 1241E371A00658ABEF219FA5CC49FEE7BA9EF18354F100126F958E7281D3719E90CB90

Function 001E2DFD Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 001E2E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 001E2E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 001E2E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 001E2EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 001E2EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 001E2EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 001E2F0B

Strings

@U=u, xrefs: 001E2E1C, 001E2EB6, 001E2EE0

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID: @U=u
API String ID: 2178440468-2594219639
Opcode ID: f7137c6276b2d57230518f611f7896d7d5b5296c6f3e617d9a52161d17c3f965
Instruction ID: 43202794b62cd06218753f4d3c693f5e34e20336130b2ecdf1239d843a037169
Opcode Fuzzy Hash: f7137c6276b2d57230518f611f7896d7d5b5296c6f3e617d9a52161d17c3f965
Instruction Fuzzy Hash: 7B3108316046A0AFDB21CF99DC98FA937E9FB5A710F1911A4F9009F2B1CB71AC91DB41

Function 001CC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 001CC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001CC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 001CC2CA
GetLastError.KERNEL32 ref: 001CC322
SetEvent.KERNEL32(?), ref: 001CC336
InternetCloseHandle.WININET(00000000), ref: 001CC341

Strings

, xrefs: 001CC2BB

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: a299f9cefe0df17a29c746ef53ee6a913507f031fa5333c2c3f3b005b0f1d451
Instruction ID: f663a7b71e98c8daa85890c1a540bafe6b9a7abfa7ca6c5661b1e4a7fbc249f9
Opcode Fuzzy Hash: a299f9cefe0df17a29c746ef53ee6a913507f031fa5333c2c3f3b005b0f1d451
Instruction Fuzzy Hash: 80319AB1A00248AFD7219FA49C88FAF7BFCFB69740B14851EF44A96601DB30DD458BE1

Function 001B989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00193AAF,?,?,Bad directive syntax error,001ECC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 001B98BC
LoadStringW.USER32(00000000,?,00193AAF,?), ref: 001B98C3

Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 001B9987

Strings

., xrefs: 001B996D
%s (%d) : ==> %s.: %s %s, xrefs: 001B98F1
Line %d:, xrefs: 001B9912
Line %d (File "%s"):, xrefs: 001B992D
Error: , xrefs: 001B9955

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 39965538e7b23d88cf2ac8935ea87e5b1c1ce7af96eaf0a754247893b8fdd816
Instruction ID: 4f2232bbc9713799403ba3055ec96d59f5f482d8336c8012b1ae1e8af6dc32bb
Opcode Fuzzy Hash: 39965538e7b23d88cf2ac8935ea87e5b1c1ce7af96eaf0a754247893b8fdd816
Instruction Fuzzy Hash: CA21B131C0021EEBCF15AF90CC0AEEE7775FF29305F044469F9256A0A2EB319668DB51

Function 00188D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 166d44584bb2a3a6ae2c315804138d004fc902f27391e7d01e07fc3301890a7c
Instruction ID: 59b25734382bd75dfe965338c452cb5e218d0faaa72605c97b3ccbbd90172988
Opcode Fuzzy Hash: 166d44584bb2a3a6ae2c315804138d004fc902f27391e7d01e07fc3301890a7c
Instruction Fuzzy Hash: 56C1D474904249AFDB21EFE8D845BBDBBB4AF19310F184199F518A7392CB349A42CF61

Function 0018CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0018CEB7
_free.LIBCMT ref: 0018CF22
_free.LIBCMT ref: 0018CF48
_free.LIBCMT ref: 0018CF71
_free.LIBCMT ref: 0018CFA9
_free.LIBCMT ref: 0018CFDA
_free.LIBCMT ref: 0018D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0018D09C
_free.LIBCMT ref: 0018D0B5

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 408e595874bac4fda830896a4a0ac5d23494275c2e9c3dc60631131270869f7a
Instruction ID: eb05ad79db7cda97b2499ddfc2d2978f60a8ebdad785d0a0874c8060534e4d5e
Opcode Fuzzy Hash: 408e595874bac4fda830896a4a0ac5d23494275c2e9c3dc60631131270869f7a
Instruction Fuzzy Hash: 3A616971904311AFEF32BFB4A885A6A7BA5EF11310F15416EFA4497282D7319F028FE0

Function 001CC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 001CC182
GetLastError.KERNEL32 ref: 001CC195
SetEvent.KERNEL32(?), ref: 001CC1A9

Part of subcall function 001CC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 001CC272
Part of subcall function 001CC253: GetLastError.KERNEL32 ref: 001CC322
Part of subcall function 001CC253: SetEvent.KERNEL32(?), ref: 001CC336
Part of subcall function 001CC253: InternetCloseHandle.WININET(00000000), ref: 001CC341

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: d8deb1957c58f06fecd4321a1dbf19ffd959cb8d525f61751e650bf6b2231cdc
Instruction ID: 25cae97be8119d56c23748b4a9aa0add55b2472566ab07a1cd5b4c9dbfc4242b
Opcode Fuzzy Hash: d8deb1957c58f06fecd4321a1dbf19ffd959cb8d525f61751e650bf6b2231cdc
Instruction Fuzzy Hash: BC317A71600645AFDB219FE5DC44F6ABBF9FF28300B04441DF95A86A10D730EC559BE0

Function 001B25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 001B3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 001B3A57
Part of subcall function 001B3A3D: GetCurrentThreadId.KERNEL32 ref: 001B3A5E
Part of subcall function 001B3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001B25B3), ref: 001B3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 001B25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 001B25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 001B25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 001B25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 001B2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 001B2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 001B260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 001B2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 001B2627

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: c65987e5c2d811c1baad515b5560ecf26abb241ecc88b76545e4857b9323a341
Instruction ID: b43eff342e9c73de3b9872ca5f6e660d22253134738b3947eeb015e9637f06dc
Opcode Fuzzy Hash: c65987e5c2d811c1baad515b5560ecf26abb241ecc88b76545e4857b9323a341
Instruction Fuzzy Hash: BA01D830390250BBFB1067A99CCAFD93F59DB5EB12F100011F314AF1D1CAF114858AA9

Function 001B1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,001B1449,?,?,00000000), ref: 001B180C
HeapAlloc.KERNEL32(00000000,?,001B1449,?,?,00000000), ref: 001B1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,001B1449,?,?,00000000), ref: 001B1828
GetCurrentProcess.KERNEL32(?,00000000,?,001B1449,?,?,00000000), ref: 001B1830
DuplicateHandle.KERNEL32(00000000,?,001B1449,?,?,00000000), ref: 001B1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,001B1449,?,?,00000000), ref: 001B1843
GetCurrentProcess.KERNEL32(001B1449,00000000,?,001B1449,?,?,00000000), ref: 001B184B
DuplicateHandle.KERNEL32(00000000,?,001B1449,?,?,00000000), ref: 001B184E
CreateThread.KERNEL32(00000000,00000000,001B1874,00000000,00000000,00000000), ref: 001B1868

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 77764c59e3e4698007a99c9d2c179cb6a73aba88014122f389d4bd1131be896f
Instruction ID: 5aaefe370039c895dcac839bfbf80743a51b81909f3c5b68d74561d24ab566c4
Opcode Fuzzy Hash: 77764c59e3e4698007a99c9d2c179cb6a73aba88014122f389d4bd1131be896f
Instruction Fuzzy Hash: D301BBB5240348FFE710ABA5DC8DF6B3BACEB89B11F414411FA05DF5A1CA709841CB60

Function 001DA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 001BD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 001BD501
Part of subcall function 001BD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 001BD50F
Part of subcall function 001BD4DC: CloseHandle.KERNEL32(00000000), ref: 001BD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 001DA16D
GetLastError.KERNEL32 ref: 001DA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 001DA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 001DA268
GetLastError.KERNEL32(00000000), ref: 001DA273
CloseHandle.KERNEL32(00000000), ref: 001DA2C4

Strings

SeDebugPrivilege, xrefs: 001DA18F

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 1d85f2412a1624c35d63f182410d6e6fb2cad18fdb0bf258e654341f79e88175
Instruction ID: ec99e688dc56277af0985ba8bf64f683c6444608c4532f39bcc007c735729e7f
Opcode Fuzzy Hash: 1d85f2412a1624c35d63f182410d6e6fb2cad18fdb0bf258e654341f79e88175
Instruction Fuzzy Hash: E6618C312042429FD714DF19C894F1ABBE1AF54318F58849DE8668FBA2C772ED49CBD2

Function 001E81DB Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,001AF3AB,00000000,?,?,00000000,?,001A682C,00000004,00000000,00000000), ref: 001E824C
EnableWindow.USER32(00000000,00000000), ref: 001E8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 001E82D1
ShowWindow.USER32(00000000,00000004), ref: 001E82E5
EnableWindow.USER32(00000000,00000001), ref: 001E830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 001E832F

Strings

@U=u, xrefs: 001E832F

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID: @U=u
API String ID: 642888154-2594219639
Opcode ID: 5f6f30066f2ed0836497ab1acaa18070f89960b560cc21f93387ad9b6bf64ce7
Instruction ID: cca08732221f6631991a18f305139e08a607bd0108c0290c16858dab09530b92
Opcode Fuzzy Hash: 5f6f30066f2ed0836497ab1acaa18070f89960b560cc21f93387ad9b6bf64ce7
Instruction Fuzzy Hash: 8741B730601A85AFDB25CF56DC99FEC7BF1BB0A714F185165E60C5F262C7329892CB50

Function 001B4C7D Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 001B4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 001B4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 001B4CEA
_wcslen.LIBCMT ref: 001B4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 001B4D10
_wcsstr.LIBVCRUNTIME ref: 001B4D1A

Strings

@U=u, xrefs: 001B4CB2, 001B4CEA

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID: @U=u
API String ID: 72514467-2594219639
Opcode ID: cee15eeaca1a677cfd90efffe201e25e3d80e02e3df64877fbd9764a2461fc70
Instruction ID: 742ff14f090db849000eaef8a71943afa85fa0da5945b6a5960d49622edf07c3
Opcode Fuzzy Hash: cee15eeaca1a677cfd90efffe201e25e3d80e02e3df64877fbd9764a2461fc70
Instruction Fuzzy Hash: F821D7726042407BEB155B69AC49EBF7FA8DF59750F11C02DF805CA192DB61DC4196A0

Function 001BC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 001BC913

Strings

stop, xrefs: 001BC8E4
info, xrefs: 001BC8B4
warning, xrefs: 001BC8FC
blank, xrefs: 001BC895
question, xrefs: 001BC8CC

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 2c514eccabfc15adf1696b9e52baa5edfa602c58915372d3cc96f08d92bc6db4
Instruction ID: f98782c61d5c66b75660f51c44c93885ee7c5e7323db40f275ea99c727471dd4
Opcode Fuzzy Hash: 2c514eccabfc15adf1696b9e52baa5edfa602c58915372d3cc96f08d92bc6db4
Instruction Fuzzy Hash: 85112732689307BBB7049B549C83CEE67ECDF66328B20402EF504E61C2E7A05E4152E4

Function 001A7439 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 001A7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 001A7469
GetWindowDC.USER32(?), ref: 001A7475
GetPixel.GDI32(00000000,?,?), ref: 001A7484
ReleaseDC.USER32(?,00000000), ref: 001A7496
GetSysColor.USER32(00000005), ref: 001A74B0

Strings

@U=u, xrefs: 001A7469

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID: @U=u
API String ID: 272304278-2594219639
Opcode ID: 1dd899051d4d56dabb49643fdd02a47a7a83219362e87867ca21e9a0695880b8
Instruction ID: 21c2492fb191562cf68c09642062bb26093381affaf7d2154fb6c6b33d76eeba
Opcode Fuzzy Hash: 1dd899051d4d56dabb49643fdd02a47a7a83219362e87867ca21e9a0695880b8
Instruction Fuzzy Hash: 9B018B31500255EFDB105FA4DC48BEEBBB6FF48311F110064F926A65A0CB311E92AB90

Function 001BED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 001BED2A
_wcslen.LIBCMT ref: 001BED3B
_wcslen.LIBCMT ref: 001BED79
_wcslen.LIBCMT ref: 001BEDAF
_wcslen.LIBCMT ref: 001BEDDF
_wcslen.LIBCMT ref: 001BEDEF
_wcslen.LIBCMT ref: 001BEE2B
_wcslen.LIBCMT ref: 001BEE5A

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: bfab4b97eef427081d69d092a41d3d82759b8c6cce71aa5053466bf0277e0a68
Instruction ID: 19010e2562ae34a959a41287c8e3916f8784c6c51ea4b9a37a15ce89ceb5bf6a
Opcode Fuzzy Hash: bfab4b97eef427081d69d092a41d3d82759b8c6cce71aa5053466bf0277e0a68
Instruction Fuzzy Hash: 8F41B065D1021876CB11EBF48C8A9CFB7B8AF59310F50C566E618E3122FB34E245C3A6

Function 0016F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,001A682C,00000004,00000000,00000000), ref: 0016F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,001A682C,00000004,00000000,00000000), ref: 001AF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,001A682C,00000004,00000000,00000000), ref: 001AF454

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 7a16cacc49351f64e96d44e49f461ab8a1d69b1c8b16faf67282470e9b96f0fa
Instruction ID: e94ceb3c56ffcf0ba9b214efb9f8b4485fb1dc5b55187ef507d9665cf6d71f23
Opcode Fuzzy Hash: 7a16cacc49351f64e96d44e49f461ab8a1d69b1c8b16faf67282470e9b96f0fa
Instruction Fuzzy Hash: 4A410935608780BAD73D8B69AC8872A7BA2AF5631CF15443CF09756661C731A8D3C751

Function 001B5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 001B5637
_memcmp.LIBVCRUNTIME ref: 001B5659
_memcmp.LIBVCRUNTIME ref: 001B5671
_memcmp.LIBVCRUNTIME ref: 001B5684
_memcmp.LIBVCRUNTIME ref: 001B569E
_memcmp.LIBVCRUNTIME ref: 001B56B1
_memcmp.LIBVCRUNTIME ref: 001B56C9
_memcmp.LIBVCRUNTIME ref: 001B56E4

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: c8b9c143c3571e2200eac6c3bafb2ce8a2e75001a987776ff9b8f08d8493fb09
Instruction ID: 682f8180fb140e0e32a4be302102a355d1615436a367aa8c72d12408b50f7651
Opcode Fuzzy Hash: c8b9c143c3571e2200eac6c3bafb2ce8a2e75001a987776ff9b8f08d8493fb09
Instruction Fuzzy Hash: C5219571B40E0977E31857259D82FFE336FAF34398F644024FD099A581FB60EE1182A5

Function 001D4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 001D502E, 001D5383
Not an Object type, xrefs: 001D5007

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: d91178330ba2fb5ba01fc2a222b6a7a65cc7ecf98f7459478060dddeed2e0d91
Instruction ID: 3560b28db44aeef5e7eabe52e4c8c202c8b89c5d13e623014a1a6dceb9ec4828
Opcode Fuzzy Hash: d91178330ba2fb5ba01fc2a222b6a7a65cc7ecf98f7459478060dddeed2e0d91
Instruction Fuzzy Hash: B0D1A375A0060AAFDF14CF98C881FAEB7B6BF58344F14816AE915AB381D770DD45CB90

Function 00191522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,001917FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 001915CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,001917FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00191651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,001917FB,?,001917FB,00000000,00000000,?,00000000,?,?,?,?), ref: 001916E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,001917FB,00000000,00000000,?,00000000,?,?,?,?), ref: 001916FB

Part of subcall function 00183820: RtlAllocateHeap.NTDLL(00000000,?,00221444,?,0016FDF5,?,?,0015A976,00000010,00221440,001513FC,?,001513C6,?,00151129), ref: 00183852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,001917FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00191777
__freea.LIBCMT ref: 001917A2
__freea.LIBCMT ref: 001917AE

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 5049ad808e388f8e04065e17c1c95628c894ec8347da765511675c85cfeac180
Instruction ID: 810b5fdb06090c8d00c7f64b38a95847b10edb0fcfd4a2fd07fd7a2f8f47280d
Opcode Fuzzy Hash: 5049ad808e388f8e04065e17c1c95628c894ec8347da765511675c85cfeac180
Instruction Fuzzy Hash: 6691C672E00217BAEF258EB4CC81AEE7BB5AF5A710F1A4659E901E7141D735DDC0CBA0

Function 001D4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001D4648
VariantInit.OLEAUT32(?), ref: 001D4749
VariantClear.OLEAUT32(?), ref: 001D4753
VariantClear.OLEAUT32(?), ref: 001D47B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 001D472C
Null Object assignment in FOR..IN loop, xrefs: 001D45D8, 001D4706, 001D47BE

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 84e506e87f11ce5fe6901b02b7801def96bf9eab631eb17b97be38c956542bea
Instruction ID: 57a0338dcf22794d1dad4bf5452eefe52044abafc1237a82b094850b477e9130
Opcode Fuzzy Hash: 84e506e87f11ce5fe6901b02b7801def96bf9eab631eb17b97be38c956542bea
Instruction Fuzzy Hash: D8919E71A00219ABDF24CFA5DC88FEEBBB8EF56714F10855AF515AB280D7709941CFA0

Function 001C1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 001C125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 001C1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 001C12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001C12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001C135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001C13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001C1430

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 37deaaf7445836110204608e4ccc5909ca66d924053c45b9db65abdb52682a7f
Instruction ID: 5adb90f8b5bb69ad778708e3e2fd8a1adf3db86139209ecab48879971ab4994a
Opcode Fuzzy Hash: 37deaaf7445836110204608e4ccc5909ca66d924053c45b9db65abdb52682a7f
Instruction Fuzzy Hash: A791CE76A40218AFDB059FA4C885FAEB7B5FF66315F204029E910EB292D774E941CB90

Function 0016948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: f8768f430eebdfdda10ec9d8c8cfe4aae5b670a84d9c746c21577591209478ba
Instruction ID: ef8d196e12e32cea5d0e1c3bcd1193507a7d2b171d7817dbc55942b3080245ad
Opcode Fuzzy Hash: f8768f430eebdfdda10ec9d8c8cfe4aae5b670a84d9c746c21577591209478ba
Instruction Fuzzy Hash: 6C913975D00219EFCB14CFA9CC84AEEBBB8FF49320F14415AE516B7251D774AA52CBA0

Function 001D3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001D396B
CharUpperBuffW.USER32(?,?), ref: 001D3A7A
_wcslen.LIBCMT ref: 001D3A8A
VariantClear.OLEAUT32(?), ref: 001D3C1F

Part of subcall function 001C0CDF: VariantInit.OLEAUT32(00000000), ref: 001C0D1F
Part of subcall function 001C0CDF: VariantCopy.OLEAUT32(?,?), ref: 001C0D28
Part of subcall function 001C0CDF: VariantClear.OLEAUT32(?), ref: 001C0D34

Strings

AUTOIT.ERROR, xrefs: 001D3A80, 001D3A85
Incorrect Parameter format, xrefs: 001D39A6, 001D3BA1

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 9bf0180688d7809b7bb7f7e56f34186ac30b5bffe8493baf72671841bae5ca96
Instruction ID: d59f9b4b4d00e01cb4ea84a3029495dd67bd2261d3ee5dee213dc65927c66740
Opcode Fuzzy Hash: 9bf0180688d7809b7bb7f7e56f34186ac30b5bffe8493baf72671841bae5ca96
Instruction Fuzzy Hash: 889146756083059FC704DF68C48196AB7E4FF99314F14892EF8A99B351DB30EE4ACB92

Function 001D4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 001B000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,001AFF41,80070057,?,?,?,001B035E), ref: 001B002B
Part of subcall function 001B000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001AFF41,80070057,?,?), ref: 001B0046
Part of subcall function 001B000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001AFF41,80070057,?,?), ref: 001B0054
Part of subcall function 001B000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001AFF41,80070057,?), ref: 001B0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 001D4C51
_wcslen.LIBCMT ref: 001D4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 001D4DCF
CoTaskMemFree.OLE32(?), ref: 001D4DDA

Strings

NULL Pointer assignment, xrefs: 001D4E23, 001D4E52

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: a28cd172c980bb7c2b72dfe04b3e9b985ea876434fb7076bf28810a20e567230
Instruction ID: 497e6a480804c7b526e933b0ee2296550c55920cdd8f40c58cd4bd61804da7a2
Opcode Fuzzy Hash: a28cd172c980bb7c2b72dfe04b3e9b985ea876434fb7076bf28810a20e567230
Instruction Fuzzy Hash: AD912871D0021DEFDF14DFA4D890AEEB7B9BF18300F10856AE915AB251EB349A45CFA0

Function 001E20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 001E2183
GetMenuItemCount.USER32(00000000), ref: 001E21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 001E21DD
_wcslen.LIBCMT ref: 001E2213
GetMenuItemID.USER32(?,?), ref: 001E224D
GetSubMenu.USER32(?,?), ref: 001E225B

Part of subcall function 001B3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 001B3A57
Part of subcall function 001B3A3D: GetCurrentThreadId.KERNEL32 ref: 001B3A5E
Part of subcall function 001B3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001B25B3), ref: 001B3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 001E22E3

Part of subcall function 001BE97B: Sleep.KERNEL32 ref: 001BE9F3

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 3500e59f7c6670c9905743ea900ec8019da52bed516b3d2a4691e735b5d06406
Instruction ID: 6abf312e980f005740193208f491d0deae66b1fa474671bff13df6a85d3f70ab
Opcode Fuzzy Hash: 3500e59f7c6670c9905743ea900ec8019da52bed516b3d2a4691e735b5d06406
Instruction Fuzzy Hash: 6C71AE35A00645AFCB14DFA5C891AAEB7F9FF88310F158459E916EB341D734AE42CB90

Function 001BAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 001BAEF9
GetKeyboardState.USER32(?), ref: 001BAF0E
SetKeyboardState.USER32(?), ref: 001BAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 001BAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 001BAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 001BAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 001BB020

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 786c580ce47c0f453a70814c55d2e0c58b5650b15826ce62ce52383e5c87b576
Instruction ID: dac5de2974aca9ccb496804d4b9a7f551d9fde4a4f99d0f320c6b5ec96ce985f
Opcode Fuzzy Hash: 786c580ce47c0f453a70814c55d2e0c58b5650b15826ce62ce52383e5c87b576
Instruction Fuzzy Hash: AF5190A06086D53DFB3652348C85BFBBEA95F06304F088589F1D9958C2D3D9ECC8D751

Function 001BACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 001BAD19
GetKeyboardState.USER32(?), ref: 001BAD2E
SetKeyboardState.USER32(?), ref: 001BAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 001BADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 001BADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 001BAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 001BAE38

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: e489662e0194fa4dc151e090ed9b9a636defc6ab207cb37ed695ea6895ba3db1
Instruction ID: b387c0bd654c96bad5cc1972d8742514232456cafa250787bba7d2ce5f0491fc
Opcode Fuzzy Hash: e489662e0194fa4dc151e090ed9b9a636defc6ab207cb37ed695ea6895ba3db1
Instruction Fuzzy Hash: D751E4A15487D53DFB378374CC95BFABEA96F46300F488588E1D54A8C2D394EC88D7A2

Function 0018542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00193CD6,?,?,?,?,?,?,?,?,00185BA3,?,?,00193CD6,?,?), ref: 00185470
__fassign.LIBCMT ref: 001854EB
__fassign.LIBCMT ref: 00185506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00193CD6,00000005,00000000,00000000), ref: 0018552C
WriteFile.KERNEL32(?,00193CD6,00000000,00185BA3,00000000,?,?,?,?,?,?,?,?,?,00185BA3,?), ref: 0018554B
WriteFile.KERNEL32(?,?,00000001,00185BA3,00000000,?,?,?,?,?,?,?,?,?,00185BA3,?), ref: 00185584

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 1d5916ab0e68bb1553ee2df6cfac5778df7a8bc65b6980f6f076bf363dcf3b42
Instruction ID: dbde87495da6e2d9df10f0ebd46500292045b2dffb53d838f70d18f6778a6993
Opcode Fuzzy Hash: 1d5916ab0e68bb1553ee2df6cfac5778df7a8bc65b6980f6f076bf363dcf3b42
Instruction Fuzzy Hash: 87519F71A00649AFDB11DFA8D885AEEBBFAEF09300F14415AF955E7291E7309B41CF60

Function 001E6B76 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 001E6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 001E6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 001E6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,001CAB79,00000000,00000000), ref: 001E6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 001E6CC7

Strings

@U=u, xrefs: 001E6C73

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID: @U=u
API String ID: 3688381893-2594219639
Opcode ID: 9a7d9f05e04da60fdc43c99a4b5471cb8341ddb7ae7ae70d8a2750c2954d00bf
Instruction ID: 8bde7ba1e71ddbf6e67be9aae008adb3258c26e98a2492320cafce4b546be42b
Opcode Fuzzy Hash: 9a7d9f05e04da60fdc43c99a4b5471cb8341ddb7ae7ae70d8a2750c2954d00bf
Instruction Fuzzy Hash: 8741F735600584AFD724CF6ACC98FAD7BA5EB19390F650228FC99A73E0C371ED41CA80

Function 00172D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00172D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00172D53
_ValidateLocalCookies.LIBCMT ref: 00172DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00172E0C
_ValidateLocalCookies.LIBCMT ref: 00172E61

Strings

csm, xrefs: 00172DF6

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 0557981be209ae9319fdff673b4b2b91529861c63093b03076ed0b93eef9aebd
Instruction ID: 477094b1e5a97a89e4be78ca1f042e6d51c198d0134c82dffcc25e615776d1cc
Opcode Fuzzy Hash: 0557981be209ae9319fdff673b4b2b91529861c63093b03076ed0b93eef9aebd
Instruction Fuzzy Hash: 7741A234E00209ABCF20DFA8C855A9EBBB5BF58324F14C155E91C6B352D731EA42CB91

Function 001D10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 001D304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 001D307A
Part of subcall function 001D304E: _wcslen.LIBCMT ref: 001D309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 001D1112
WSAGetLastError.WSOCK32 ref: 001D1121
WSAGetLastError.WSOCK32 ref: 001D11C9
closesocket.WSOCK32(00000000), ref: 001D11F9

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: cf86a321b6baff0bdfecc682bbd388cb8f7aba57d0507fac539f2506e8293487
Instruction ID: 5d46c9ce26849d8d226e5e75222893cc1dfccead930eb3cead6aa1fa482eb0b6
Opcode Fuzzy Hash: cf86a321b6baff0bdfecc682bbd388cb8f7aba57d0507fac539f2506e8293487
Instruction Fuzzy Hash: 9441CE31600214BFDB109F68DC85BAABBAAEF45324F14805AFD159F392C770AD85CBE1

Function 001BCF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 001BDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,001BCF22,?), ref: 001BDDFD

Part of subcall function 001BDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,001BCF22,?), ref: 001BDE16

lstrcmpiW.KERNEL32(?,?), ref: 001BCF45
MoveFileW.KERNEL32(?,?), ref: 001BCF7F
_wcslen.LIBCMT ref: 001BD005
_wcslen.LIBCMT ref: 001BD01B
SHFileOperationW.SHELL32(?), ref: 001BD061

Strings

\*.*, xrefs: 001BCFF3

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 498f723e600a20c9f3c0da4c6ae20294d5661e1085d0a10c8c94b42e79f0e870
Instruction ID: 7a6d321314dcc24ece057635c3078f6289e0fde1407336d2bcc319d23819d719
Opcode Fuzzy Hash: 498f723e600a20c9f3c0da4c6ae20294d5661e1085d0a10c8c94b42e79f0e870
Instruction Fuzzy Hash: EF4149719452199FDF16EFA4DD81AEE77F9AF18340F1000EAE509EB141EB34A689CB50

Function 001B7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001B7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001B778F
SysAllocString.OLEAUT32(00000000), ref: 001B7792
SysAllocString.OLEAUT32(?), ref: 001B77B0
SysFreeString.OLEAUT32(?), ref: 001B77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 001B77DE
SysAllocString.OLEAUT32(?), ref: 001B77EC

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: efd6c78ac88b345915a60702542b5cdb66d1500a0b997533887a722ea37249cf
Instruction ID: cb906dba4ee217f17cb50b36e21795b3167de9c0b65025e98744507b7e5a2b72
Opcode Fuzzy Hash: efd6c78ac88b345915a60702542b5cdb66d1500a0b997533887a722ea37249cf
Instruction Fuzzy Hash: E4218E76604259AFDB10EFA8DC88CFB77ACEB49764B148425FA15DB190DB70DC8287A0

Function 001B77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001B7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001B7868
SysAllocString.OLEAUT32(00000000), ref: 001B786B
SysAllocString.OLEAUT32 ref: 001B788C
SysFreeString.OLEAUT32 ref: 001B7895
StringFromGUID2.OLE32(?,?,00000028), ref: 001B78AF
SysAllocString.OLEAUT32(?), ref: 001B78BD

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: f3690d2f1f96ff583225c80a498cc6f428441317869be394eb067ceb4fbaed9e
Instruction ID: f5bbfd388f81a2a7d1f77b45d8f07e63d5060fe6299f6363995339b153d9a049
Opcode Fuzzy Hash: f3690d2f1f96ff583225c80a498cc6f428441317869be394eb067ceb4fbaed9e
Instruction Fuzzy Hash: 5C214135608204AFDB109FF8DC88DAA77ECEB497607118125F915CB2E1D774DC82CB64

Function 001E5706 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 001E5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 001E579D
_wcslen.LIBCMT ref: 001E57AF
_wcslen.LIBCMT ref: 001E57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 001E5816

Strings

@U=u, xrefs: 001E5745, 001E579D, 001E5816

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID: @U=u
API String ID: 763830540-2594219639
Opcode ID: 483fbff1a91d98e8a25715c84f16fb7f69900c74e6250a69d474c852f9994732
Instruction ID: eb62fbbe09eb0fbf4546a175201c600512fb0a6b3e4760f3f22ee9e8a4d0a58c
Opcode Fuzzy Hash: 483fbff1a91d98e8a25715c84f16fb7f69900c74e6250a69d474c852f9994732
Instruction Fuzzy Hash: 8021A531D04A989ADB208FA1CC84AEE7BB9FF14328F148216E919EB1C1E7708985CF50

Function 001C04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 001C04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 001C052E

Strings

nul, xrefs: 001C0567

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: f2b1110ed284eba0a4c570e5795ea07994b71ffdff7ce92f006843478f2dd7c7
Instruction ID: 17f9f21cde42401f42a5918665583ef1816dec9b1ca6d7bf3b88edd325880499
Opcode Fuzzy Hash: f2b1110ed284eba0a4c570e5795ea07994b71ffdff7ce92f006843478f2dd7c7
Instruction Fuzzy Hash: 88218B70500345EFCF218F68DC44F9A7BA4AF69724F204A1CE8A1D62E0D770D981CF60

Function 001C05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 001C05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 001C0601

Strings

nul, xrefs: 001C0639

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: f6686247d817808ab471dd7bd956ee89a994200f721d1f5ca1d488c6ea65df39
Instruction ID: b46ab60be6f027d9cb72d937c48068b8a0203cb22c03c77b3bffcc88db29af56
Opcode Fuzzy Hash: f6686247d817808ab471dd7bd956ee89a994200f721d1f5ca1d488c6ea65df39
Instruction Fuzzy Hash: 56217175500325DBDB219F698C44F9A77E4BFA9720F200A1DE9A1E72D0D770D8A1CB50

Function 001E40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0015600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0015604C
Part of subcall function 0015600E: GetStockObject.GDI32(00000011), ref: 00156060
Part of subcall function 0015600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0015606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 001E4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 001E411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 001E412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 001E4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 001E4145

Strings

Msctls_Progress32, xrefs: 001E40E3

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 88281d5183de89c9579b2907bcb0cdaf2ec05bac6c18a2bbe1e285c695779c11
Instruction ID: 3af6deb1c6b9e997a32f805ed98ea598e133ac3b3ad986c9a2aa0f468f19b244
Opcode Fuzzy Hash: 88281d5183de89c9579b2907bcb0cdaf2ec05bac6c18a2bbe1e285c695779c11
Instruction Fuzzy Hash: 5311E2B2140219BFEF108FA5CC85EEB7FADEF18798F014110BA18A6190C7729C61DBA0

Function 0018D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0018D7A3: _free.LIBCMT ref: 0018D7CC

_free.LIBCMT ref: 0018D82D

Part of subcall function 001829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0018D7D1,00000000,00000000,00000000,00000000,?,0018D7F8,00000000,00000007,00000000,?,0018DBF5,00000000), ref: 001829DE
Part of subcall function 001829C8: GetLastError.KERNEL32(00000000,?,0018D7D1,00000000,00000000,00000000,00000000,?,0018D7F8,00000000,00000007,00000000,?,0018DBF5,00000000,00000000), ref: 001829F0

_free.LIBCMT ref: 0018D838
_free.LIBCMT ref: 0018D843
_free.LIBCMT ref: 0018D897
_free.LIBCMT ref: 0018D8A2
_free.LIBCMT ref: 0018D8AD
_free.LIBCMT ref: 0018D8B8

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 38369d7d34ce96af2da375efbfe2ed07394711bc4936eb74495af0a8db797c9b
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 08112971940B14AAD622BFF0DC46FCB7B9CAF20704F400825F299A60D2DB79A6058B61

Function 001BDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 001BDA74
LoadStringW.USER32(00000000), ref: 001BDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 001BDA91
LoadStringW.USER32(00000000), ref: 001BDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 001BDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 001BDAB9

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: e3c8d6bf6de33e032070eb1b0c6644fb44f5e2ebde7c211be519373dfb529808
Instruction ID: 307d98c1b663cc4adc1a5832b386f99eec24c4ff6b4d9f4371b1c27d420e7ec3
Opcode Fuzzy Hash: e3c8d6bf6de33e032070eb1b0c6644fb44f5e2ebde7c211be519373dfb529808
Instruction Fuzzy Hash: F0014FF6900248BBEB109BE09D89EEB736CEB08301F400491F716E6041E7749EC58BB4

Function 001C096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(01642340,01642340), ref: 001C097B
EnterCriticalSection.KERNEL32(01642320,00000000), ref: 001C098D
TerminateThread.KERNEL32(00540050,000001F6), ref: 001C099B
WaitForSingleObject.KERNEL32(00540050,000003E8), ref: 001C09A9
CloseHandle.KERNEL32(00540050), ref: 001C09B8
InterlockedExchange.KERNEL32(01642340,000001F6), ref: 001C09C8
LeaveCriticalSection.KERNEL32(01642320), ref: 001C09CF

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 8c7c595000582326b13e72698e6cbc663c3232aa1937eb027db5723c46413683
Instruction ID: 809dfcb7bcae9916308aae877948b78256cccded7a25d989e805f40c1b95000a
Opcode Fuzzy Hash: 8c7c595000582326b13e72698e6cbc663c3232aa1937eb027db5723c46413683
Instruction Fuzzy Hash: 06F0C932442A52EBD7525BA4EEC9BDABA29BF05706F402025F20298CA1C77595A6CFD0

Function 001801B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 001800BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001800D6
__allrem.LIBCMT ref: 001800ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0018010B
__allrem.LIBCMT ref: 00180122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00180140

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 8eb06c957246371daf8fd1cdcdf86d21b5240b5f5e0fa4e087c60e3c9423260f
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 1D81F672600B0AABE725AE68CC41B6B73F8AF55374F24823EF415D6281EB70DA458F50

Function 001861FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,001782D9,001782D9,?,?,?,0018644F,00000001,00000001,8BE85006), ref: 00186258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0018644F,00000001,00000001,8BE85006,?,?,?), ref: 001862DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 001863D8
__freea.LIBCMT ref: 001863E5

Part of subcall function 00183820: RtlAllocateHeap.NTDLL(00000000,?,00221444,?,0016FDF5,?,?,0015A976,00000010,00221440,001513FC,?,001513C6,?,00151129), ref: 00183852

__freea.LIBCMT ref: 001863EE
__freea.LIBCMT ref: 00186413

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 3b728338001f96fdbd858df7ad3b8e3f30e12f9ea88e87cb2f77bbe62de9dd68
Instruction ID: 1fd19a3a683dd90f9c3194d2452c255ec1e1fcf483ff6df57f1810c5a722df95
Opcode Fuzzy Hash: 3b728338001f96fdbd858df7ad3b8e3f30e12f9ea88e87cb2f77bbe62de9dd68
Instruction Fuzzy Hash: 2A51E372A00216ABEB25AF64DC81EBF77AAEB54710F154669FC09D6140EB34DE40CBA0

Function 001DBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD

Part of subcall function 001DC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001DB6AE,?,?), ref: 001DC9B5
Part of subcall function 001DC998: _wcslen.LIBCMT ref: 001DC9F1
Part of subcall function 001DC998: _wcslen.LIBCMT ref: 001DCA68
Part of subcall function 001DC998: _wcslen.LIBCMT ref: 001DCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001DBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001DBD25
RegCloseKey.ADVAPI32(00000000), ref: 001DBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 001DBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 001DBDF3
RegCloseKey.ADVAPI32(?), ref: 001DBDFF

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 3fbebde9b7259554ca7f5c8760960d3420d9059bb9ac42c5514a806d46141feb
Instruction ID: 42bde17ac3582255cd1b4549f87c6d3955c3115c7d467b7c781cb4737f9ff630
Opcode Fuzzy Hash: 3fbebde9b7259554ca7f5c8760960d3420d9059bb9ac42c5514a806d46141feb
Instruction Fuzzy Hash: 58815830218241EFD714DF64C8D5E2ABBE5BF84308F15895DF45A8B2A2DB31ED49CB92

Function 001AF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 001AF7B9
SysAllocString.OLEAUT32(00000001), ref: 001AF860
VariantCopy.OLEAUT32(001AFA64,00000000), ref: 001AF889
VariantClear.OLEAUT32(001AFA64), ref: 001AF8AD
VariantCopy.OLEAUT32(001AFA64,00000000), ref: 001AF8B1
VariantClear.OLEAUT32(?), ref: 001AF8BB

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 29639964f086e58efda4a297fc128751532bd43d54314cddaacb354161cb7826
Instruction ID: f1f7d82d9ffd6fe9d8fbcbf07cba01a9535c2d1ee1c0cf9bb178335d808c3762
Opcode Fuzzy Hash: 29639964f086e58efda4a297fc128751532bd43d54314cddaacb354161cb7826
Instruction Fuzzy Hash: EC51E639600310FACF24AFE5D895B2AB3A4EF56314F24846EF805DF292DB708C46C796

Function 001C910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00157620: _wcslen.LIBCMT ref: 00157625

Part of subcall function 00156B57: _wcslen.LIBCMT ref: 00156B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 001C94E5
_wcslen.LIBCMT ref: 001C9506
_wcslen.LIBCMT ref: 001C952D
GetSaveFileNameW.COMDLG32(00000058), ref: 001C9585

Strings

X, xrefs: 001C9412

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: c8d7f3a5b03c29ccfb21ee3802c7d11e815109e09f4bf5eff9ed1153914d6335
Instruction ID: 37d7729b8ed6b7631e48bcc52184e210e9ec09c6ecc407711d5054586c10c067
Opcode Fuzzy Hash: c8d7f3a5b03c29ccfb21ee3802c7d11e815109e09f4bf5eff9ed1153914d6335
Instruction Fuzzy Hash: 78E17D31608340CFD724DF24D885F6AB7E4BFA5314F04896DE8999B2A2DB31ED05CB92

Function 0016920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00169BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00169BB2

BeginPaint.USER32(?,?,?), ref: 00169241
GetWindowRect.USER32(?,?), ref: 001692A5
ScreenToClient.USER32(?,?), ref: 001692C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 001692D3
EndPaint.USER32(?,?,?,?,?), ref: 00169321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 001A71EA

Part of subcall function 00169339: BeginPath.GDI32(00000000), ref: 00169357

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: ac00d48b234ae191ff4e56c95280cddfd7c12fccb12e865502c1375fbe6f4afd
Instruction ID: e3f17082091fab33466ab6a96b2a2e448dee293f57cc5e4513a5d86994d9b1a0
Opcode Fuzzy Hash: ac00d48b234ae191ff4e56c95280cddfd7c12fccb12e865502c1375fbe6f4afd
Instruction Fuzzy Hash: 16419C70104340AFD721DF64DC98FBA7BF8EF6A320F040629F9958A2E1C7309996DB61

Function 001C07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 001C080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 001C0847
EnterCriticalSection.KERNEL32(?), ref: 001C0863
LeaveCriticalSection.KERNEL32(?), ref: 001C08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 001C08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 001C0921

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: d8d1a49bbbd2e3a901d2b92a6546142aee64e317a27ad7d7dee436db35183a15
Instruction ID: 40eefa7bc225ed5c3c96a4aef5b264e3deb351253f720c211d7a5a8b59bb16a6
Opcode Fuzzy Hash: d8d1a49bbbd2e3a901d2b92a6546142aee64e317a27ad7d7dee436db35183a15
Instruction Fuzzy Hash: 5C415971900205EFDF15DF94DC85AAA7B78FF18304F1480A9ED049E296DB31DE61DBA0

Function 001C581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00153AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00153A97,?,?,00152E7F,?,?,?,00000000), ref: 00153AC2

_wcslen.LIBCMT ref: 001C587B
CoInitialize.OLE32(00000000), ref: 001C5995
CoCreateInstance.OLE32(001EFCF8,00000000,00000001,001EFB68,?), ref: 001C59AE
CoUninitialize.OLE32 ref: 001C59CC

Strings

.lnk, xrefs: 001C5876, 001C58C1, 001C5985

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 358d0c9cc3651193b727b2a34a842fc803f4ab186b27b4c36a00954df1eeb2d2
Instruction ID: d60a67b7bd19b24fd414f12727999b67ecb328df10f6bf7501a01f0b5f8f4a22
Opcode Fuzzy Hash: 358d0c9cc3651193b727b2a34a842fc803f4ab186b27b4c36a00954df1eeb2d2
Instruction Fuzzy Hash: BFD15370608601DFC714DF25C480E2ABBE2EFA9714F14895DF8999B261DB31EC85CB92

Function 001B175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001B0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 001B0FCA
Part of subcall function 001B0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 001B0FD6
Part of subcall function 001B0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 001B0FE5
Part of subcall function 001B0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 001B0FEC
Part of subcall function 001B0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 001B1002

GetLengthSid.ADVAPI32(?,00000000,001B1335), ref: 001B17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 001B17BA
HeapAlloc.KERNEL32(00000000), ref: 001B17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 001B17DA
GetProcessHeap.KERNEL32(00000000,00000000,001B1335), ref: 001B17EE
HeapFree.KERNEL32(00000000), ref: 001B17F5

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: d529cdcaea8919bbba34e8a3e708cb6df7df20d351e1be0a536e471bcb4253ca
Instruction ID: 9bdba7d5ed79effe2f19decd985b90da71ac4154b65a8dae48d3fded57f53bca
Opcode Fuzzy Hash: d529cdcaea8919bbba34e8a3e708cb6df7df20d351e1be0a536e471bcb4253ca
Instruction Fuzzy Hash: 63118E32610205FFDB14DFA4CC99BEF7BA9EB46355F514018F8419B210DB35A985CBA0

Function 001B14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 001B14FF
OpenProcessToken.ADVAPI32(00000000), ref: 001B1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 001B1515
CloseHandle.KERNEL32(00000004), ref: 001B1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 001B154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 001B1563

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 13078e0fb678091ec4689d2016869440b71f2c6a7601e65975d610e4f2c178bf
Instruction ID: 9fd0c342ae758b208084461b0f4f77411ebec2354e7fd8ba1775e9e794bc42df
Opcode Fuzzy Hash: 13078e0fb678091ec4689d2016869440b71f2c6a7601e65975d610e4f2c178bf
Instruction Fuzzy Hash: 6C111472504249BBDB11CFA8ED89BDE7BA9EB49744F054025FA05A6060C3758EA19BA0

Function 00173382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00173379,00172FE5), ref: 00173390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0017339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 001733B7
SetLastError.KERNEL32(00000000,?,00173379,00172FE5), ref: 00173409

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: b55a5c0d925f17749a36728666d282305d6c6b1ec187900830d63f2cad850031
Instruction ID: 89c7aa992c07e4f2d5d8f5472a7b7dc0ee6c9981b0f26c1bfde835c32abed7be
Opcode Fuzzy Hash: b55a5c0d925f17749a36728666d282305d6c6b1ec187900830d63f2cad850031
Instruction Fuzzy Hash: 5E01FC33649311BFA62927B57CC95A72A75FB29379730C229F538851F0EF114E017654

Function 00182D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00185686,00193CD6,?,00000000,?,00185B6A,?,?,?,?,?,0017E6D1,?,00218A48), ref: 00182D78
_free.LIBCMT ref: 00182DAB
_free.LIBCMT ref: 00182DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0017E6D1,?,00218A48,00000010,00154F4A,?,?,00000000,00193CD6), ref: 00182DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0017E6D1,?,00218A48,00000010,00154F4A,?,?,00000000,00193CD6), ref: 00182DEC
_abort.LIBCMT ref: 00182DF2

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: cf8f083ac6f80e5919798640b219da3d3afe8e8db3b9a062f4c303e79689c647
Instruction ID: 06ce1f5bb1f56df62892971ed08033989545e869672a7a90e9e54b7da99d5976
Opcode Fuzzy Hash: cf8f083ac6f80e5919798640b219da3d3afe8e8db3b9a062f4c303e79689c647
Instruction Fuzzy Hash: 79F0C83664561037C61337B8BC0AE5F295ABFE27A1F254618F824972D2EF349B425F60

Function 001E8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00169639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00169693
Part of subcall function 00169639: SelectObject.GDI32(?,00000000), ref: 001696A2
Part of subcall function 00169639: BeginPath.GDI32(?), ref: 001696B9
Part of subcall function 00169639: SelectObject.GDI32(?,00000000), ref: 001696E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 001E8A4E
LineTo.GDI32(?,00000003,00000000), ref: 001E8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 001E8A70
LineTo.GDI32(?,00000000,00000003), ref: 001E8A80
EndPath.GDI32(?), ref: 001E8A90
StrokePath.GDI32(?), ref: 001E8AA0

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 5af7783120f87bfc5e09a2d44b479914eb499d7e4c244e4242c019e68754f018
Instruction ID: eeb7f5a6344fb4375fe8bca76424d5e19332916df040813432f6a0332e282022
Opcode Fuzzy Hash: 5af7783120f87bfc5e09a2d44b479914eb499d7e4c244e4242c019e68754f018
Instruction Fuzzy Hash: 6B11FA7600018CFFDF129F90DC88E9A7F6CEB04354F048021FA199A161C7719D96DFA0

Function 001B51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 001B5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 001B5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 001B5230
ReleaseDC.USER32(00000000,00000000), ref: 001B5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 001B524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 001B5261

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: e510246554c4b1418858a633d4e769a26d89ed7a70a0326823cd3c7e72d21dcf
Instruction ID: a92306d1311c1b2ddf1f1949c95f44c5d1bd7ad9d0cfa792bbf260d037287369
Opcode Fuzzy Hash: e510246554c4b1418858a633d4e769a26d89ed7a70a0326823cd3c7e72d21dcf
Instruction Fuzzy Hash: 56014F75A01758BBEB109BE59C89B5EBFB9EB48751F044065FA04AB681D7709801CBA0

Function 00151BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00151BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00151BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00151C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00151C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00151C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00151C22

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 444314952d53945dd294172417cb2fb18c8b4022d8512ac8f28cdbf4b0f084c4
Instruction ID: 9449716f2269e0a604b0a56bf2ae3351ee80d5c4276e1efa883046dac3c74053
Opcode Fuzzy Hash: 444314952d53945dd294172417cb2fb18c8b4022d8512ac8f28cdbf4b0f084c4
Instruction Fuzzy Hash: 950148B09027597DE3008F5A8C85A56FFA8FF19354F04411B915C4BA41C7B5A864CBE5

Function 001BEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 001BEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 001BEB46
GetWindowThreadProcessId.USER32(?,?), ref: 001BEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001BEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001BEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001BEB75

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 90f1e167e3778356be1f20d07af77b06a633e7c8ffac300ac057b837ddc04efc
Instruction ID: 03cee1823f82090a5c5afe3b0c74c039e346dcc77282acf413ae6adfe08b9561
Opcode Fuzzy Hash: 90f1e167e3778356be1f20d07af77b06a633e7c8ffac300ac057b837ddc04efc
Instruction Fuzzy Hash: E9F03072140198BBE72157929C4DEEF3A7CEFCAB11F000158FA01D5591D7A05A42C6F5

Function 001B1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 001B187F
UnloadUserProfile.USERENV(?,?), ref: 001B188B
CloseHandle.KERNEL32(?), ref: 001B1894
CloseHandle.KERNEL32(?), ref: 001B189C
GetProcessHeap.KERNEL32(00000000,?), ref: 001B18A5
HeapFree.KERNEL32(00000000), ref: 001B18AC

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: ec06589542ab737535113294c191bfa64577150a24cffe8e71841a4fb023e7e6
Instruction ID: be25b518466eaa1fdf5bf89df514c9f5f956db2d9e383008f828890ecafd2c38
Opcode Fuzzy Hash: ec06589542ab737535113294c191bfa64577150a24cffe8e71841a4fb023e7e6
Instruction Fuzzy Hash: 14E0E536004241FBDB015FE1ED4C90EBF39FF4AB22B108220F62589870CB3294A2DF90

Function 0015BBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0015BEB3

Strings

D%"D%", xrefs: 0015BCA5
D%", xrefs: 0015BCA2
D%", xrefs: 0015BE9A
D%", xrefs: 0015BDED, 0015BD91, 0015BD1B

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%"$D%"$D%"$D%"D%"
API String ID: 1385522511-2824579510
Opcode ID: adda9341f65259f804ef7e67853dc30e166aad948748640bf68615323035af01
Instruction ID: 25f4e7b776448bdbb4891d8ed75c567522f66192cd249da84d1df6a27f3a6db5
Opcode Fuzzy Hash: adda9341f65259f804ef7e67853dc30e166aad948748640bf68615323035af01
Instruction Fuzzy Hash: 85916A75A0820ADFCB18CF98C0D16A9B7F1FF58315F248169E965AB350E731ED89CB90

Function 001BC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00157620: _wcslen.LIBCMT ref: 00157625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001BC6EE
_wcslen.LIBCMT ref: 001BC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001BC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 001BC7CA

Strings

0, xrefs: 001BC6AF

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: e1cee313461aa669f064a90ad94230d520aef386c15a724a16765878ae655bff
Instruction ID: ce6e03d37aafc10d1c07db169108cfe29392bfab8b7c8360c9daa3319b160de5
Opcode Fuzzy Hash: e1cee313461aa669f064a90ad94230d520aef386c15a724a16765878ae655bff
Instruction Fuzzy Hash: 6251FF726043019BD714DF68C885BEBB7E8AFA9310F040A2DF9A5D72A0DB70D814CBD2

Function 001DAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 001DAEA3

Part of subcall function 00157620: _wcslen.LIBCMT ref: 00157625

GetProcessId.KERNEL32(00000000), ref: 001DAF38
CloseHandle.KERNEL32(00000000), ref: 001DAF67

Strings

@, xrefs: 001DAE72
<, xrefs: 001DAE6B

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: ab8a30fcdf9bedc7fc9ec6478eea5f9c74371386fa43d6192cfa5bb3df429988
Instruction ID: d979d4b7092b142707d0d6f89055401a653f01793b977740b9181b5ea0f54bc4
Opcode Fuzzy Hash: ab8a30fcdf9bedc7fc9ec6478eea5f9c74371386fa43d6192cfa5bb3df429988
Instruction Fuzzy Hash: 6F717771A00618DFCB14DFA4D485A9EBBF0BF08301F44849AE866AF392D770ED45CB91

Function 001E6278 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0164CDC0,?), ref: 001E62E2
ScreenToClient.USER32(?,?), ref: 001E6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 001E6382

Strings

@U=u, xrefs: 001E63DD

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID: @U=u
API String ID: 3880355969-2594219639
Opcode ID: 8b681f46cfa9fff5615ef6bea497bbac3969f2a407c1632820a731b0ba257b3d
Instruction ID: 15959797951c1ad14625715ee0d381cd75643190966e0d75b73b29a7f73d56c2
Opcode Fuzzy Hash: 8b681f46cfa9fff5615ef6bea497bbac3969f2a407c1632820a731b0ba257b3d
Instruction Fuzzy Hash: BF516274900685EFCF10DF55D8849AE7BB6FF653A0F508159F9159B290D730ED81CB90

Function 001B2716 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001BB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001B21D0,?,?,00000034,00000800,?,00000034), ref: 001BB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 001B2760

Part of subcall function 001BB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001B21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 001BB3F8

Part of subcall function 001BB32A: GetWindowThreadProcessId.USER32(?,?), ref: 001BB355
Part of subcall function 001BB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,001B2194,00000034,?,?,00001004,00000000,00000000), ref: 001BB365
Part of subcall function 001BB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,001B2194,00000034,?,?,00001004,00000000,00000000), ref: 001BB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 001B27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 001B281A

Strings

@, xrefs: 001B2832
@U=u, xrefs: 001B2760, 001B27CD, 001B281A

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @$@U=u
API String ID: 4150878124-826235744
Opcode ID: 2116ec2efc49bd195ccf14a50201a144ab3cb7d4e618b75d7f7b3af22e78c2db
Instruction ID: 51ce2d8a171ee64ab2b5187b5b6f20aa083fb550fe0eb2cd5cef0171e9208ecd
Opcode Fuzzy Hash: 2116ec2efc49bd195ccf14a50201a144ab3cb7d4e618b75d7f7b3af22e78c2db
Instruction Fuzzy Hash: 25410B76900218AFDB10DBA4CD85AEEBBB8AF19700F104095FA55B7191DB706E89CBA1

Function 001B719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 001B7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 001B723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 001B724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 001B72CF

Strings

DllGetClassObject, xrefs: 001B7242

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 78e58e9e41c1ba3d7ab008f865c23814530678ffc25eec974ab7e97eae850844
Instruction ID: f7efbdecb95adbb24db153f526c3ba531b84d2f0095e49ae899cdcdc5970d26a
Opcode Fuzzy Hash: 78e58e9e41c1ba3d7ab008f865c23814530678ffc25eec974ab7e97eae850844
Instruction Fuzzy Hash: 0C413171A04204EFDB15CF94C984ADA7BA9EF98310F1580ADFD05DF28AD7B1DA45CBA0

Function 001E52C1 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 001E5352
GetWindowLongW.USER32(?,000000F0), ref: 001E5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 001E5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 001E53A8

Strings

@U=u, xrefs: 001E5352

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID: @U=u
API String ID: 3340791633-2594219639
Opcode ID: 6ddcfbc5c881e481c6dcf27d6a83fc9ead0e6f431b5b1ac3b676930c20402cbf
Instruction ID: 2f491a41d5217aa22529be37b900f4ffd0c0111fb5350edc33af9b2b97fbca84
Opcode Fuzzy Hash: 6ddcfbc5c881e481c6dcf27d6a83fc9ead0e6f431b5b1ac3b676930c20402cbf
Instruction Fuzzy Hash: BA31DE34A55E88EFEB349A56CC46FED7767BB04398F584102FA10962E1C7B09980DB82

Function 001DC9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001DC9F1
_wcslen.LIBCMT ref: 001DCA68
_wcslen.LIBCMT ref: 001DCA9E
_wcslen.LIBCMT ref: 001DCAF9
_wcslen.LIBCMT ref: 001DCB2F
_wcslen.LIBCMT ref: 001DCB7F

Strings

HKLM, xrefs: 001DCA98, 001DCA9D
HKEY_LOCAL_MACHINE, xrefs: 001DCA62, 001DCA67

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: 27fc46ba6fb8a7f48fc0d4d02aab15a0a8ece011215031036b1428d6501eecd1
Instruction ID: 5f135a7f760bd5fe5267a9102ef60e1fd3ce509823afd09426383623b947191c
Opcode Fuzzy Hash: 27fc46ba6fb8a7f48fc0d4d02aab15a0a8ece011215031036b1428d6501eecd1
Instruction Fuzzy Hash: F731D273A1016B8BCB20DE6C99405BE33A29BB1794B15492BF855AB345FB71CE84D3E0

Function 001E2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 001E2F8D
LoadLibraryW.KERNEL32(?), ref: 001E2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 001E2FA9
DestroyWindow.USER32(?), ref: 001E2FB1

Strings

SysAnimate32, xrefs: 001E2F68

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 0f189231cb64986254bb52c54fba3cc42cb69864f476434765eacebaa4d637ab
Instruction ID: 220eab493e316ff1c9be479fe09a3f774dc70ef901ddde7ff06ab4797fb5cb11
Opcode Fuzzy Hash: 0f189231cb64986254bb52c54fba3cc42cb69864f476434765eacebaa4d637ab
Instruction Fuzzy Hash: 0E21CD72600685ABEB204FA6DCA1FBF77BDEB69364F100228FA50D7190D771DC9197A0

Function 001E5660 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 001E56BB
_wcslen.LIBCMT ref: 001E56CD
_wcslen.LIBCMT ref: 001E56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 001E5816

Strings

@U=u, xrefs: 001E56BB, 001E5816

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: MessageSend_wcslen
String ID: @U=u
API String ID: 455545452-2594219639
Opcode ID: 40bf852205a2e3ed2b573aec4d818db821c837c8d2ef5a682801f3d5bfe88e61
Instruction ID: 67c7610adf6a37e576d34c0914502f3ebba8f9f4fd3809ff34131aaf7ff82c02
Opcode Fuzzy Hash: 40bf852205a2e3ed2b573aec4d818db821c837c8d2ef5a682801f3d5bfe88e61
Instruction Fuzzy Hash: 1111D375A00A99A6DF209FA2CCC5AEE77BCEF15768F148026F915D6081E770CA80CB60

Function 0015600E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0015604C
GetStockObject.GDI32(00000011), ref: 00156060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0015606A

Strings

@U=u, xrefs: 0015606A

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID: @U=u
API String ID: 3970641297-2594219639
Opcode ID: 1cb52e8c67ebc31763f474ecf7ef256dc508458a9acce96b84c2275b1ab25be6
Instruction ID: ca1273e21113052dea6ccfbe7369bdc883fc8abeabe74e4c71ce7eeee7016993
Opcode Fuzzy Hash: 1cb52e8c67ebc31763f474ecf7ef256dc508458a9acce96b84c2275b1ab25be6
Instruction Fuzzy Hash: 23118B72501648FFEF164FA4DC84EEABB69EF183A5F440201FE245A150C7369CA19BE0

Function 00174D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00174D1E,001828E9,?,00174CBE,001828E9,002188B8,0000000C,00174E15,001828E9,00000002), ref: 00174D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00174DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00174D1E,001828E9,?,00174CBE,001828E9,002188B8,0000000C,00174E15,001828E9,00000002,00000000), ref: 00174DC3

Strings

CorExitProcess, xrefs: 00174D98
mscoree.dll, xrefs: 00174D86

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 073e18a6e9af43fd527c4f976406648d54d2c504603394560a2b8660a0ccaf5e
Instruction ID: 42286adc43b6447e5a1c4ceec0a82dc098da173af7116daf8408f076b1ae984d
Opcode Fuzzy Hash: 073e18a6e9af43fd527c4f976406648d54d2c504603394560a2b8660a0ccaf5e
Instruction Fuzzy Hash: F3F04F35A40308FBDB129FD4DC49BEDBBB5EF58752F0441A8F949A6660DB309A81CAD0

Function 00154E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00154EDD,?,00221418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00154E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00154EAE
FreeLibrary.KERNEL32(00000000,?,?,00154EDD,?,00221418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00154EC0

Strings

kernel32.dll, xrefs: 00154E94
Wow64DisableWow64FsRedirection, xrefs: 00154EA8

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 1a6024698cd0fe5148168b84e6f8a5dfd18af3e8c7689f190f5cfefc9d67495a
Instruction ID: be3d013bd8dfdbdf47974ead1180368ea9011aa367aadbbc6be0b0770b288f19
Opcode Fuzzy Hash: 1a6024698cd0fe5148168b84e6f8a5dfd18af3e8c7689f190f5cfefc9d67495a
Instruction Fuzzy Hash: 4FE0CD35E01622DBD2311765AC1DB9F6595EF82F677090115FC10DB100DB74CD8744F4

Function 00154E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00193CDE,?,00221418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00154E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00154E74
FreeLibrary.KERNEL32(00000000,?,?,00193CDE,?,00221418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00154E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00154E6E
kernel32.dll, xrefs: 00154E5B

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 832668110094dc01b2eabea40d258678c640547807e14ce180f749cbe5bca192
Instruction ID: b7639192e3c66d02ee714366046c33bc27093985dbd3e6533818d3e8189d924e
Opcode Fuzzy Hash: 832668110094dc01b2eabea40d258678c640547807e14ce180f749cbe5bca192
Instruction Fuzzy Hash: A5D0C231902A61E7A6221B256C09DCF2A18EF85F563090114BC10AA110CF34CD8285D0

Function 001C2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001C2C05
DeleteFileW.KERNEL32(?), ref: 001C2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 001C2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001C2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001C2CC0

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 47baaebdd11f062cad433681e5702330a5bf81d03c335cbc839a77ccf0668fef
Instruction ID: 4615b53e8d2ec19ea7ace31d2033b3696d09487e5d0c7df43563d4651fcfb31f
Opcode Fuzzy Hash: 47baaebdd11f062cad433681e5702330a5bf81d03c335cbc839a77ccf0668fef
Instruction Fuzzy Hash: 35B13E71900119ABDF25DBA4CC85FDEB7BDEF69350F1040AAF909A7141EB30DA448B61

Function 001DA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 001DA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 001DA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 001DA468
CloseHandle.KERNEL32(?), ref: 001DA63D

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: f43d970dd46c7b9cccfa8862d3ac88050b9e8cf3c76993083068f06eea1ff8c2
Instruction ID: d81b1adf4ea3605746f018c4429fd4f90e5c0d04b8711bf956d938dc5d1db309
Opcode Fuzzy Hash: f43d970dd46c7b9cccfa8862d3ac88050b9e8cf3c76993083068f06eea1ff8c2
Instruction Fuzzy Hash: 11A1A1716043009FD720DF28D886F2AB7E5AF94714F54885DF96A9B392DBB0EC45CB82

Function 0018BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,001F3700), ref: 0018BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0022121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0018BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00221270,000000FF,?,0000003F,00000000,?), ref: 0018BC36
_free.LIBCMT ref: 0018BB7F

Part of subcall function 001829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0018D7D1,00000000,00000000,00000000,00000000,?,0018D7F8,00000000,00000007,00000000,?,0018DBF5,00000000), ref: 001829DE
Part of subcall function 001829C8: GetLastError.KERNEL32(00000000,?,0018D7D1,00000000,00000000,00000000,00000000,?,0018D7F8,00000000,00000007,00000000,?,0018DBF5,00000000,00000000), ref: 001829F0

_free.LIBCMT ref: 0018BD4B

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: b1c59df9dc5a73b079a3b9a9f977fe5a962298ae621bf340a483f7147a7a9a28
Instruction ID: c1d7c6c9ea1a6fc1eb2c653fea2e0db6393b865b6372c5ac80b2619db05ff2f5
Opcode Fuzzy Hash: b1c59df9dc5a73b079a3b9a9f977fe5a962298ae621bf340a483f7147a7a9a28
Instruction Fuzzy Hash: 6051D871908219EFCB24FFA59CC59AEB7B8AF64310B10436AF814D71A1EB309F418F50

Function 001BE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 001BDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,001BCF22,?), ref: 001BDDFD

Part of subcall function 001BDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,001BCF22,?), ref: 001BDE16

Part of subcall function 001BE199: GetFileAttributesW.KERNEL32(?,001BCF95), ref: 001BE19A

lstrcmpiW.KERNEL32(?,?), ref: 001BE473
MoveFileW.KERNEL32(?,?), ref: 001BE4AC
_wcslen.LIBCMT ref: 001BE5EB
_wcslen.LIBCMT ref: 001BE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 001BE650

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 3b3eb413a73d15b3e7788a6140ab0149f8adb9e5fd8ae46181902670a9c69406
Instruction ID: e4e14eb6f10e32388944786fbd4b372fe7c38388edb07f83c299f04b5d9b5507
Opcode Fuzzy Hash: 3b3eb413a73d15b3e7788a6140ab0149f8adb9e5fd8ae46181902670a9c69406
Instruction Fuzzy Hash: 5E5153B24083859BC724DBA4DC819DF73ECAF95340F00492EF689D7191EF75A68C8766

Function 001DB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD

Part of subcall function 001DC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001DB6AE,?,?), ref: 001DC9B5
Part of subcall function 001DC998: _wcslen.LIBCMT ref: 001DC9F1
Part of subcall function 001DC998: _wcslen.LIBCMT ref: 001DCA68
Part of subcall function 001DC998: _wcslen.LIBCMT ref: 001DCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001DBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001DBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 001DBB63
RegCloseKey.ADVAPI32(?,?), ref: 001DBBA6
RegCloseKey.ADVAPI32(00000000), ref: 001DBBB3

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: a34cffad569f951a6318e5ce2c4dd737611c9f65839dbef74bc7630a5745f91f
Instruction ID: 794fa9a652abc7f52174d00c4422fd1d865f7f802576022efa2c4b45f9ce44a3
Opcode Fuzzy Hash: a34cffad569f951a6318e5ce2c4dd737611c9f65839dbef74bc7630a5745f91f
Instruction Fuzzy Hash: B2612A31208241EFD714DF54C8D1E2ABBE5BF84308F55895EF49A8B2A2DB31ED45CB92

Function 001B8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001B8BCD
VariantClear.OLEAUT32 ref: 001B8C3E
VariantClear.OLEAUT32 ref: 001B8C9D
VariantClear.OLEAUT32(?), ref: 001B8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 001B8D3B

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: f007cf2f633de0a7c347d8c86cdebb41ad97e14fcdd33fdb89f0eae85f3bf2ca
Instruction ID: 5d89eaa1567797e7967c3384e7f7852d5be5ffef6afd645e0db0477f1390e12d
Opcode Fuzzy Hash: f007cf2f633de0a7c347d8c86cdebb41ad97e14fcdd33fdb89f0eae85f3bf2ca
Instruction Fuzzy Hash: F6516AB5A00219EFCB14CF68C894AEAB7F8FF8D710B15855AE909DB350E730E911CB90

Function 001C8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 001C8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 001C8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 001C8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 001C8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 001C8C5F

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 9dbedc706a4a68a5262cda93b9fd88a8f15ae21d7269bdc2c3066c99032dba71
Instruction ID: 2780e3c34c26c0cf3772a560e3aedfe3f933597bdbdd8a201400bd3eba70c0ca
Opcode Fuzzy Hash: 9dbedc706a4a68a5262cda93b9fd88a8f15ae21d7269bdc2c3066c99032dba71
Instruction Fuzzy Hash: 70513835A00215DFCB04DF64D881EADBBF5BF58314F088458E859AB3A2DB31ED55CB90

Function 001D8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 001D8F40
GetProcAddress.KERNEL32(00000000,?), ref: 001D8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 001D8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 001D9032
FreeLibrary.KERNEL32(00000000), ref: 001D9052

Part of subcall function 0016F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,001C1043,?,75B8E610), ref: 0016F6E6
Part of subcall function 0016F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,001AFA64,00000000,00000000,?,?,001C1043,?,75B8E610,?,001AFA64), ref: 0016F70D

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 1bcb264de524da8c68fd97e4c9c86c691c9a87ff137934c8bbd553fb17d63559
Instruction ID: 55dbca4feff6290d00a17cd06bc149cb10f36b5ead40adc4df62f888b0303c59
Opcode Fuzzy Hash: 1bcb264de524da8c68fd97e4c9c86c691c9a87ff137934c8bbd553fb17d63559
Instruction Fuzzy Hash: 6F515C35604205DFCB15EF68D4848ADBBF1FF59314B0580A9E81A9F362DB31ED8ACB91

Function 00182051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001820C3
_free.LIBCMT ref: 001820E3

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 63a239796ca843c4b27a952fbeee5dd19c71b93c954a33a1c89f9c7b6852653a
Instruction ID: 70b838e9fca00b8ca448654e9b1d255c0162866eaf89ada6b0eb898f84553216
Opcode Fuzzy Hash: 63a239796ca843c4b27a952fbeee5dd19c71b93c954a33a1c89f9c7b6852653a
Instruction Fuzzy Hash: BB41D376A002009FCB25EF78C885A9DB7F5EF99314F268569E515EB391DB31EE01CB80

Function 0016912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00169141
ScreenToClient.USER32(00000000,?), ref: 0016915E
GetAsyncKeyState.USER32(00000001), ref: 00169183
GetAsyncKeyState.USER32(00000002), ref: 0016919D

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 9f756a24147d76ac289acef590693bb1f4f4333c7f1c6cb7949cb0da69e48891
Instruction ID: c32a2d5036ef5c5d77177310a138939da6bd5106d9c9cecd2e6a31c48aa97bb3
Opcode Fuzzy Hash: 9f756a24147d76ac289acef590693bb1f4f4333c7f1c6cb7949cb0da69e48891
Instruction Fuzzy Hash: 2B415E75A0864AEBDF199F68CC44BEEB7B8FF06330F248215E425A72D0C7346A54CB91

Function 001C3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 001C38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 001C3922
TranslateMessage.USER32(?), ref: 001C394B
DispatchMessageW.USER32(?), ref: 001C3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001C3966

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 104c46737bd892c78bc9a54177bc9779ed329bcccbc24e76a682f429c596af81
Instruction ID: de07da64279ef1423df1163ddd52559559d8c7e2f1c386c9d47191b31e3a7bcf
Opcode Fuzzy Hash: 104c46737bd892c78bc9a54177bc9779ed329bcccbc24e76a682f429c596af81
Instruction Fuzzy Hash: 7731B970904381AEEB35CBB4AC4DFB677A4AB35308F04856DE472865A0D3F5D686CB51

Function 001CCF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,001CC21E,00000000), ref: 001CCF38
InternetReadFile.WININET(?,00000000,?,?), ref: 001CCF6F
GetLastError.KERNEL32(?,00000000,?,?,?,001CC21E,00000000), ref: 001CCFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,001CC21E,00000000), ref: 001CCFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,001CC21E,00000000), ref: 001CCFF2

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 68f7f1f5859d666648d776d0d4577189065371ba623c01e5705f0e5ff4d930cb
Instruction ID: 4c06c71d1c9792f0457488f15fef66c0b22df8b005b0fb17a822d8f05329ce31
Opcode Fuzzy Hash: 68f7f1f5859d666648d776d0d4577189065371ba623c01e5705f0e5ff4d930cb
Instruction Fuzzy Hash: 5C314B71900205AFDB24DFA5D884EAEBBF9EB24350B10442EF51AD6540DB30EE41DBA0

Function 001B1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 001B1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 001B19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 001B19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 001B19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 001B19E2

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: dac19da16d6f1bf9f99bf966ab993ad51d96ebde6e24deb9460be94268ee72a9
Instruction ID: 00f8b5812e3b08875a98a42a7f0d70d1515674c032fa034aed988536738ffd84
Opcode Fuzzy Hash: dac19da16d6f1bf9f99bf966ab993ad51d96ebde6e24deb9460be94268ee72a9
Instruction Fuzzy Hash: 6A31C072A00259FFCB04CFA8CDA9ADE3BB5EB05319F514229F921EB2D1C7709944CB90

Function 001D0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 001D0951
GetForegroundWindow.USER32 ref: 001D0968
GetDC.USER32(00000000), ref: 001D09A4
GetPixel.GDI32(00000000,?,00000003), ref: 001D09B0
ReleaseDC.USER32(00000000,00000003), ref: 001D09E8

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 5e5597632bce9635dd8546a505fe3e8fab7f1da0714272e41b1629c03a08f3ef
Instruction ID: a79f7cd2c16cf434429be110859946a4f6b2228885591f96f115cf7f3228d353
Opcode Fuzzy Hash: 5e5597632bce9635dd8546a505fe3e8fab7f1da0714272e41b1629c03a08f3ef
Instruction Fuzzy Hash: 7A216F35600204AFD704EFA9DC94AAEBBE5FF58701F04846DE85ADB752DB70AC45CB90

Function 0018CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0018CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0018CDE9

Part of subcall function 00183820: RtlAllocateHeap.NTDLL(00000000,?,00221444,?,0016FDF5,?,?,0015A976,00000010,00221440,001513FC,?,001513C6,?,00151129), ref: 00183852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0018CE0F
_free.LIBCMT ref: 0018CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0018CE31

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: f4b2845e8363dc79ed137dc846a2b53a77e1cc5a9c44b2e77522147284e53798
Instruction ID: e958602a2ae63b4e5817c00d4e1eae09f62383bd76fd0888ea4d19a03a944981
Opcode Fuzzy Hash: f4b2845e8363dc79ed137dc846a2b53a77e1cc5a9c44b2e77522147284e53798
Instruction Fuzzy Hash: D40184726016557F232136BA6C88D7F6E6DEFC6BA13154129F905C7201EB718F028BF0

Function 00169639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00169693
SelectObject.GDI32(?,00000000), ref: 001696A2
BeginPath.GDI32(?), ref: 001696B9
SelectObject.GDI32(?,00000000), ref: 001696E2

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 5169f6e42dfb5c5c2bc93393e032814e41d3b6068bffa3a63fa961d53a09697d
Instruction ID: e44c796555f198626d25065c5465cccc452d12356bef9d7c3f5710b95ac31fdf
Opcode Fuzzy Hash: 5169f6e42dfb5c5c2bc93393e032814e41d3b6068bffa3a63fa961d53a09697d
Instruction Fuzzy Hash: F9214CB0802385EBDB219FA4EC58BAD3BA9BF61755F10061AF410A61B0D37099F3CF94

Function 001B5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 001B5726
_memcmp.LIBVCRUNTIME ref: 001B5744
_memcmp.LIBVCRUNTIME ref: 001B5757
_memcmp.LIBVCRUNTIME ref: 001B576F
_memcmp.LIBVCRUNTIME ref: 001B5787

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 3a57c3e1db3537d09648e8c684d3ce9d96f5964333bab13e0d5b8ee069afe72a
Instruction ID: 3e744240950d7f23664eb20e4685a98fd9e3055b593b1d9a5091baeb7cab6983
Opcode Fuzzy Hash: 3a57c3e1db3537d09648e8c684d3ce9d96f5964333bab13e0d5b8ee069afe72a
Instruction Fuzzy Hash: 0F017971741A05BBE30857159D82FFF736FAB713A8FA44025FD089B641FB61EE1282A1

Function 00182DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0017F2DE,00183863,00221444,?,0016FDF5,?,?,0015A976,00000010,00221440,001513FC,?,001513C6), ref: 00182DFD
_free.LIBCMT ref: 00182E32
_free.LIBCMT ref: 00182E59
SetLastError.KERNEL32(00000000,00151129), ref: 00182E66
SetLastError.KERNEL32(00000000,00151129), ref: 00182E6F

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 9e52a997fe29de4dba76723a112e5b98f61b662534f6651d8e6964dfa2dec6f2
Instruction ID: b74181cce1624f5f65229d36570dc6011b31d137c78fe4e5194cb2eb77382830
Opcode Fuzzy Hash: 9e52a997fe29de4dba76723a112e5b98f61b662534f6651d8e6964dfa2dec6f2
Instruction Fuzzy Hash: D3012836645A007BC62377747C89D6F265EABE17B5B364028F825A32D2EF348F014F64

Function 001B000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,001AFF41,80070057,?,?,?,001B035E), ref: 001B002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001AFF41,80070057,?,?), ref: 001B0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001AFF41,80070057,?,?), ref: 001B0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001AFF41,80070057,?), ref: 001B0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001AFF41,80070057,?,?), ref: 001B0070

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: c10d0cd7b368cf0e37a33ae62399fbd4a67cc09aadead78c4f029ad64945c1b7
Instruction ID: 5e82318942e018037074c7c26c7a91e17c5eb2299172f563645bd6342c1c84dc
Opcode Fuzzy Hash: c10d0cd7b368cf0e37a33ae62399fbd4a67cc09aadead78c4f029ad64945c1b7
Instruction Fuzzy Hash: CA018F72600204BFDB125FA8DC44FEF7AADEB48791F144128F905D6210D771DD818BA0

Function 001BE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 001BE997
QueryPerformanceFrequency.KERNEL32(?), ref: 001BE9A5
Sleep.KERNEL32(00000000), ref: 001BE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 001BE9B7
Sleep.KERNEL32 ref: 001BE9F3

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 6a1925cb3ca0607944f05eadc184df51a5ffd1a0c906d7128ed5216db8e2cc24
Instruction ID: fa44b8d00f33f95147c47a4bbdbc8ef91c4de7321d3296911f926bbd54e334ef
Opcode Fuzzy Hash: 6a1925cb3ca0607944f05eadc184df51a5ffd1a0c906d7128ed5216db8e2cc24
Instruction Fuzzy Hash: 99012531C01629DBCF00AFE5DC99AEDBBB8FF09705F010556E902B6241CB30A699CBA1

Function 001B10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 001B1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,001B0B9B,?,?,?), ref: 001B1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,001B0B9B,?,?,?), ref: 001B112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,001B0B9B,?,?,?), ref: 001B1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 001B114D

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: f76494255bdeda662568a3f15695662905a798cffad94144f2a9fcc165262753
Instruction ID: 465eebd2543eb461139ff385fef29d4f5b5d0c48c1df7439c1ab3acb9955c346
Opcode Fuzzy Hash: f76494255bdeda662568a3f15695662905a798cffad94144f2a9fcc165262753
Instruction Fuzzy Hash: FB018179500205BFDB114FA8DC89EAE3F6EEF86360B150418FA41C7350DB31DC418BA0

Function 001B0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 001B0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 001B0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 001B0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 001B0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 001B1002

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: f2ce5e3445e4cb6bb67e75d652101ae0854e26ba7e2259fe31d57c8f6447a040
Instruction ID: 599e9936f87d08dfc6ea5be66b7b6e55289394f4995e8dd25743e20eae4b6c2e
Opcode Fuzzy Hash: f2ce5e3445e4cb6bb67e75d652101ae0854e26ba7e2259fe31d57c8f6447a040
Instruction Fuzzy Hash: C1F04939200345FBDB215FA49C8DF9A3BADEF8A762F614415FE45CA651CB70DC818BA0

Function 001B1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 001B102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 001B1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001B1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 001B104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001B1062

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 56869306bf8377c448402fe25ccb47275ff7832e29634f1e5da809ec873a3120
Instruction ID: cdb0f7641aa69fefaf5f8958020618415bc2e9da5b5d7ae4a01c25d16c6d56bd
Opcode Fuzzy Hash: 56869306bf8377c448402fe25ccb47275ff7832e29634f1e5da809ec873a3120
Instruction Fuzzy Hash: 61F04F39100341FBD7215FA4EC99F9A3B6DEF8A761F610414FD45CA650CB70D8818AA0

Function 001C030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,001C017D,?,001C32FC,?,00000001,00192592,?), ref: 001C0324
CloseHandle.KERNEL32(?,?,?,?,001C017D,?,001C32FC,?,00000001,00192592,?), ref: 001C0331
CloseHandle.KERNEL32(?,?,?,?,001C017D,?,001C32FC,?,00000001,00192592,?), ref: 001C033E
CloseHandle.KERNEL32(?,?,?,?,001C017D,?,001C32FC,?,00000001,00192592,?), ref: 001C034B
CloseHandle.KERNEL32(?,?,?,?,001C017D,?,001C32FC,?,00000001,00192592,?), ref: 001C0358
CloseHandle.KERNEL32(?,?,?,?,001C017D,?,001C32FC,?,00000001,00192592,?), ref: 001C0365

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: fdc14175c91c69d7c468d612b0cadb219369c9fbd1fec103cba9190b497c596e
Instruction ID: a38da16d7f258c06d9e74c4272991f74404e954a857839e5a82c99d01665fd7a
Opcode Fuzzy Hash: fdc14175c91c69d7c468d612b0cadb219369c9fbd1fec103cba9190b497c596e
Instruction Fuzzy Hash: FB01EE72800B81CFCB32AF66D880802FBF9BF603153059A3FD19252931C3B1A989CF80

Function 0018D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0018D752

Part of subcall function 001829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0018D7D1,00000000,00000000,00000000,00000000,?,0018D7F8,00000000,00000007,00000000,?,0018DBF5,00000000), ref: 001829DE
Part of subcall function 001829C8: GetLastError.KERNEL32(00000000,?,0018D7D1,00000000,00000000,00000000,00000000,?,0018D7F8,00000000,00000007,00000000,?,0018DBF5,00000000,00000000), ref: 001829F0

_free.LIBCMT ref: 0018D764
_free.LIBCMT ref: 0018D776
_free.LIBCMT ref: 0018D788
_free.LIBCMT ref: 0018D79A

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 4983f00e7595060a01d7321fc2dc210ae95114eae5681df88db95a08c6e502d4
Instruction ID: c65d8b95ff346c1a461134dce79e44d5ca6767d63c1cfe7225bc4c62264a7d1c
Opcode Fuzzy Hash: 4983f00e7595060a01d7321fc2dc210ae95114eae5681df88db95a08c6e502d4
Instruction Fuzzy Hash: 94F03632944314AB8622FB68F9C6C5677EDBB547187A64C05F048D7541CB34FD808F64

Function 001822A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 001822BE

Part of subcall function 001829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0018D7D1,00000000,00000000,00000000,00000000,?,0018D7F8,00000000,00000007,00000000,?,0018DBF5,00000000), ref: 001829DE
Part of subcall function 001829C8: GetLastError.KERNEL32(00000000,?,0018D7D1,00000000,00000000,00000000,00000000,?,0018D7F8,00000000,00000007,00000000,?,0018DBF5,00000000,00000000), ref: 001829F0

_free.LIBCMT ref: 001822D0
_free.LIBCMT ref: 001822E3
_free.LIBCMT ref: 001822F4
_free.LIBCMT ref: 00182305

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2253b49d67bf9e44c06f505277f11ad871e710050b80465cff6056c6cfb44e0a
Instruction ID: 107266f03a7132f327449c6597ddb6fe465b9aa4763c1166d01daab8b524b9b5
Opcode Fuzzy Hash: 2253b49d67bf9e44c06f505277f11ad871e710050b80465cff6056c6cfb44e0a
Instruction Fuzzy Hash: 3CF030B4880130AB8623BFD4BC498483B65B7387507122606F814D3272CF3416639FA4

Function 001695C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 001695D4
StrokeAndFillPath.GDI32(?,?,001A71F7,00000000,?,?,?), ref: 001695F0
SelectObject.GDI32(?,00000000), ref: 00169603
DeleteObject.GDI32 ref: 00169616
StrokePath.GDI32(?), ref: 00169631

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: de59e9464d4e1be9db61c502809dd9f6839b8909dedc0c1e2b735deb374f4970
Instruction ID: 4c524640da1133d827d86fe88e92990ec3bcc0cd4ca179ec3a1cad6367edb3fb
Opcode Fuzzy Hash: de59e9464d4e1be9db61c502809dd9f6839b8909dedc0c1e2b735deb374f4970
Instruction Fuzzy Hash: B2F0C9350053C8EBDB265FA9ED5CB683B65AB11322F049214F465594F0C73089F7DF60

Function 00180F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 001810F9
__freea.LIBCMT ref: 00181117

Part of subcall function 00181537: _free.LIBCMT ref: 0018154F

Strings

a/p, xrefs: 001811DE
am/pm, xrefs: 0018117A

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 162ae20fbf80fe996205bb6fa14d8d49e0f359ea18329e70d1903acecf63fb78
Instruction ID: 6a427964ef79f1e446761cf10dcdfe939daafe30cd2ebca6cab6a48620859363
Opcode Fuzzy Hash: 162ae20fbf80fe996205bb6fa14d8d49e0f359ea18329e70d1903acecf63fb78
Instruction Fuzzy Hash: BED10433900206EACB28BF68C845BFAB7B9FF16710F294159E9059B650D3759F82CF51

Function 001D61D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00170242: EnterCriticalSection.KERNEL32(0022070C,00221884,?,?,0016198B,00222518,?,?,?,001512F9,00000000), ref: 0017024D
Part of subcall function 00170242: LeaveCriticalSection.KERNEL32(0022070C,?,0016198B,00222518,?,?,?,001512F9,00000000), ref: 0017028A

Part of subcall function 001700A3: __onexit.LIBCMT ref: 001700A9

__Init_thread_footer.LIBCMT ref: 001D6238

Part of subcall function 001701F8: EnterCriticalSection.KERNEL32(0022070C,?,?,00168747,00222514), ref: 00170202
Part of subcall function 001701F8: LeaveCriticalSection.KERNEL32(0022070C,?,00168747,00222514), ref: 00170235

Part of subcall function 001C359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 001C35E4
Part of subcall function 001C359C: LoadStringW.USER32(00222390,?,00000FFF,?), ref: 001C360A

Strings

x#", xrefs: 001D636F
x#", xrefs: 001D6353
x#", xrefs: 001D633A

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#"$x#"$x#"
API String ID: 1072379062-2717048500
Opcode ID: b163d19243e28f84369192247b75f6f96d7f74d25ad41f497a780ff47fb8002e
Instruction ID: bfa7aa91f0c1e63cc613c375ecdcdee27f9cb44ede8b36ed7d4e646dc2912c9d
Opcode Fuzzy Hash: b163d19243e28f84369192247b75f6f96d7f74d25ad41f497a780ff47fb8002e
Instruction Fuzzy Hash: 31C16A71A00205AFCB14DF98D891EBEB7B9EF58340F10816AF915AB391DB70E985CB90

Function 001D7B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00170242: EnterCriticalSection.KERNEL32(0022070C,00221884,?,?,0016198B,00222518,?,?,?,001512F9,00000000), ref: 0017024D
Part of subcall function 00170242: LeaveCriticalSection.KERNEL32(0022070C,?,0016198B,00222518,?,?,?,001512F9,00000000), ref: 0017028A

Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD

Part of subcall function 001700A3: __onexit.LIBCMT ref: 001700A9

__Init_thread_footer.LIBCMT ref: 001D7BFB

Part of subcall function 001701F8: EnterCriticalSection.KERNEL32(0022070C,?,?,00168747,00222514), ref: 00170202
Part of subcall function 001701F8: LeaveCriticalSection.KERNEL32(0022070C,?,00168747,00222514), ref: 00170235

Strings

G, xrefs: 001D7C7F
5, xrefs: 001D7C78
Variable must be of type 'Object'., xrefs: 001D7C3A

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 43fffad2ba256307e07a685330d2a935dff56fb927757c48c06bbe890b0043dd
Instruction ID: 2bb7329ad05a93c68b79b5e72f6bb6aacdf846d9924152d66c3431f61775a775
Opcode Fuzzy Hash: 43fffad2ba256307e07a685330d2a935dff56fb927757c48c06bbe890b0043dd
Instruction Fuzzy Hash: 3A918B71A04609EFCB14EF94D891DADB7B2FF59300F50805AF806AB392EB71AE45CB51

Function 0018172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Payment 01.08.25.pdf.exe,00000104), ref: 00181769
_free.LIBCMT ref: 00181834
_free.LIBCMT ref: 0018183E

Strings

C:\Users\user\Desktop\Payment 01.08.25.pdf.exe, xrefs: 00181760, 00181767, 00181796, 001817CE

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\Payment 01.08.25.pdf.exe
API String ID: 2506810119-900951643
Opcode ID: 20dbab01b37013ac8751977ca752f9e95c8b61901e9df788cbc846e0edb112c0
Instruction ID: 25b1637e87d1ea04a8131f135ee3485f8733aac8d797f9f7df5d295462f39acd
Opcode Fuzzy Hash: 20dbab01b37013ac8751977ca752f9e95c8b61901e9df788cbc846e0edb112c0
Instruction Fuzzy Hash: 46318E72A00218FBDB21EB999885D9EBBFCEBA5310B1041AAF80497211D7708F42CF90

Function 001BC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 001BC306
DeleteMenu.USER32(?,00000007,00000000), ref: 001BC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00221990,01644EC0), ref: 001BC395

Strings

0, xrefs: 001BC2DF

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 501a6b8ced9f348cc5f2ab86fab17f6472a3952dbd62d5fe6d05180bbe4a62a1
Instruction ID: 194bb264b45e44a142006ff3f8f18a22a391342694e33586f5769a1dbbed6b14
Opcode Fuzzy Hash: 501a6b8ced9f348cc5f2ab86fab17f6472a3952dbd62d5fe6d05180bbe4a62a1
Instruction Fuzzy Hash: D341AE312043419FD724DF25D884F9BBBE4BF95320F048A1EF8A59B2E1D770A904CBA2

Function 001E4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,001ECC08,00000000,?,?,?,?), ref: 001E44AA
GetWindowLongW.USER32 ref: 001E44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 001E44D7

Strings

SysTreeView32, xrefs: 001E447C

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 17955d300f21d9198d66d35a70e32a25e6088c222b784d9d642d671db42a6d95
Instruction ID: 4f948de105af6f83bcd7a292fd7c517870a6fff8396bcedd57766362a476087a
Opcode Fuzzy Hash: 17955d300f21d9198d66d35a70e32a25e6088c222b784d9d642d671db42a6d95
Instruction Fuzzy Hash: 35319C32210A85AFDB208E79DC45BEA77A9EF08334F204325F975921D0D770AC519790

Function 001D304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 001D335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,001D3077,?,?), ref: 001D3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 001D307A
_wcslen.LIBCMT ref: 001D309B
htons.WSOCK32(00000000,?,?,00000000), ref: 001D3106

Strings

255.255.255.255, xrefs: 001D3095, 001D309A

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: fed38efe02cac8b68d036469b11cb5287a50e4a2b2ba62b4e4e72457dd62ba2c
Instruction ID: 36302389bd5b74fc7963aeda48b6f4581fe5c78bd5deb5353fde337ffd33a6ed
Opcode Fuzzy Hash: fed38efe02cac8b68d036469b11cb5287a50e4a2b2ba62b4e4e72457dd62ba2c
Instruction Fuzzy Hash: 8D31E739200206DFC710CF68C985EA977F0EF54318F25815AE9258F792D771EE45C762

Function 001E4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 001E4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 001E4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 001E471A

Strings

msctls_updown32, xrefs: 001E4684

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 9445f19e3b451023975e108c6747f6949870f3ccc3e210c36d671110fa1eaf0c
Instruction ID: dcb127bb1972fdd92ed84acc346042486dc44a093492411b7665f8c063e11d23
Opcode Fuzzy Hash: 9445f19e3b451023975e108c6747f6949870f3ccc3e210c36d671110fa1eaf0c
Instruction Fuzzy Hash: A42160B5600648AFDB10DF65DCC1DAB37EDEF5A7A4B040059FA009B351CB70EC62CAA0

Function 001B95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001B961D

Strings

#notrayicon, xrefs: 001B95B7
#requireadmin, xrefs: 001B95D9
#OnAutoItStartRegister, xrefs: 001B95F3

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 00ad8b5995748cf86d7e32632641ebe1f4a9e0f6e0caccfed0140c0d025ea152
Instruction ID: 08d58ab944dd2d163dffa6f409810c5fcdfc3863f4d01ead0195c5f079be93af
Opcode Fuzzy Hash: 00ad8b5995748cf86d7e32632641ebe1f4a9e0f6e0caccfed0140c0d025ea152
Instruction Fuzzy Hash: 0D216A32244650A6D331AB25EC06FFB73E8AFA5300F10802AFF499B081EB51AD57C2D5

Function 001E37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 001E3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 001E3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 001E3876

Strings

Listbox, xrefs: 001E380F

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 902d0cd89c69e3caa52ac9ccaf1e7a7b522e829fe37bdf703a4c42d8b240ca3b
Instruction ID: c6b3af4d9b76458da474c0d44e8630a58ffee346f63180ec1bd1da2dd3f0f71e
Opcode Fuzzy Hash: 902d0cd89c69e3caa52ac9ccaf1e7a7b522e829fe37bdf703a4c42d8b240ca3b
Instruction Fuzzy Hash: 95218072610158BBEB218F96DC89EAF376AEF99750F118124F9149B190C771DC5287A0

Function 001B223F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 001B2258

Part of subcall function 00156B57: _wcslen.LIBCMT ref: 00156B6A

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 001B228A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 001B22CA

Strings

@U=u, xrefs: 001B2258, 001B228A, 001B22CA

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID: @U=u
API String ID: 763830540-2594219639
Opcode ID: adf2b950fb60923f3cebf9758d941b714745bd84ac52d99d4299f6e2e15a7f11
Instruction ID: eb70e9b9be15ac5f8ee131ce297398e39da29ed7aebb53d34ac03e80d7eb457f
Opcode Fuzzy Hash: adf2b950fb60923f3cebf9758d941b714745bd84ac52d99d4299f6e2e15a7f11
Instruction Fuzzy Hash: F921C931700244ABDB10AB55CD89FEF3BA9EF6D711F044025FE05DB291D7B48D4987A1

Function 001C49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001C4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 001C4A5C
SetErrorMode.KERNEL32(00000000,?,?,001ECC08), ref: 001C4AD0

Strings

%lu, xrefs: 001C4A6F

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 2011558527290d1fe8a3e3c8fe38caf8e63b1b3159c92361473511acfa11f66a
Instruction ID: 274e549ec4d2a4b158e85a112dadda25490d7f5c1a6a5db5bdf618cb7d555f1d
Opcode Fuzzy Hash: 2011558527290d1fe8a3e3c8fe38caf8e63b1b3159c92361473511acfa11f66a
Instruction Fuzzy Hash: A7312D75A00109EFDB10DF54C885EAA77E8EF15308F148099E905DF252D771ED46CBA1

Function 001B1B2C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 001B1B4F
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 001B1B61
SendMessageW.USER32(?,0000000D,?,00000000), ref: 001B1B99

Strings

@U=u, xrefs: 001B1B99

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: b9d2c021f024fccb80453a4801f31dd205394d08f12d36e68d6144af83545a19
Instruction ID: 4440ebcf930a66a059e127a80c32d27312275eade3e318c330fa022289065755
Opcode Fuzzy Hash: b9d2c021f024fccb80453a4801f31dd205394d08f12d36e68d6144af83545a19
Instruction Fuzzy Hash: 3421C032600118BFDB15DBA8DD91DEFB7FAEF44340F51046AE505E7290EB71AE418B94

Function 001D0CD5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000402,00000000,00000000), ref: 001D0D24
SendMessageW.USER32(0000000C,00000000,?), ref: 001D0D65
SendMessageW.USER32(0000000C,00000000,?), ref: 001D0D8D

Strings

@U=u, xrefs: 001D0D24, 001D0D65, 001D0D8D

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 88cd1e2377763b2d26b7c3c691f079d1eb07f4d03d2fa9765b425e8e46538733
Instruction ID: 7ed91e7560194a50e37f5a280143413975aadd57caf707117621b229aedfb3bb
Opcode Fuzzy Hash: 88cd1e2377763b2d26b7c3c691f079d1eb07f4d03d2fa9765b425e8e46538733
Instruction Fuzzy Hash: 35213335200900EFD711EBA4E986EAAB7E6FF19311B008456F9199BB71DB30FC52CB90

Function 001E41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 001E424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 001E4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 001E4271

Strings

msctls_trackbar32, xrefs: 001E4226

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 256f8d92df48c74b7ab759dd77d445611d8363fc571a1b77503eb1e69e51c881
Instruction ID: 3c6b4881a58c3e623445cdec4c664c663ae3b4479144e521d80e5917a8b9eb99
Opcode Fuzzy Hash: 256f8d92df48c74b7ab759dd77d445611d8363fc571a1b77503eb1e69e51c881
Instruction Fuzzy Hash: 7011E331240288BFEF205F69DC46FAB7BACEF99B64F010124FA55E6090D371D8619B50

Function 001B2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00156B57: _wcslen.LIBCMT ref: 00156B6A

Part of subcall function 001B2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 001B2DC5
Part of subcall function 001B2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 001B2DD6
Part of subcall function 001B2DA7: GetCurrentThreadId.KERNEL32 ref: 001B2DDD
Part of subcall function 001B2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 001B2DE4

GetFocus.USER32 ref: 001B2F78

Part of subcall function 001B2DEE: GetParent.USER32(00000000), ref: 001B2DF9

GetClassNameW.USER32(?,?,00000100), ref: 001B2FC3
EnumChildWindows.USER32(?,001B303B), ref: 001B2FEB

Strings

%s%d, xrefs: 001B2FFF

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: e0311200b85fdea131d6ef3f919d41024adc6766e37fd0f756edb1ee1a12dfda
Instruction ID: aeb4f28968df2c37d281e3ec64f33db628ec5389d756338d2afc41b5962f4cbc
Opcode Fuzzy Hash: e0311200b85fdea131d6ef3f919d41024adc6766e37fd0f756edb1ee1a12dfda
Instruction Fuzzy Hash: CF11B471700205ABCF147FB08CC5EEE776AAFA9304F044075FD199B252DF70994A8BA0

Function 001E3429 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 001E34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 001E34BA

Strings

@U=u, xrefs: 001E34BA
edit, xrefs: 001E348F

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: @U=u$edit
API String ID: 2978978980-590756393
Opcode ID: ddd86182a93c3f961c219c02b1f293b0538c88fddaac7c062cb46e43173933a9
Instruction ID: 2e7d0b47a85f17fb0774e0d2f9c84b999c345e4860e683ef4b12bf70871a6acc
Opcode Fuzzy Hash: ddd86182a93c3f961c219c02b1f293b0538c88fddaac7c062cb46e43173933a9
Instruction Fuzzy Hash: C111BF71100588AFEB124E65DC88AEF376AEF15374F504324F970971D0C731DD929B50

Function 001BD66A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 001BD682
DeviceIoControl.KERNEL32(00000000,t.Windows.Common-Controls" version="6.0.0.0" language="*" processorArchitecture="*" publicKeyToken="6595b64144ccf1df"/> </dependentAssembly> </dependency> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges>,00000007,0000000C,?,0000000C,?,00000000), ref: 001BD6BF
CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 001BD6C8

Strings

t.Windows.Common-Controls" version="6.0.0.0" language="*" processorArchitecture="*" publicKeyToken="6595b64144ccf1df"/> </dependentAssembly> </dependency> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges>, xrefs: 001BD6B9

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID: t.Windows.Common-Controls" version="6.0.0.0" language="*" processorArchitecture="*" publicKeyToken="6595b64144ccf1df"/> </dependentAssembly> </dependency> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges>
API String ID: 33631002-3738756521
Opcode ID: f9f75be9ef9470c4052ef935677c13ac73c7b3d762ecd709bbdbcf9067b5a923
Instruction ID: fbf26fa656cbaf9382bf309e6dd47666f9f492ac59e050d191ca669c4787638c
Opcode Fuzzy Hash: f9f75be9ef9470c4052ef935677c13ac73c7b3d762ecd709bbdbcf9067b5a923
Instruction Fuzzy Hash: 27015EB1901228BBE7109BE8AC49FAFBBBCEB08750F104515BA14EA190D3B45E458BE1

Function 001B1BD8 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD

Part of subcall function 001B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 001B3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 001B1C46

Strings

ListBox, xrefs: 001B1C10
ComboBox, xrefs: 001B1BE5
@U=u, xrefs: 001B1C46

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: @U=u$ComboBox$ListBox
API String ID: 624084870-2258501812
Opcode ID: a9ef0ff11a2d945d92bbefdc8881964c2b86c1027c7e676fc18ac83ad058fdf7
Instruction ID: 5ea96a0037408dc0ed90dbceca7d08da76d8461c0481d1c237844bb828086abf
Opcode Fuzzy Hash: a9ef0ff11a2d945d92bbefdc8881964c2b86c1027c7e676fc18ac83ad058fdf7
Instruction Fuzzy Hash: 8B01A775681108F6CB08EB90D9629FF7BA89F66340F540019E8166B282EB209F1C96B2

Function 001E5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 001E58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 001E58EE
DrawMenuBar.USER32(?), ref: 001E58FD

Strings

0, xrefs: 001E588F

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 560ced08fd2190ea8aabb77055abb89f1e1352b9dac597eb9974e687153093aa
Instruction ID: f4d0346a56bdf7918586f3873aa8091c0fb720261c98aef7a2bb8f9728d75ccb
Opcode Fuzzy Hash: 560ced08fd2190ea8aabb77055abb89f1e1352b9dac597eb9974e687153093aa
Instruction Fuzzy Hash: E701AD31600688EFDB209F52EC44BEEBFB5FF45369F008099E848DA152DB308A91DF20

Function 001E7803 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,002218B0,001EA364,000000FC,?,00000000,00000000,?,?,?,001A76CF,?,?,?,?,?), ref: 001E7805
GetFocus.USER32 ref: 001E780D

Part of subcall function 00169BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00169BB2

Part of subcall function 00169944: GetWindowLongW.USER32(?,000000EB), ref: 00169952

SendMessageW.USER32(0164CDC0,000000B0,000001BC,000001C0), ref: 001E787A

Strings

@U=u, xrefs: 001E787A

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Window$Long$FocusForegroundMessageSend
String ID: @U=u
API String ID: 3601265619-2594219639
Opcode ID: dbbf22a7638c14847822b2ad0107cf65a28d49fdeaa9258d14bc974fd605442b
Instruction ID: 304498977591933ae87443e32bbedd54cd07b0b1b305cbffc4f64c6c164e1b41
Opcode Fuzzy Hash: dbbf22a7638c14847822b2ad0107cf65a28d49fdeaa9258d14bc974fd605442b
Instruction Fuzzy Hash: E90171325015509FE329DB69FC9CEAA73E5AF9A320F180269E4158B2E0DB316C53CB80

Function 001AD3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 001AD3BF
FreeLibrary.KERNEL32 ref: 001AD3E5

Strings

X64, xrefs: 001AD2A8
GetSystemWow64DirectoryW, xrefs: 001AD3B9

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: cff1ae8270fda0e63b141e4d0fb782356f8e9515f18fa6d2f27ce5feb5cea9fd
Instruction ID: 7fbf4d3b65e264529e84065f51a90e0024ba89d40263040fbe092a3435428beb
Opcode Fuzzy Hash: cff1ae8270fda0e63b141e4d0fb782356f8e9515f18fa6d2f27ce5feb5cea9fd
Instruction Fuzzy Hash: 5AF05569802E21DBCB3543116C54AAD3324BF12741B5A415AF403F5808DB20CD95C2C2

Function 001B007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a280207e0aecd811d9e1302a72bde27c76ea24e314fe2f10bf85aab834fddc70
Instruction ID: cb3ccee6a1ee809fd691ac93f07862a2dd6d692361922131878023ea9a06bf95
Opcode Fuzzy Hash: a280207e0aecd811d9e1302a72bde27c76ea24e314fe2f10bf85aab834fddc70
Instruction Fuzzy Hash: 58C14C75A0021AEFDB15CFA8C898AAEB7B5FF48704F118598E505EB261D731ED81CB90

Function 001D342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 001D3459
CoUninitialize.OLE32 ref: 001D3463
VariantInit.OLEAUT32(?), ref: 001D346E
VariantClear.OLEAUT32(?), ref: 001D371B

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: c9e6c1399c59fb1996be3c9bf62e2462604a07d79d4a2f47817a11cf5f6f6396
Instruction ID: e7d70af082f41b1b90189db9ab7fba10cf62b3b0b52a78c2ed31423220d1313b
Opcode Fuzzy Hash: c9e6c1399c59fb1996be3c9bf62e2462604a07d79d4a2f47817a11cf5f6f6396
Instruction Fuzzy Hash: CBA13D75604300DFC704DF28D485A2AB7E5FF98715F05885AF9999B3A1DB30EE05CB92

Function 001B0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,001EFC08,?), ref: 001B05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,001EFC08,?), ref: 001B0608
CLSIDFromProgID.OLE32(?,?,00000000,001ECC40,000000FF,?,00000000,00000800,00000000,?,001EFC08,?), ref: 001B062D
_memcmp.LIBVCRUNTIME ref: 001B064E

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 9765f113c6cb4081a18ad6c389d7d77342d8b264c8c3df9f5c48e9b4b879b36a
Instruction ID: e39592b26319df60fdc9b23054b8e0f4436dd13f782a0ead90e763e7c9cc0fb0
Opcode Fuzzy Hash: 9765f113c6cb4081a18ad6c389d7d77342d8b264c8c3df9f5c48e9b4b879b36a
Instruction Fuzzy Hash: 53810971A00209EFCB05DF98C984EEEB7B9FF89315F204558E516EB250DB71AE46CB60

Function 00191391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001914C0

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 3d96a86561519183f730d49a6b6de68aafb4c927a092324fc240608b09b5e4be
Instruction ID: bb03df5c9737b60ce2ec77978f155002fe242829ef646c085acb5c293937fe60
Opcode Fuzzy Hash: 3d96a86561519183f730d49a6b6de68aafb4c927a092324fc240608b09b5e4be
Instruction Fuzzy Hash: B4414731A00102BBDF257BF89C466BE3AB4FF69370F254225F81897192E73489C18762

Function 001D1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 001D1AFD
WSAGetLastError.WSOCK32 ref: 001D1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 001D1B8A
WSAGetLastError.WSOCK32 ref: 001D1B94

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 882fd889794751b86f880626c1f64a85ddf3807fb70bab3d8b8ec18415d88373
Instruction ID: dc9e653a9dbf206e6a483291d1a077dc99d5ca9fe0ebd34a7cc33a2bfb1aca87
Opcode Fuzzy Hash: 882fd889794751b86f880626c1f64a85ddf3807fb70bab3d8b8ec18415d88373
Instruction Fuzzy Hash: B041A034600200BFE720AF24D886F2A77E5AB58718F54845DF96A9F7D2D772ED42CB90

Function 0018B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7e1381281c8f8686ab8de43496ab58c45e9420f108623c2a2f6f954c5b532fe
Instruction ID: f2e776e55a859074d6a0b3395ef26b1f5ccc7a646f84079ab6d2fdb41c2dc6b4
Opcode Fuzzy Hash: b7e1381281c8f8686ab8de43496ab58c45e9420f108623c2a2f6f954c5b532fe
Instruction Fuzzy Hash: 60412B72A04304BFD725AF38CC82B6B7BE9EB94710F10452EF546DB292D3719A418B90

Function 001C56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 001C5783
GetLastError.KERNEL32(?,00000000), ref: 001C57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 001C57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 001C57FA

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 30d101164f9f194c94368aeefd8349b2dd5f9df86e0b44b440dcdd8d9c743948
Instruction ID: 733dc6b9b03cdf19e4a0c0efbcba7eb371cf318c280a8343bf32ded21fccd3d1
Opcode Fuzzy Hash: 30d101164f9f194c94368aeefd8349b2dd5f9df86e0b44b440dcdd8d9c743948
Instruction Fuzzy Hash: 74415D39600610DFCB10DF55D485A5EBBE2EF99321B198488EC5AAF3A2DB30FD45CB91

Function 0018D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00176D71,00000000,00000000,001782D9,?,001782D9,?,00000001,00176D71,8BE85006,00000001,001782D9,001782D9), ref: 0018D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0018D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0018D9AB
__freea.LIBCMT ref: 0018D9B4

Part of subcall function 00183820: RtlAllocateHeap.NTDLL(00000000,?,00221444,?,0016FDF5,?,?,0015A976,00000010,00221440,001513FC,?,001513C6,?,00151129), ref: 00183852

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 3e76ae07e1325d50afdaa2586979d84d27a519f733d59ce19434bdb47ceb0573
Instruction ID: fd4bb9f7dea0009ab7939417fff7d172ac2bddd42fa3f90be23e9203136373e1
Opcode Fuzzy Hash: 3e76ae07e1325d50afdaa2586979d84d27a519f733d59ce19434bdb47ceb0573
Instruction Fuzzy Hash: B731D272A0021AABDF25AF65EC41EAE7BA5EB41714F054168FC08D7190EB35CE51CB90

Function 001BAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,753DC0D0,?,00008000), ref: 001BABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 001BAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 001BAC74
SendInput.USER32(00000001,?,0000001C,753DC0D0,?,00008000), ref: 001BACC6

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 6477ab89c30603a7aba665810f201caeed835101f4099f51ddf11a32736d61c5
Instruction ID: f37f863ee7e4d19b67551c6ca7b10cd812deb7ff55473df822427f5c7b52313f
Opcode Fuzzy Hash: 6477ab89c30603a7aba665810f201caeed835101f4099f51ddf11a32736d61c5
Instruction Fuzzy Hash: E9314630A00358AFFF35CB65CC497FE7FA5AF89310F84431AE481962D1D374998187A2

Function 001E7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 001E769A
GetWindowRect.USER32(?,?), ref: 001E7710
PtInRect.USER32(?,?,001E8B89), ref: 001E7720
MessageBeep.USER32(00000000), ref: 001E778C

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 4629f8127e45e0c8963f1aa0c37110ea99fda3b5b60cafb8b862a192fbb9d5a2
Instruction ID: a3581d90bca773694823afcefeba1646b45447e3f13d2e62680492b372ca3202
Opcode Fuzzy Hash: 4629f8127e45e0c8963f1aa0c37110ea99fda3b5b60cafb8b862a192fbb9d5a2
Instruction Fuzzy Hash: 0841A034A05694EFEB11CF9AD898EADB7F4FF59304F1540A8E4149B2A1C330A982CF90

Function 001E16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 001E16EB

Part of subcall function 001B3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 001B3A57
Part of subcall function 001B3A3D: GetCurrentThreadId.KERNEL32 ref: 001B3A5E
Part of subcall function 001B3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001B25B3), ref: 001B3A65

GetCaretPos.USER32(?), ref: 001E16FF
ClientToScreen.USER32(00000000,?), ref: 001E174C
GetForegroundWindow.USER32 ref: 001E1752

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: d3b4568b24014f481bf9af61d4623a5633ab50429f6427e0f9ca334ea04c68d4
Instruction ID: c278c9112368146cd88649b30dac667456a3d0518a0da61756d4290197422b01
Opcode Fuzzy Hash: d3b4568b24014f481bf9af61d4623a5633ab50429f6427e0f9ca334ea04c68d4
Instruction Fuzzy Hash: B7314171D00249AFC704EFAAC8C1CEEB7F9EF59304B50806AE425EB251D7719E45CBA0

Function 001BD4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 001BD501
Process32FirstW.KERNEL32(00000000,?), ref: 001BD50F
Process32NextW.KERNEL32(00000000,?), ref: 001BD52F
CloseHandle.KERNEL32(00000000), ref: 001BD5DC

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: f904e9b7622f159035f39d92f648ffe76ad1e37a744d4434d949f8a513d174c1
Instruction ID: 47fcbbaa182a48eac7e539164a4c5f0a60f023f616c78ad5da5e7a6c0caacac8
Opcode Fuzzy Hash: f904e9b7622f159035f39d92f648ffe76ad1e37a744d4434d949f8a513d174c1
Instruction Fuzzy Hash: 19319031008340DFD314EF54D881AAFBBF8EFA9344F54092DF9918A1A1EB719989CB92

Function 001E8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00169BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00169BB2

GetCursorPos.USER32(?), ref: 001E9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,001A7711,?,?,?,?,?), ref: 001E9016
GetCursorPos.USER32(?), ref: 001E905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,001A7711,?,?,?), ref: 001E9094

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: e535c185c1f15933aca1b70ebabde5f8722bf9a449ea88d2e62c704b2825381c
Instruction ID: 07a48393b80b178ff8dc94814b513866549663635535062e04964ad28ab26fb0
Opcode Fuzzy Hash: e535c185c1f15933aca1b70ebabde5f8722bf9a449ea88d2e62c704b2825381c
Instruction Fuzzy Hash: C221D172600558FFCB258F95CC98EFE7BB9EF89350F444055F9058B261C3319AA1DBA0

Function 001BD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,001ECB68), ref: 001BD2FB
GetLastError.KERNEL32 ref: 001BD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 001BD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,001ECB68), ref: 001BD376

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 4c441b3c6af76c3074bbbad3764ad812c3a8915df5723480c79fb1e8f9c9d735
Instruction ID: 63dc299bb64272bf914e0637f6592426d026b28c3aae46a2320fdac3ec6dcbea
Opcode Fuzzy Hash: 4c441b3c6af76c3074bbbad3764ad812c3a8915df5723480c79fb1e8f9c9d735
Instruction Fuzzy Hash: 9D2171B0505301DF8718DF68D8814AE77E4BF55764F104A1DF8A9CB2A2E731D94ACB93

Function 001B1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001B1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 001B102A
Part of subcall function 001B1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 001B1036
Part of subcall function 001B1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001B1045
Part of subcall function 001B1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 001B104C
Part of subcall function 001B1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001B1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 001B15BE
_memcmp.LIBVCRUNTIME ref: 001B15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001B1617
HeapFree.KERNEL32(00000000), ref: 001B161E

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: ac69ad9dd6e82f02be1710118516b122188af3c4a00bab0af07b2e88e27ccdeb
Instruction ID: 43b7fdb36078d8ec6117ca69dadcea068772ad06f5cd4ad79c6a2b8bf60ef420
Opcode Fuzzy Hash: ac69ad9dd6e82f02be1710118516b122188af3c4a00bab0af07b2e88e27ccdeb
Instruction Fuzzy Hash: 1E21AC32E00208FFDF10DFA5C965BEEB7B8EF45354F4A8459E441AB241E770AA45CBA0

Function 001E2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 001E280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 001E2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 001E2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 001E2840

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 925569be6043f9d6feb2175d21ae382dc31a89cae82aed4f684f0df756de9f71
Instruction ID: 5418bf91bd2b4b1b0f5f122f834d851e36490f72e5258ff4e49beafd6c6d075e
Opcode Fuzzy Hash: 925569be6043f9d6feb2175d21ae382dc31a89cae82aed4f684f0df756de9f71
Instruction Fuzzy Hash: 1121F431604990AFD7149B25CC95FAE7799AF95324F148158F8268F6D2C771FC82C7D0

Function 001B78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 001B8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,001B790A,?,000000FF,?,001B8754,00000000,?,0000001C,?,?), ref: 001B8D8C
Part of subcall function 001B8D7D: lstrcpyW.KERNEL32(00000000,?,?,001B790A,?,000000FF,?,001B8754,00000000,?,0000001C,?,?,00000000), ref: 001B8DB2
Part of subcall function 001B8D7D: lstrcmpiW.KERNEL32(00000000,?,001B790A,?,000000FF,?,001B8754,00000000,?,0000001C,?,?), ref: 001B8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,001B8754,00000000,?,0000001C,?,?,00000000), ref: 001B7923
lstrcpyW.KERNEL32(00000000,?,?,001B8754,00000000,?,0000001C,?,?,00000000), ref: 001B7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,001B8754,00000000,?,0000001C,?,?,00000000), ref: 001B7984

Strings

cdecl, xrefs: 001B797B

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 9916b55d084925d6472a15afa6f6888131176bdb34390bb0453225fc33be084f
Instruction ID: 446d6b0ead6fe286b82933afe4687ab0f7115d3e0fded0719ee9be3b60822383
Opcode Fuzzy Hash: 9916b55d084925d6472a15afa6f6888131176bdb34390bb0453225fc33be084f
Instruction Fuzzy Hash: 1D11263A200342ABCB15AF74DC44DBA77A9FF95764B00402AF802CB2A4EB31D812C7A1

Function 001B1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 001B1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 001B1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 001B1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 001B1A8A

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 085ab49516526fe55bbdb1cd7b8be5f960e25dc62bcd9746105befc6a88761b8
Instruction ID: a40292b94913eb253cdb6edad3f77eaaf9eccec4fbceb0a93fb475b6c635bbc8
Opcode Fuzzy Hash: 085ab49516526fe55bbdb1cd7b8be5f960e25dc62bcd9746105befc6a88761b8
Instruction Fuzzy Hash: 5011273A901219FFEB109BA4CD85FEDBB79EB08750F210091EA00B7290D7716E50DB94

Function 001BE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 001BE1FD
MessageBoxW.USER32(?,?,?,?), ref: 001BE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 001BE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 001BE24D

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: eaabe47dd14afea5e5b6b30c73dfd3e87c169bd923cad747b24d822996b34f39
Instruction ID: abe6a3688d147d811b50f25573720d6fc33585df944201ba5b598f0da026f622
Opcode Fuzzy Hash: eaabe47dd14afea5e5b6b30c73dfd3e87c169bd923cad747b24d822996b34f39
Instruction Fuzzy Hash: E411E176904258BBC721DBE8AC49ADE7BEDAB45320F104299F825E3291D7B099018BA0

Function 0017D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0017CFF9,00000000,00000004,00000000), ref: 0017D218
GetLastError.KERNEL32 ref: 0017D224
__dosmaperr.LIBCMT ref: 0017D22B
ResumeThread.KERNEL32(00000000), ref: 0017D249

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 5311b664bebd7f6934e739e5906f2a7be05184c1ebcc9170ca65c972c1a7ca5a
Instruction ID: fc3e66a432cae2e91e78886cfc5a2491d5d5ed5b3eac17a5a9f6fa94db7edfa8
Opcode Fuzzy Hash: 5311b664bebd7f6934e739e5906f2a7be05184c1ebcc9170ca65c972c1a7ca5a
Instruction Fuzzy Hash: DD01D236805208BBCB116BA5EC09BAF7A79EF91731F208219F929961D1CF70C942C6E0

Function 00173B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00173B56

Part of subcall function 00173AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00173AD2
Part of subcall function 00173AA3: ___AdjustPointer.LIBCMT ref: 00173AED

_UnwindNestedFrames.LIBCMT ref: 00173B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00173B7C
CallCatchBlock.LIBVCRUNTIME ref: 00173BA4

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 63fdb484111fcd34d67418c56c921a40c69e77d129e60978e7f4185fed160a71
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 6901E932100149BBDF125E95CC46EEB7B79EF58754F048018FE6C96121C732E961EBA1

Function 00183073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,001513C6,00000000,00000000,?,0018301A,001513C6,00000000,00000000,00000000,?,0018328B,00000006,FlsSetValue), ref: 001830A5
GetLastError.KERNEL32(?,0018301A,001513C6,00000000,00000000,00000000,?,0018328B,00000006,FlsSetValue,001F2290,FlsSetValue,00000000,00000364,?,00182E46), ref: 001830B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0018301A,001513C6,00000000,00000000,00000000,?,0018328B,00000006,FlsSetValue,001F2290,FlsSetValue,00000000), ref: 001830BF

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 4468cca49bc91ffa9d4a19c46fcc8eabdb0abbd636da834eb60b895b1fb29170
Instruction ID: e03e78561e1531b4bf3e80a5f7e45164ccd89b6627098c43311297549a8ccc8e
Opcode Fuzzy Hash: 4468cca49bc91ffa9d4a19c46fcc8eabdb0abbd636da834eb60b895b1fb29170
Instruction Fuzzy Hash: AA01A732751322EBCB315BF9AC8896B7B98AF45F61B190720F925E7540D721DB42CBE0

Function 001B7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 001B747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 001B7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 001B74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 001B74CA

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 70be6c84edc64d056eb4cf2f5221a74543564703f454e3d7ed28dda09cd4a20a
Instruction ID: 8a6267883d3a965de25dc564b9630db69c10a9853cea973606a28e5af70636d8
Opcode Fuzzy Hash: 70be6c84edc64d056eb4cf2f5221a74543564703f454e3d7ed28dda09cd4a20a
Instruction Fuzzy Hash: 5611A1B12093149BE7209F54DC48FD67BFCEB40B01F108969E616DA5D1D770E944DB90

Function 001BB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,001BACD3,?,00008000), ref: 001BB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,001BACD3,?,00008000), ref: 001BB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,001BACD3,?,00008000), ref: 001BB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,001BACD3,?,00008000), ref: 001BB126

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: eba3e359d5183d3f03802919c0f87f922b98df4edd21ec01882598df3b64316f
Instruction ID: d7d6ca2225c388a499725ca3b9db81e3dd8fdecdda71b296ed4896f4ad965c4d
Opcode Fuzzy Hash: eba3e359d5183d3f03802919c0f87f922b98df4edd21ec01882598df3b64316f
Instruction Fuzzy Hash: 4E113971C0552CE7CF04AFE8E9E86FEBB78FF0A711F114085E941B6681CBB096518B91

Function 001B2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 001B2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 001B2DD6
GetCurrentThreadId.KERNEL32 ref: 001B2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 001B2DE4

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 95c7b3b8bc58545193677c83e39086546a2ee8db14cb9dbf3674ceedbd74ee75
Instruction ID: 78eb0e92972cfff952966d3d02f5f642e533261d353615e6875261b07e5b2489
Opcode Fuzzy Hash: 95c7b3b8bc58545193677c83e39086546a2ee8db14cb9dbf3674ceedbd74ee75
Instruction Fuzzy Hash: 9DE09272101224BBDB201BF29C4DFEF7E6CEF46BA1F000019F105D55809BA0C886C6F0

Function 001E8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00169639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00169693
Part of subcall function 00169639: SelectObject.GDI32(?,00000000), ref: 001696A2
Part of subcall function 00169639: BeginPath.GDI32(?), ref: 001696B9
Part of subcall function 00169639: SelectObject.GDI32(?,00000000), ref: 001696E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 001E8887
LineTo.GDI32(?,?,?), ref: 001E8894
EndPath.GDI32(?), ref: 001E88A4
StrokePath.GDI32(?), ref: 001E88B2

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: c9951a552a88de4d3937dbfa378370f2818589534fd3bfa2054bf335c16571eb
Instruction ID: 50293e575f18c032634952dc56eae5cdf6e1a3facc1927af38d952f567ffc050
Opcode Fuzzy Hash: c9951a552a88de4d3937dbfa378370f2818589534fd3bfa2054bf335c16571eb
Instruction Fuzzy Hash: 22F03A3A041698FADB125FD4AC0DFCE3A59AF16310F048000FE12690E1C77555A2CFE5

Function 001698B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 001698CC
SetTextColor.GDI32(?,?), ref: 001698D6
SetBkMode.GDI32(?,00000001), ref: 001698E9
GetStockObject.GDI32(00000005), ref: 001698F1

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 9311caa5f2984efbdd564183020a999d9506f759f0d93f20172307b240d09d65
Instruction ID: f1722d5a1ba19309466168c2a872140b64be357324a72ec4c6b13aadee6ecc6e
Opcode Fuzzy Hash: 9311caa5f2984efbdd564183020a999d9506f759f0d93f20172307b240d09d65
Instruction Fuzzy Hash: 13E06D31244680EADB215BB8EC49BEC3F61EB52736F048219F6FA584E1C37146919F10

Function 001B162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 001B1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,001B11D9), ref: 001B163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,001B11D9), ref: 001B1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,001B11D9), ref: 001B164F

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 3377e023383d48d1d342e99c16e6af86068c9f8d71506c7b86d0552998e938a4
Instruction ID: 33f6b75816b53be5178a26024104fdc0deba0cd74ffa4cfa1b1d376cc20cebad
Opcode Fuzzy Hash: 3377e023383d48d1d342e99c16e6af86068c9f8d71506c7b86d0552998e938a4
Instruction Fuzzy Hash: 4DE08C36602211EBD7201FE4AE4DB8F3B7CAF547A2F158808F646CD080E7748482CBA0

Function 001AD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 001AD858
GetDC.USER32(00000000), ref: 001AD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 001AD882
ReleaseDC.USER32(?), ref: 001AD8A3

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 5fb5b6bfd601eb650301cc96854fc33d617fcd7509aa6ed00e3b556a6c8c8354
Instruction ID: 7683996b03be14eb6ceeeea1f4397ea6a63391dbab261563ee672c46cb96b620
Opcode Fuzzy Hash: 5fb5b6bfd601eb650301cc96854fc33d617fcd7509aa6ed00e3b556a6c8c8354
Instruction Fuzzy Hash: A0E01AB8800204DFCF419FE4DC4866EBBB1FB48311F118409F816EB750C7384992AF80

Function 001AD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 001AD86C
GetDC.USER32(00000000), ref: 001AD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 001AD882
ReleaseDC.USER32(?), ref: 001AD8A3

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: cdb952920b08dc96e74f81485cc875cd62b1e671e0f2a6c62b62080191c4e14d
Instruction ID: f3099c2a4f126f4b9dd719f364912cdb8a383943c695fdb07094f23851925816
Opcode Fuzzy Hash: cdb952920b08dc96e74f81485cc875cd62b1e671e0f2a6c62b62080191c4e14d
Instruction Fuzzy Hash: 93E012B4C00200EFCF40AFE4DC8866EBBB1BB48311B108409F81AEB750CB385982AF80

Function 001C4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00157620: _wcslen.LIBCMT ref: 00157625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 001C4ED4

Strings

*, xrefs: 001C4E10
LPT, xrefs: 001C4DFB

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 11f4dbcfe8c5fa8e0a0f120c6eff3c34125e701fbfb71e79d7f7758739ad7039
Instruction ID: bdccafb17d88d01912f4a739ad55d167985cfabd5715cb449c37e88f0b010c42
Opcode Fuzzy Hash: 11f4dbcfe8c5fa8e0a0f120c6eff3c34125e701fbfb71e79d7f7758739ad7039
Instruction Fuzzy Hash: C0917B74A042049FDB14DF58C494FAABBF1AF64304F19809DE84A9F3A2D735EE85CB90

Function 0017E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0017E30D

Strings

pow, xrefs: 0017E2E5, 0017E302

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: dfb2ac2cefe9cf1b69acf60ad67a50187fc8e5ce56ec6775b6a127ff2838a1e4
Instruction ID: 2f0414df68c60a4ff7c075c712b45b4cffc0499d565ba97df42b11ec6c2f4479
Opcode Fuzzy Hash: dfb2ac2cefe9cf1b69acf60ad67a50187fc8e5ce56ec6775b6a127ff2838a1e4
Instruction Fuzzy Hash: D7513761A0C20296CB157724C94137A3BF4AB54740F34CED8E09A832E9EB35CED1DF46

Function 001D7771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(001A569E,00000000,?,001ECC08,?,00000000,00000000), ref: 001D78DD

Part of subcall function 00156B57: _wcslen.LIBCMT ref: 00156B6A

CharUpperBuffW.USER32(001A569E,00000000,?,001ECC08,00000000,?,00000000,00000000), ref: 001D783B

Strings

<s!, xrefs: 001D77C8

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s!
API String ID: 3544283678-2588671885
Opcode ID: 8ce586bd6aba487b93901107cc334d07e3acc5fba7a30dd1a7161fb58bc42fcd
Instruction ID: cfb542ee91d69d090ebdbc296683a686a1a9c4ac2d9e7329ceb66f450223305a
Opcode Fuzzy Hash: 8ce586bd6aba487b93901107cc334d07e3acc5fba7a30dd1a7161fb58bc42fcd
Instruction Fuzzy Hash: 31615E72914118EACF08EBA4DCA1DFDB374BF28305B844526E952AB191FF345A49DBA0

Function 0016E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0016E1B1

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 9574b104a20e4939a1bbffa454db2f51c8352f6b9520a6ff3fd0df1306f4e243
Instruction ID: ed717b7508800db7161ba330e6c7f9fe28721e13770d2ac604829c4ad372bcc3
Opcode Fuzzy Hash: 9574b104a20e4939a1bbffa454db2f51c8352f6b9520a6ff3fd0df1306f4e243
Instruction Fuzzy Hash: C6516479900346DFDB19DFA8C891ABA7BE5EF26310F244119FC919B2C0DB349D56CBA0

Function 0016F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0016F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0016F2BB

Strings

@, xrefs: 0016F2AF

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: c534eb53d9e58a9fb66d7975ec36ffa046410414bcd45b34734075e68dc9858d
Instruction ID: 33689b676728d23587d7eb94e7320452bb124306e9654ff776032c993270386d
Opcode Fuzzy Hash: c534eb53d9e58a9fb66d7975ec36ffa046410414bcd45b34734075e68dc9858d
Instruction Fuzzy Hash: D0515771408744DBD320AF14EC86BAFBBF8FB95301F81884DF5E945196EB708529CBA6

Function 001B2999 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 130windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 001B29EB
SendMessageW.USER32(?,0000110A,00000001,?), ref: 001B2A8D

Part of subcall function 001B2C75: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 001B2CE0

Strings

@U=u, xrefs: 001B29EB, 001B2A8D

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 4318ccef5f4eda39d9535c7534c05aa7efa3341cc928e3e73344b1f81be182e1
Instruction ID: 13e8f5b82693bbdcf62fad56e5ebab43e4d16c5a5acaf3d4407d82dbf2b66fd4
Opcode Fuzzy Hash: 4318ccef5f4eda39d9535c7534c05aa7efa3341cc928e3e73344b1f81be182e1
Instruction Fuzzy Hash: EE41B330A00209ABDF25DF64CC45BEE7BB9EF58755F040029FD15A7291DB709E49CBA2

Function 001D5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 001D57E0
_wcslen.LIBCMT ref: 001D57EC

Strings

CALLARGARRAY, xrefs: 001D57E6, 001D57EB

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 74a4b3b6ea795ad713e932749f48bc5bb1c8e20f1375ef55c3990886d0da4261
Instruction ID: 40d88311a2f2c46150392b930240810290fb121da801e6ccbc20ad61cddd0d03
Opcode Fuzzy Hash: 74a4b3b6ea795ad713e932749f48bc5bb1c8e20f1375ef55c3990886d0da4261
Instruction Fuzzy Hash: 2041A031A00209DFCF14DFA9C8818AEBBB6FF69314F10416AE515AB391E7349D81CB90

Function 001CD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001CD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 001CD13A

Strings

|, xrefs: 001CD10B

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: f7dab63c0d5173c1dae1e644be3577186482e02f7b2f5395021a4b3b01ad5c8a
Instruction ID: 6b5276cf5ae7eddfe0135b784975c3185359ca399ad6f7b1fcc47067c3dbb471
Opcode Fuzzy Hash: f7dab63c0d5173c1dae1e644be3577186482e02f7b2f5395021a4b3b01ad5c8a
Instruction Fuzzy Hash: 3531F871D01109ABCF15EFA4DC85AEE7BB9FF24300F040069F815AA161D731AA46CB90

Function 001E356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 001E3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 001E365C

Strings

static, xrefs: 001E35BC

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 51e80e53f5804a8a948efc91d1a4844604631b45b099b4a336ddb2ab66057a44
Instruction ID: 5d4caa35a8b88a046845d9e54ab0ff147b3ea99aeab738c1e5c243c3dfea4321
Opcode Fuzzy Hash: 51e80e53f5804a8a948efc91d1a4844604631b45b099b4a336ddb2ab66057a44
Instruction Fuzzy Hash: D5319E71100A44AEDB109F79DC85EFF73A9FF98760F009619F8A597280DB31AD92D760

Function 001E4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 001E461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 001E4634

Strings

', xrefs: 001E458E

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 7bd75c92e11d5884fc8a1643aa7ee902166f9d95ee5799a480e48513329f153a
Instruction ID: b6af29e73e9d958a400243e0d7b8fb02bc79c841d8dd976b76299186daa41de7
Opcode Fuzzy Hash: 7bd75c92e11d5884fc8a1643aa7ee902166f9d95ee5799a480e48513329f153a
Instruction Fuzzy Hash: A8311874A01759AFDB14CFAAC990BDEBBB5FF49300F14406AE905AB391D770A941CF90

Function 001B286B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 001B2884
SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 001B28B6

Strings

@U=u, xrefs: 001B2884, 001B28B6

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 58dcee13a29f8a778d12b4846f125448b17d0d3a8cafb899d835bd75df6ad675
Instruction ID: f08825e88fd7005522d477f0471e6cab34c24965b4935f268c01c3c5aebce148
Opcode Fuzzy Hash: 58dcee13a29f8a778d12b4846f125448b17d0d3a8cafb899d835bd75df6ad675
Instruction Fuzzy Hash: 9E212832E00214ABCB11AF948881DFF77B9EF99715F144019ED29AB280EB749C49C7A0

Function 001B3BC4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001B3D03: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 001B3D18

SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 001B3C23
_strlen.LIBCMT ref: 001B3C2E

Strings

@U=u, xrefs: 001B3C23

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: MessageSend$Timeout_strlen
String ID: @U=u
API String ID: 2777139624-2594219639
Opcode ID: dddda9ec43869207e66436fb525e906bc70ffcd1e9b033298b8ae6fadc1cf6e9
Instruction ID: e8703ab6614fd4331ee34349474de856444c7e5f2ad07651201f3dbdfe0f731c
Opcode Fuzzy Hash: dddda9ec43869207e66436fb525e906bc70ffcd1e9b033298b8ae6fadc1cf6e9
Instruction Fuzzy Hash: 6F11DA31700115678B29AAFCD8929FE7F648F65B40F10003EF916AB292DF219E5786E4

Function 001E336F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001BED19: GetLocalTime.KERNEL32 ref: 001BED2A
Part of subcall function 001BED19: _wcslen.LIBCMT ref: 001BED3B
Part of subcall function 001BED19: _wcslen.LIBCMT ref: 001BED79
Part of subcall function 001BED19: _wcslen.LIBCMT ref: 001BEDAF
Part of subcall function 001BED19: _wcslen.LIBCMT ref: 001BEDDF
Part of subcall function 001BED19: _wcslen.LIBCMT ref: 001BEDEF
Part of subcall function 001BED19: _wcslen.LIBCMT ref: 001BEE2B

SendMessageW.USER32(?,00001002,00000000,?), ref: 001E340A

Strings

@U=u, xrefs: 001E340A
SysDateTimePick32, xrefs: 001E33C7

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: _wcslen$LocalMessageSendTime
String ID: @U=u$SysDateTimePick32
API String ID: 2216836867-2530228043
Opcode ID: 054d6ed136131c7a02d20c16265ea517d7d25037334e64fec2f7c7190ef776ef
Instruction ID: aa5f413cfc5cc5485cd5d480d5b7aebab0b8e9fff2c1bfcedf6812d284a38346
Opcode Fuzzy Hash: 054d6ed136131c7a02d20c16265ea517d7d25037334e64fec2f7c7190ef776ef
Instruction Fuzzy Hash: 2E2103313402496FEF229E55DC86FEF33AAEB54764F200519F960AB1D0DBB1EC9187A0

Function 001B215F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 001B2178

Part of subcall function 001BB32A: GetWindowThreadProcessId.USER32(?,?), ref: 001BB355
Part of subcall function 001BB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,001B2194,00000034,?,?,00001004,00000000,00000000), ref: 001BB365
Part of subcall function 001BB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,001B2194,00000034,?,?,00001004,00000000,00000000), ref: 001BB37B

Part of subcall function 001BB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001B21D0,?,?,00000034,00000800,?,00000034), ref: 001BB42D

SendMessageW.USER32(?,00001073,00000000,?), ref: 001B21DF

Part of subcall function 001BB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001B21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 001BB3F8

Strings

@U=u, xrefs: 001B2178, 001B21DF

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Process$MemoryMessageSend$AllocOpenReadThreadVirtualWindowWrite
String ID: @U=u
API String ID: 1045663743-2594219639
Opcode ID: 8d8f19fe356d358d25b2b03f85f5de1875dea09f7df37de875f9c3f03f408bd2
Instruction ID: ed1f877c9bf0cc398ac567ffb5772c03b398689eafc0d68b3b5ce1a9e503b221
Opcode Fuzzy Hash: 8d8f19fe356d358d25b2b03f85f5de1875dea09f7df37de875f9c3f03f408bd2
Instruction Fuzzy Hash: AF215C31901128ABEF11ABA8DC81FDDBBB8FF19350F1001A5E959E7190EB705A48CB90

Function 001E31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 001E327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001E3287

Strings

Combobox, xrefs: 001E3249

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 31a78315ff84cecf971bcfecaf67ee4313a099e4dff3df5d7238d289c3a7603f
Instruction ID: 61100ad46a4a10fd3b6e7eb7e646975c4849a0d3ace3081b4f5205181d7079c5
Opcode Fuzzy Hash: 31a78315ff84cecf971bcfecaf67ee4313a099e4dff3df5d7238d289c3a7603f
Instruction Fuzzy Hash: E411D3712005497FEF259E95DC88EAF37AAEB943A4F100124FA6897290D7319D518760

Function 001E3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0015600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0015604C
Part of subcall function 0015600E: GetStockObject.GDI32(00000011), ref: 00156060
Part of subcall function 0015600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0015606A

GetWindowRect.USER32(00000000,?), ref: 001E377A
GetSysColor.USER32(00000012), ref: 001E3794

Strings

static, xrefs: 001E3757

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 8969c02eae11e5655311b9cdea95ac4e08c5541c350db938185578f0e17809ba
Instruction ID: 6d1e68bef1bee937c8da48ced31df3082846c384055d3c08ef292048b5d043fe
Opcode Fuzzy Hash: 8969c02eae11e5655311b9cdea95ac4e08c5541c350db938185578f0e17809ba
Instruction Fuzzy Hash: A51159B2610649AFDF10DFA8CC49EEE7BB8EB08314F004514F965E3250D735E8519B90

Function 001E6181 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 001E61FC
SendMessageW.USER32(?,00000194,00000000,00000000), ref: 001E6225

Strings

@U=u, xrefs: 001E61FC, 001E6225

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 559ec7b09ae27a71d9e556447326cfbff2a3fd3cadc18b2a96129bf32b6caaa9
Instruction ID: f95a5d4fb9ca4769d6bf86bb90c627c3ea560e1ce3b6bada3f4a944f004aaaba
Opcode Fuzzy Hash: 559ec7b09ae27a71d9e556447326cfbff2a3fd3cadc18b2a96129bf32b6caaa9
Instruction Fuzzy Hash: 7C11D031540696FEEB158FA9CC09FFE3BA8EB29740F804111FB169A1D0D3B1DA40DB50

Function 001CCD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 001CCD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 001CCDA6

Strings

<local>, xrefs: 001CCD66

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: d580bc24f97e4b7c508f3d516a5a667eca1366e0a2cbcabb5e4752a965975b2b
Instruction ID: 5686faf0816ecec6b156ccb49130a1defc4513729ce8fb24d54205a304b25af1
Opcode Fuzzy Hash: d580bc24f97e4b7c508f3d516a5a667eca1366e0a2cbcabb5e4752a965975b2b
Instruction Fuzzy Hash: 7B11A77151563179D7284AA69C45FF7BE68EB227A4F014229F10E86080D770DC41D6F0

Function 001E4F80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 001E4FCC

Strings

@U=u, xrefs: 001E4FCC, 001E5008

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 54c3d5cdb780ec2d5a8edd2a31c7ab52d58c617dc87d894e859aa66fc97a7baa
Instruction ID: 015db8ef688386460b205c632eb958f51095d9fe13408a8f452a8193a91b10ac
Opcode Fuzzy Hash: 54c3d5cdb780ec2d5a8edd2a31c7ab52d58c617dc87d894e859aa66fc97a7baa
Instruction Fuzzy Hash: 4321C27A60055AEF8B15CFA8C9508EE7BB6EB4D344B014554FE05A7310D731EA61DB90

Function 001E30D2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000401,?,00000000), ref: 001E3147

Strings

button, xrefs: 001E311E
@U=u, xrefs: 001E3147

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: MessageSend
String ID: @U=u$button
API String ID: 3850602802-1762282863
Opcode ID: 1b8e94752f385e8988b80e0bc5e703bde1835e87d87dfcb340c8fb9ba9127a2d
Instruction ID: 87172b0581dbe614783a2e1d31fc341285c49ee587a538eb010ab5f858af4bcd
Opcode Fuzzy Hash: 1b8e94752f385e8988b80e0bc5e703bde1835e87d87dfcb340c8fb9ba9127a2d
Instruction Fuzzy Hash: 2E11E132250285ABDF118FA4DC45FEF3BAAEB18310F100118FE64A7190C776E8A1AB50

Function 001B6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD

CharUpperBuffW.USER32(?,?,?), ref: 001B6CB6
_wcslen.LIBCMT ref: 001B6CC2

Strings

STOP, xrefs: 001B6CBC, 001B6CC1

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 885cc1a560e9303862612c0bac2060d7e1d0205db4d32ccf4155c62a01bf1041
Instruction ID: 088d5af765dcec3b54c479d4915abd5065ead735fc314680db80a61a70d89301
Opcode Fuzzy Hash: 885cc1a560e9303862612c0bac2060d7e1d0205db4d32ccf4155c62a01bf1041
Instruction Fuzzy Hash: C9010032A00526CBCB20AFFDDC918FF7BB5EB75710B400928E8A29A190EB39D844C650

Function 001B23DB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001BB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001B21D0,?,?,00000034,00000800,?,00000034), ref: 001BB42D

SendMessageW.USER32(?,0000102B,?,00000000), ref: 001B243B
SendMessageW.USER32(?,0000102B,?,00000000), ref: 001B245E

Strings

@U=u, xrefs: 001B243B, 001B245E

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: MessageSend$MemoryProcessWrite
String ID: @U=u
API String ID: 1195347164-2594219639
Opcode ID: e1d7f5d4028d3177a8ec2f520aec27d0e93ca9c8e68de218523b7653853a2525
Instruction ID: 573a172fec7163e15c308b5c4dfd11b4bc233db466d9b177defa13e4aecb5635
Opcode Fuzzy Hash: e1d7f5d4028d3177a8ec2f520aec27d0e93ca9c8e68de218523b7653853a2525
Instruction Fuzzy Hash: 4301B932900218EBEB156F64DC86FEEBB79DB18310F104166F925AA5D1DBB05D45CB60

Function 001E4366 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000133E,00000000,?), ref: 001E43AF
InvalidateRect.USER32(?,00000000,00000001,?,?), ref: 001E4408

Strings

@U=u, xrefs: 001E43AF

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: InvalidateMessageRectSend
String ID: @U=u
API String ID: 909852535-2594219639
Opcode ID: ceac8d76b1ab4aa94f9ae0e85b40ecf00f5933885e17dcd7367fc946ac73f5a6
Instruction ID: dc908628a8b262b83e8e3a193926822f99f0bf358761c8ca7ba5bda2a7218494
Opcode Fuzzy Hash: ceac8d76b1ab4aa94f9ae0e85b40ecf00f5933885e17dcd7367fc946ac73f5a6
Instruction Fuzzy Hash: 9A11BF30600B84AFE721CF64C891BEBBBE5BF05310F10851CE8AB9B281C7706941CB90

Function 001B250B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000406,00000000,00000000), ref: 001B2531
SendMessageW.USER32(?,0000040D,?,00000000), ref: 001B2564

Part of subcall function 001BB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001B21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 001BB3F8

Part of subcall function 00156B57: _wcslen.LIBCMT ref: 00156B6A

Strings

@U=u, xrefs: 001B2531, 001B2564

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: MessageSend$MemoryProcessRead_wcslen
String ID: @U=u
API String ID: 1083363909-2594219639
Opcode ID: 0daa4de87c5e2add69de770fd39c41898b43ca65adb6748597fb534422e54985
Instruction ID: 7ce73d3523d262af52c020d08b0f70c14411536aa9c245a3584fc90d9cf43577
Opcode Fuzzy Hash: 0daa4de87c5e2add69de770fd39c41898b43ca65adb6748597fb534422e54985
Instruction Fuzzy Hash: 4F011E71900118EFDB51AF94DC91EED77A9FB24344F808065F549AA150DF705E89CB90

Function 001E90A1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00169BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00169BB2

DefDlgProcW.USER32(?,0000002B,?,?,?,?,?,?,?,001A769C,?,?,?), ref: 001E9111

Part of subcall function 00169944: GetWindowLongW.USER32(?,000000EB), ref: 00169952

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 001E90F7

Strings

@U=u, xrefs: 001E90F7

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: LongWindow$MessageProcSend
String ID: @U=u
API String ID: 982171247-2594219639
Opcode ID: e9f63c7ca134a8fa80dd9c18515f6cb78475a018c3af235512fcff86bfffb333
Instruction ID: d65988c23cd1ba5018f7f898a25e44f84154a9985d9a354fd85e6dd0cd3b96ef
Opcode Fuzzy Hash: e9f63c7ca134a8fa80dd9c18515f6cb78475a018c3af235512fcff86bfffb333
Instruction Fuzzy Hash: 3A01D430200694BBDB219F56DC89FAA3BA6FF96375F100018F9511B2E1C7726CA2DB50

Function 001E8172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00223018,0022305C), ref: 001E81BF
CloseHandle.KERNEL32 ref: 001E81D1

Strings

\0", xrefs: 001E818A

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0"
API String ID: 3712363035-2428598737
Opcode ID: 1bff300e1ea180ed003e92d528049b2b12445c057370e66278166a4e0005ba96
Instruction ID: 2e40c9d42616838996e9349ade22f8f60ebb21a2413dba469735e65309b06851
Opcode Fuzzy Hash: 1bff300e1ea180ed003e92d528049b2b12445c057370e66278166a4e0005ba96
Instruction Fuzzy Hash: 4FF054B1640310BEE220A7A17C49F773A5CEB04751F004420FB0CD91A1D6798B5282F8

Function 001B246C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 001B2480
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 001B2497

Part of subcall function 001B23DB: SendMessageW.USER32(?,0000102B,?,00000000), ref: 001B243B

Strings

@U=u, xrefs: 001B2480, 001B2497

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 1211e69f24619a4eb4471c73901fb16117e1007386fe74f01b000a64e78e75aa
Instruction ID: c7a371e418a03075177288b81d779c9337c84d46aa729a41d916fcde9eff3537
Opcode Fuzzy Hash: 1211e69f24619a4eb4471c73901fb16117e1007386fe74f01b000a64e78e75aa
Instruction Fuzzy Hash: 61F0E230601161BAEB201B56CC0ECDFBF6DDF5A760B100014F805A6161C7B05D81C6F0

Function 001D747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001D7493
_wcslen.LIBCMT ref: 001D74B9

Strings

3, 3, 16, 1, xrefs: 001D7483

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 37e5b951eaf50a0f7e34debccb44a6d083bad41796b274c1f5f677d0e314550e
Instruction ID: d8b50a33ec9524ef5f72f4682182af5cf1362b8ede9105729b58e483d968d7e4
Opcode Fuzzy Hash: 37e5b951eaf50a0f7e34debccb44a6d083bad41796b274c1f5f677d0e314550e
Instruction Fuzzy Hash: BCE02B0221422012923212799CC197F56D9CFE9750710182BFA89C23A6FB948D9193A1

Function 001B2BE8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001B2BFA
SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 001B2C2A

Strings

@U=u, xrefs: 001B2BFA, 001B2C2A

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: bc589978a962e3473815752fe03ba6bccff59252eb012c16215292df12c59ebc
Instruction ID: ff63d40b2dc2c5d76a1b824ce0c3b1661da4c0871ea23202692da0d248f6b160
Opcode Fuzzy Hash: bc589978a962e3473815752fe03ba6bccff59252eb012c16215292df12c59ebc
Instruction Fuzzy Hash: 8AF08C75340304BBFA156A809C86FEA3B58AB29761F100014FB095A190DBE2584497A0

Function 001B2D60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001B286B: SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 001B2884
Part of subcall function 001B286B: SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 001B28B6

SendMessageW.USER32(?,0000110B,00000005,00000000), ref: 001B2D80
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 001B2D90

Strings

@U=u, xrefs: 001B2D80, 001B2D90

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: a8d3a5179132e589d107dfd84a975b5aa1733f3c8b0811c5d4760e30fa40abe3
Instruction ID: 8658a0d4a8f562b1949f155a39e3281aa74e3a8c2ef066c4f4b50214486706d1
Opcode Fuzzy Hash: a8d3a5179132e589d107dfd84a975b5aa1733f3c8b0811c5d4760e30fa40abe3
Instruction Fuzzy Hash: 95E0D8353443457FF6260AD19C86EE7375DD759751F100026F70469191DFB2CC565560

Function 001E5829 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000133D,?,?), ref: 001E5855
InvalidateRect.USER32(?,?,00000001), ref: 001E5877

Strings

@U=u, xrefs: 001E5855

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: InvalidateMessageRectSend
String ID: @U=u
API String ID: 909852535-2594219639
Opcode ID: adf34e7f30cc4456e7636d421eaec031418c931b4d672a2e40516e7e03d4b3b7
Instruction ID: 1c62186afdbd9d80c819984130c574bdf57dcd1701e42ef0d0eafa701ee91a64
Opcode Fuzzy Hash: adf34e7f30cc4456e7636d421eaec031418c931b4d672a2e40516e7e03d4b3b7
Instruction Fuzzy Hash: F9F089326045C4AED7208B66DC44FEE7FF9DB45329F0441B2E55AD9191D7308A81CB60

Function 001B0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 001B0B23

Strings

AutoIt, xrefs: 001B0B17
Error allocating memory., xrefs: 001B0B1C

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 6735a3df0f753386a8cf09c638a6d5f5beb310f7806833abef765eb20b0dc1f2
Instruction ID: b522ed2816181fe1fa2d91f2f4153885c91ced9d734d2f32e260b30b0f567427
Opcode Fuzzy Hash: 6735a3df0f753386a8cf09c638a6d5f5beb310f7806833abef765eb20b0dc1f2
Instruction Fuzzy Hash: A0E0D8312843586BD21437957C03FCD7A848F19F25F20046AFB58994C38BE228A106E9

Function 00170D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0016F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00170D71,?,?,?,0015100A), ref: 0016F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0015100A), ref: 00170D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0015100A), ref: 00170D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00170D7F

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 767e5cc5c23725548c49dff5bea51ddb57795cea1c013934f6da556870e0da2c
Instruction ID: 1ecf9bbbeb07ae63412d363eacc90ded98c658e9610da08c45e8baff5d4faca0
Opcode Fuzzy Hash: 767e5cc5c23725548c49dff5bea51ddb57795cea1c013934f6da556870e0da2c
Instruction Fuzzy Hash: 8FE06D742007818FD3319FF9E94874A7BF1EB18744F00896DE89ACA651EBB0E4868B91

Function 0016E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0016E3D5

Strings

8%", xrefs: 0016E3CA
0%", xrefs: 0016E3B5

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%"$8%"
API String ID: 1385522511-3788803983
Opcode ID: 6327a739b9408ed411e364921c35949e7bdaf554e2ddf2df6ae23832d3ba7f46
Instruction ID: d619edb0e12bfc303d7e298afb9e4b9e67d831740ed940c398311992d8affb43
Opcode Fuzzy Hash: 6327a739b9408ed411e364921c35949e7bdaf554e2ddf2df6ae23832d3ba7f46
Instruction Fuzzy Hash: 06E02636810A20FBCA1D975CFE58A8833A1BF18320BD0A268E4028F2D19B3628768644

Function 001C3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 001C302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 001C3044

Strings

aut, xrefs: 001C3038

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 3b53b76085a8121009f87d432492e180ab02e1e188c50920210ee1498e0725ba
Instruction ID: 410ae1509be0c9d4359b6a238850cdf57ee8c7a2887503001cb1b80c720b5ab3
Opcode Fuzzy Hash: 3b53b76085a8121009f87d432492e180ab02e1e188c50920210ee1498e0725ba
Instruction Fuzzy Hash: 39D05E7290032867DA20A7E4AC4EFCF7A7CEB05751F0002A1BB55E6091DAB099C5CAD0

Function 001AD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 001AD220

Strings

X64, xrefs: 001AD2A8
%.3d, xrefs: 001AD22B

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: d6bf02c5a1160943136f4d806227390f76325b91ebe04c43ee7aa0d744fe9dcf
Instruction ID: afa0c6353f5650894943ad4bd79274df72d4393c238372b3ec9a200c448fb1b7
Opcode Fuzzy Hash: d6bf02c5a1160943136f4d806227390f76325b91ebe04c43ee7aa0d744fe9dcf
Instruction Fuzzy Hash: 53D012A9C08509E9CB5496D0EC45AFAB3BCBB1A341F528453FD07D1440D724C559E762

Function 001E2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001E232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 001E233F

Part of subcall function 001BE97B: Sleep.KERNEL32 ref: 001BE9F3

Strings

Shell_TrayWnd, xrefs: 001E2325

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 275442bdb2a280d108cfc0e3a6e60c82fe630e62714b18a446bcfef7a5d163c1
Instruction ID: e57750987ea396fa223f91b42a4b32ff763b37ced48f95a6e1ec01358bf0cdca
Opcode Fuzzy Hash: 275442bdb2a280d108cfc0e3a6e60c82fe630e62714b18a446bcfef7a5d163c1
Instruction Fuzzy Hash: 8DD0C9363D5350BAE664A7B0DC4FFCBAA549B14B14F044916B645AA1D0CAA0A8868A94

Function 001E2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001E236C
PostMessageW.USER32(00000000), ref: 001E2373

Part of subcall function 001BE97B: Sleep.KERNEL32 ref: 001BE9F3

Strings

Shell_TrayWnd, xrefs: 001E2365

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 321cce5beb37f7be9e2b8b97eee6bdf3a7ac1638d31bfed4f6d3a05e24bb8448
Instruction ID: 1ce3e3fba8c06d0c8eee10c6219fc57525596253e0336a4c8d25ef29e51092d7
Opcode Fuzzy Hash: 321cce5beb37f7be9e2b8b97eee6bdf3a7ac1638d31bfed4f6d3a05e24bb8448
Instruction Fuzzy Hash: 0DD0C9363D1350BAE664A7B0DC4FFCBA6549B15B14F044916B645AA1D0CAA0B8868A94

Function 001B2313 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 001B231F
SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 001B232D

Strings

@U=u, xrefs: 001B231F, 001B232D

Memory Dump Source

Source File: 00000000.00000002.1364172143.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1362593511.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364280865.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364337156.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1364362627.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_Payment 01.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: dfd75ff96e8b0f9286de80c79a0a135a5eb1d95f0428cb1a1d0d2435b0fa3f16
Instruction ID: 1419cbb90aae031f0b2c2e9d3d0a071fec76ee4508c66a7c4a92f1aa2b64e336
Opcode Fuzzy Hash: dfd75ff96e8b0f9286de80c79a0a135a5eb1d95f0428cb1a1d0d2435b0fa3f16
Instruction Fuzzy Hash: 30C08C311001C0BAF7300BA3BC0CCCB3F3DE7CFF01300000CB604884A586600082C630

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Payment 01.08.25.pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Dunlop

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Windows Analysis Report
Payment 01.08.25.pdf.exe

Function 001542DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 001542A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00192BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 00152CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 0019065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 0015344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00152B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 00153170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 016D9DE0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00152C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 016D9BA0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 149
fileCOMMON

Function 00153B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Function 016D8A90 Relevance: 6.7, APIs: 4, Instructions: 720
processthreadCOMMON

Function 00153923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
windowCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre